
Blue Prism Robotic Process Automation (RPA) Privilege Escalation

22 May 2019 | Reported by Benjamin Hess | Type: packetstorm | Source: packetstormsecurity.com

Blue Prism RPA Privilege Escalation - Access control vulnerability in versions before 6.5.0.12573

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2019-11875 | 24 May 2019 16:48 | circl |
| CVE | CVE-2019-11875 | 24 May 2019 15:55 | cve |
| Cvelist | CVE-2019-11875 | 24 May 2019 15:55 | cvelist |
| EUVD | EUVD-2019-3535 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2019-11875 | 24 May 2019 16:29 | nvd |
| Prion | Code injection | 24 May 2019 16:29 | prion |
| RedhatCVE | CVE-2019-11875 | 9 Jan 2026 10:09 | redhatcve |

`------------------------------------------------------------------------  
SySS Security Advisory: Blue Prism Robotic Process Automation (RPA) - Privilege Escalation  
------------------------------------------------------------------------  
  
Advisory ID: SYSS-2019-002   
Product: Blue Prism Robotic Process Automation (RPA)  
Manufacturer: Blue Prism  
Affected Version(s): Before 6.5.0.12573  
Tested Version(s): 6.4.0.8445, Before 6.5.0.12573  
Vulnerability Type: Improper Access Control (CWE-284)   
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2019-02-01  
Solution Date: Around 2019-05-10   
Public Disclosure: 2019-05-22  
CVE Reference: CVE-2019-11875  
Author of Advisory: Benjamin Hess, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Blue Prism is an RPA platform that enables companies to manage and   
deploy their digital workforce composed of software robots.   
  
The manufacturer describes the product as follows (see [1]):  
  
"Blue Prism Digital Workers have Intelligent Automation Skills that make  
it easier than ever for organizations to leverage technologies that  
deliver true operational agility."  
  
Due to a missing permission check for certain actions on the server
side, the software is vulnerable to privilege escalation.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
A vulnerability in the access control of the software can be exploited   
to escalate privileges. The vulnerability allows for abusing the  
application for fraud or unauthorized access to certain information.   
  
The attack requires a valid user account to connect to the Blue Prism  
server, but the roles associated with this account are not required to   
have any permissions.  
First of all, the application files are modified to grant full   
permissions on the client side.  
In a test environment (or his own instance of the software) an attacker  
is able to grant himself full privileges also on the server side.  
He can then, for instance, create a process with malicious behavior and   
export it to disk.  
With the modified client, it is possible to import the exported file as   
a release and overwrite any existing process in the database.  
Eventually, the bots execute the malicious process.  
  
The server does not check the user's permissions for the aforementioned  
actions, so a modification of the client software enables this  
kind of attack.  
  
Possible scenarios may involve changing bank accounts or setting   
passwords.  
  
  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
Using the tool dnSpy [2] the "AutomateAppCore.dll" can be decompiled and  
modified. The namespace "BluePrism.AutomateAppCore.Auth" contains the   
class "User". The body of the member function with prototype  
  
public bool HasPermission(ICollection<Permission> perms)  
  
needs to be changed to:  
  
return true;  
  
After compiling the modified assembly and replacing the original library  
file, the client grants access to all menus and buttons regardless of  
the role of the logged-in user.  
  
One can now start the software and sign in to the desired target.  
It is then possible to open the tab "Releases", where one may create new  
packages or modify existing ones, create new releases or import a   
release from disk.  
  
By performing a right-click in the tree with the releases, one can   
choose "Import release" and select the corresponding file on disk.  
If the file contains a process from the current database that was   
modified in a malicious way, the process in the database is overwritten.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The manufacturer fixed the vulnerability in version 6.5.0.12573.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2019-01-30: Vulnerability discovered  
2019-02-01: Vulnerability reported to manufacturer  
2019-05-10: It was found that the bug was fixed by the manufacturer  
2019-05-15: Manufacturer confirmed affected versions  
2019-05-22: Public release of the security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Blue Prism Robotic Process Automation  
https://www.blueprism.com/product  
[2] dnSpy debugger and .NET assembly editor  
https://github.com/0xd4d/dnSpy  
[3] SySS Security Advisory SYSS-2019-002  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-002.txt  
[4] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Benjamin Hess of SySS GmbH.  
  
E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Benjamin_Hess.asc  
Key ID: 0x1331325C  
Key Fingerprint: D73C 3C3D 746C 66C3 D0AE BED8 7FD5 638E 1331 325C   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
`
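
The root cause named under "Vulnerability Details" is that the server accepted a release import without checking the caller's permissions, leaving the decision to the client. The C# below is an added example, not code from the advisory or from Blue Prism; `ReleaseServer`, `Session`, the account names and the `ImportRelease` permission string are hypothetical. It contrasts an import endpoint that relies on the client with one that looks up the caller's role on the server for every call.

```csharp
// Added illustration; ReleaseServer, Session and the permission names are
// hypothetical and are not Blue Prism's API.
using System;
using System.Collections.Generic;

sealed class Session
{
    public string User { get; }
    public Session(string user) { User = user; }
}

sealed class ReleaseServer
{
    // Role data lives on the server; the client never supplies it.
    private readonly Dictionary<string, HashSet<string>> _grants =
        new Dictionary<string, HashSet<string>>
        {
            ["designer"] = new HashSet<string> { "ImportRelease" },
            ["viewer"]   = new HashSet<string>(),  // valid account, no permissions
        };

    public Dictionary<string, string> Processes { get; } =
        new Dictionary<string, string> { ["Payments"] = "v1" };

    // Weak: assumes the client UI already hid this action from the user.
    public void ImportReleaseUnchecked(Session s, string name, string body)
        => Processes[name] = body;

    // Hardened: the server derives the caller's permissions itself, per call.
    public void ImportRelease(Session s, string name, string body)
    {
        if (!_grants.TryGetValue(s.User, out var perms) || !perms.Contains("ImportRelease"))
            throw new UnauthorizedAccessException($"{s.User} lacks ImportRelease");
        Processes[name] = body;
    }
}

static class Demo
{
    static void Main()
    {
        var server = new ReleaseServer();
        var viewer = new Session("viewer");  // constructed sample account
        server.ImportReleaseUnchecked(viewer, "Payments", "tampered");
        Console.WriteLine($"unchecked endpoint: Payments = {server.Processes["Payments"]}");
        try { server.ImportRelease(viewer, "Payments", "tampered-again"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine($"checked endpoint: {e.Message}"); }
    }
}
```

With the check on the server, a client whose local `HasPermission` result has been altered still cannot complete the import, because the outcome no longer depends on anything the client reports about itself.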
