
Blue Prism Robotic Process Automation (RPA) Privilege Escalation

Posted May 22, 2019
Authored by Benjamin Hess | Site syss.de

Blue Prism Robotic Process Automation (RPA) versions prior to 6.5.0.12573 suffer from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2019-11875
SHA-256 | 6135a2b9c51d5180a54bad7920ef8a1809f6efa7effd249711a4d0fd4afccc24

------------------------------------------------------------------------
SySS Security Advisory: Blue Prism Robotic Process Automation (RPA) - Privilege Escalation
------------------------------------------------------------------------

Advisory ID: SYSS-2019-002
Product: Blue Prism Robotic Process Automation (RPA)
Manufacturer: Blue Prism
Affected Version(s): Before 6.5.0.12573
Tested Version(s): 6.4.0.8445, Before 6.5.0.12573
Vulnerability Type: Improper Access Control (CWE-284)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2019-02-01
Solution Date: Around 2019-05-10
Public Disclosure: 2019-05-22
CVE Reference: CVE-2019-11875
Author of Advisory: Benjamin Hess, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Blue Prism is an RPA platform that enables companies to manage and
deploy their digital workforce composed of software robots.

The manufacturer describes the product as follows (see [1]):

"Blue Prism Digital Workers have Intelligent Automation Skills that make
it easier than ever for organizations to leverage technologies that
deliver true operational agility."

Due to a missing permission check for certain actions on the server side
the software is vulnerable to privilege escalation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A flaw in the access control of the software can be exploited to
escalate privileges. The vulnerability allows the application to be
abused for fraud or for unauthorized access to certain information.

The attack requires a valid user account to connect to the Blue Prism
server, but the roles associated with this account do not need to have
any permissions.
First, the application files are modified to grant full permissions on
the client side.
In a test environment (or his own instance of the software) an attacker
is able to grant himself full privileges on the server side as well.
He can then, for instance, create a process with malicious behavior and
export it to disk.
With the modified client, it is possible to import the exported file as
a release and overwrite any existing process in the database.
Eventually, the bots execute the malicious process.

The server does not check the user's permissions for the aforementioned
actions, so a modification of the client software is enough to enable
this kind of attack.

Possible scenarios may involve changing bank accounts or setting
passwords.
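The following Python model is added here to illustrate the design flaw the advisory describes; it is not Blue Prism code, and the user, permission and process names are constructed. It places a release-import handler that relies on the client's own HasPermission() check beside one that re-evaluates the caller's permissions from server-side role data, so that a client claiming full permissions changes nothing.

```python
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    IMPORT_RELEASE = "ImportRelease"   # hypothetical permission name


@dataclass(frozen=True)
class Process:
    name: str
    definition: str


class ReleaseServer:
    """Constructed model of a server that stores processes and the
    permissions granted to each user by their server-side roles."""

    def __init__(self, user_permissions, processes):
        self.user_permissions = user_permissions   # user -> set of Permission
        self.processes = processes                 # name -> Process

    def import_release_unchecked(self, user, release):
        # Vulnerable shape: the handler assumes the client already ran its
        # own permission check, so a client patched to always report
        # "permitted" can overwrite any process in the database.
        for proc in release:
            self.processes[proc.name] = proc
        return True

    def import_release_checked(self, user, release):
        # Fixed shape: the permission is re-evaluated from the roles stored
        # on the server; nothing the client claims about itself matters.
        granted = self.user_permissions.get(user, set())
        if Permission.IMPORT_RELEASE not in granted:
            return False
        for proc in release:
            self.processes[proc.name] = proc
        return True


def simulate(checked):
    """Import a release as a user whose roles grant no permissions and
    return the definition of the 'Payments' process afterwards."""
    server = ReleaseServer(
        user_permissions={"alice": set()},   # constructed: no permissions
        processes={"Payments": Process("Payments", "original definition")},
    )
    release = [Process("Payments", "tampered definition")]   # constructed
    handler = server.import_release_checked if checked else server.import_release_unchecked
    handler("alice", release)
    return server.processes["Payments"].definition
```

With the unchecked handler the process is silently replaced; with the server-side check the import is refused and the stored process is unchanged.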

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the tool dnSpy [2], the "AutomateAppCore.dll" can be decompiled and
modified. The namespace "BluePrism.AutomateAppCore.Auth" contains the
class "User". The body of the member function with the prototype

public bool HasPermission(ICollection<Permission> perms)

needs to be changed to:

return true;

After compiling the modified assembly and replacing the original library
file, the client grants access to all menus and buttons regardless of
the role of the logged-in user.

One can now start the software and sign in to the desired target.
It is then possible to open the tab "Releases", where one may create new
packages or modify existing ones, create new releases or import a
release from disk.

By right-clicking in the tree of releases, one can choose "Import
release" and select the corresponding file on disk.
If the file contains a process from the current database that was
modified in a malicious way, the process in the database is overwritten.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer fixed the vulnerability in version 6.5.0.12573.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-01-30: Vulnerability discovered
2019-02-01: Vulnerability reported to manufacturer
2019-05-10: It was found that the bug was fixed by the manufacturer
2019-05-15: Manufacturer confirmed affected versions
2019-05-22: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Blue Prism Robotic Process Automation
https://www.blueprism.com/product
[2] dnSpy debugger and .NET assembly editor
https://github.com/0xd4d/dnSpy
[3] SySS Security Advisory SYSS-2019-002
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-002.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Benjamin Hess of SySS GmbH.

E-Mail: benjamin.hess@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Benjamin_Hess.asc
Key ID: 0x1331325C
Key Fingerprint: D73C 3C3D 746C 66C3 D0AE BED8 7FD5 638E 1331 325C

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
