Blue Prism Robotic Process Automation (RPA) Privilege Escalation

Posted May 22, 2019
Authored by Benjamin Hess

Blue Prism Robotic Process Automation (RPA) versions prior to 6.5.0.12573 suffer from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2019-11875
MD5 | f424dfb980dcc7fce293cc0072ec0ff6

------------------------------------------------------------------------
SySS Security Advisory: Blue Prism Robotic Process Automation (RPA) - Privilege Escalation
------------------------------------------------------------------------

Advisory ID: SYSS-2019-002
Product: Blue Prism Robotic Process Automation (RPA)
Manufacturer: Blue Prism
Affected Version(s): Before 6.5.0.12573
Tested Version(s): 6.4.0.8445, Before 6.5.0.12573
Vulnerability Type: Improper Access Control (CWE-284)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2019-02-01
Solution Date: Around 2019-05-10
Public Disclosure: 2019-05-22
CVE Reference: CVE-2019-11875
Author of Advisory: Benjamin Hess, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Blue Prism is an RPA platform that enables companies to manage and
deploy their digital workforce composed of software robots.

The manufacturer describes the product as follows (see [1]):

"Blue Prism Digital Workers have Intelligent Automation Skills that make
it easier than ever for organizations to leverage technologies that
deliver true operational agility."

Due to a missing permission check for certain actions on the server side,
the software is vulnerable to privilege escalation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A vulnerability in the access control of the software can be exploited
to escalate privileges. The vulnerability allows for abusing the
application for fraud or unauthorized access to certain information.

The attack requires a valid user account to connect to the Blue Prism
server, but the roles associated with this account do not need to carry
any permissions.
First, the application files of the client are modified so that the
client grants full permissions locally.
In a test environment (or in an instance of the software under the
attacker's control), the attacker can also grant themself full
privileges on the server side.
There, the attacker can, for instance, create a process with malicious
behavior and export it to disk.
With the modified client, it is then possible to import the exported file
as a release into the target environment and overwrite any existing
process in the database.
Eventually, the bots execute the malicious process.

The server does not check the user's permissions for the aforementioned
actions, such that a modification of the client software enables this
kind of attack.

Possible scenarios may involve changing bank accounts or setting
passwords.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the tool dnSpy [2] the "AutomateAppCore.dll" can be decompiled and
modified. The namespace "BluePrism.AutomateAppCore.Auth" contains the
class "User". The body of the member function with prototype

public bool HasPermission(ICollection<Permission> perms)

needs to be changed to:

return true;

After compiling the modified assembly and replacing the original library
file, the client grants access to all menus and buttons regardless of
the role of the logged-in user.

One can now start the software and sign in to the desired target.
It is then possible to open the tab "Releases", where one may create new
packages or modify existing ones, create new releases or import a
release from disk.

By performing a right-click in the tree with the releases, one can
choose "Import release" and select the corresponding file on disk.
If the file contains a process from the current database that was
modified in a malicious way, the process in the database is overwritten.
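The root cause described in the "Vulnerability Details" and "Proof of
Concept" sections above is that the permission check lived only in the
client, so the server accepted whatever the client decided. The following
is an added example, not Blue Prism's code and not from the advisory; it
models the same pattern in Python with constructed permission names,
roles, users and an ImportRequest shape that are all hypothetical. It
shows a handler that trusts the client's own permission claim next to a
hardened handler that re-derives permissions from the server's role store
and writes an audit entry for every decision.

```python
"""Added example (not Blue Prism's code): why a server must authorize each
action from its own role store rather than from anything the client asserts.

Everything below is hypothetical: the permission names, roles, users and the
ImportRequest shape are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    VIEW_RELEASES = "view_releases"
    IMPORT_RELEASE = "import_release"


class PermissionDenied(Exception):
    """Raised when the server-side check fails."""


# Constructed role model; on a real server this would live in the database.
ROLE_PERMISSIONS = {
    "Viewer": {Permission.VIEW_RELEASES},
    "ReleaseManager": {Permission.VIEW_RELEASES, Permission.IMPORT_RELEASE},
}
USER_ROLES = {"alice": {"ReleaseManager"}, "bob": {"Viewer"}}


@dataclass
class ImportRequest:
    """What the client sends. The client may assert anything about itself;
    a client whose local permission check always succeeds would simply send
    client_asserts_permission=True, which is why the server must ignore it."""
    user: str
    release_name: str
    process_xml: str
    client_asserts_permission: bool = False


@dataclass
class ProcessStore:
    """Constructed stand-in for the processes table plus an audit log."""
    processes: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


def server_side_permissions(user: str) -> set:
    """Resolve effective permissions from the server's own role store only."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def import_release_trusting_client(req: ImportRequest, store: ProcessStore) -> bool:
    """Vulnerable pattern: the only gate is the client's own claim."""
    if not req.client_asserts_permission:
        store.audit.append(f"DENY user={req.user} action=import_release")
        return False
    store.processes[req.release_name] = req.process_xml
    store.audit.append(f"ALLOW user={req.user} action=import_release")
    return True


def import_release_server_checked(req: ImportRequest, store: ProcessStore) -> bool:
    """Hardened pattern: the server re-derives the caller's permissions and
    never consults the client's assertion."""
    if Permission.IMPORT_RELEASE not in server_side_permissions(req.user):
        store.audit.append(f"DENY user={req.user} action=import_release")
        raise PermissionDenied(f"{req.user} lacks {Permission.IMPORT_RELEASE.value}")
    store.processes[req.release_name] = req.process_xml
    store.audit.append(f"ALLOW user={req.user} action=import_release")
    return True


def demo() -> dict:
    """Run both handlers with a Viewer whose client asserts full permissions."""
    original = "<process name='Payment'>original</process>"
    replaced = "<process name='Payment'>replaced</process>"
    req = ImportRequest("bob", "Payment", replaced, client_asserts_permission=True)

    trusting = ProcessStore(processes={"Payment": original})
    import_release_trusting_client(req, trusting)

    checked = ProcessStore(processes={"Payment": original})
    denied = False
    try:
        import_release_server_checked(req, checked)
    except PermissionDenied:
        denied = True

    return {
        "trusting_overwritten": trusting.processes["Payment"] == replaced,
        "checked_overwritten": checked.processes["Payment"] == replaced,
        "checked_denied": denied,
        "checked_audit": checked.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trusting handler lets the Viewer overwrite the stored process because
it never looks past the request; the server-checked handler denies the same
request and leaves a DENY audit line, which is also the event a defender
would alert on when a low-privilege account repeatedly attempts release
imports.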

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer fixed the vulnerability in version 6.5.0.12573.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-01-30: Vulnerability discovered
2019-02-01: Vulnerability reported to manufacturer
2019-05-10: It was found that the bug was fixed by the manufacturer
2019-05-15: Manufacturer confirmed affected versions
2019-05-22: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Blue Prism Robotic Process Automation
https://www.blueprism.com/product
[2] dnSpy debugger and .NET assembly editor
https://github.com/0xd4d/dnSpy
[3] SySS Security Advisory SYSS-2019-002
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-002.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Benjamin Hess of SySS GmbH.

E-Mail: benjamin.hess@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Benjamin_Hess.asc
Key ID: 0x1331325C
Key Fingerprint: D73C 3C3D 746C 66C3 D0AE BED8 7FD5 638E 1331 325C

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
