1. INFORMATION

--------------

[+] CVE                : CVE-2022-43684

[+] Title : Insecure Access Control To Full Admin Compromise

[+] Vendor             : ServiceNow

[+] Publication date   : June 2023

[+] Credits            : Luke Symons, Tony Wu, Eldar Marcussen, Gareth
Phillips, Jeff Thomas, Nadeem Salim, and Stephen Bradshaw.




2. AFFECTED VERSIONS

--------------------

* Quebec prior to Patch 10 Hot Fix 8b

* Rome prior to Patch 10 Hot Fix 1

* San Diego prior to Patch 7

* Tokyo prior to Tokyo Patch 1; and

* Utah prior to Utah General Availability




3. DETAILS

----------

ServiceNow is a cloud-based platform that provides service management
software as a service (SaaS). It is used by a millions of companies
worldwide, and specializes in IT Service Management (ITSM), IT Operations
Management (ITOM), and IT Business Management (ITBM). It allows users to
manage incidents, service requests, problems, and changes within the IT
infrastructure of a business. It also provides a self-service portal where
end users can request IT services and log issues. During a security audit
it was identified that a threat actor could exploit a access control issue
and a number of other vulnerabilities and chain them together in a
ServiceNow instance leading to an effective account takeover to obtain
administrative access on the platform as a low privileged user.


An XHR request to xmlhttp.do with the "ChartDataProcessor" processor in the
POST request allows the enumeration of the ServiceNow GQL database,
including read access to the `sys_user_session` and `sys_user_token`
tables, which provide the necessary information to generate valid
`glide_user_activity` and `glide_session_store` cookies, and the
X-Usertoken header to allow privilege escalation to any previously
authenticated user.



4. Information

----

A blog writeup detailing the vulnerablties and issues aswell as a proof of
concept can be accessed at
https://x64.sh/posts/ServiceNow-Insecure-access-control-to-admin/


5. Remediation

----

ServiceNow has released patches and an upgrade that address an Access
Control List (ACL) bypass issue in ServiceNow Core functionality.