Product: Pentaho Business Analytics / Pentaho Business Server Vendor / Manufacturer: Hitachi Affected Version(s): <= 9.1 Vulnerability Type: Remote Code Execution through Pentaho Report Bundles Solution Status: Fix Released on public GitHub repository Manufacturer Notification: 8th February 2021 Solution Date: May 2021 Public Disclosure: 01 November 2021 CVE Reference: CVE-2021-31599 Author(s) of Advisory: Alberto Favero ( HawSec ) & Altion Malka --- ### --- ### --- Product Description: Pentaho is business intelligence (BI) software that provides data integration, OLAP services, reporting, information dashboards, data mining and extract, transform, load (ETL) capabilities. Its headquarters are in Orlando, Florida. Pentaho was acquired by Hitachi Data Systems in 2015 and in 2017 became part of Hitachi Vantara. ( Source: https://en.wikipedia.org/wiki/Pentaho ) --- ### --- ### --- Vulnerability Details: Pentaho allows users to create and run Pentaho Report Bundles (.prpt). Users can create PRPT reports by utilizing the Pentaho Designer application and can include BeanShell Script functions to ease the production of complex reports. However, the BeanShell Script functions can allow for the execution of arbitrary Java code when Pentaho PRPT Reports are run by Pentaho Business Analytics. This functionality allows any user with sufficient privileges to upload or edit an existing Pentaho Report Bundle (through Pentaho Designer) and execute arbitrary code in the context of the Pentaho application user running on the web server. The following proof-of-concept BeanShell Expression demonstrates Remote Code Execution on the underlying host server of the Pentaho application. --- ~~~ --- ~~~ --- // BeanShell Expression getValue() { // Detect the underlying Operating System boolean isWindowsOS = System.getProperty("os.name ").toLowerCase().startsWith("windows"); if (isWindows) { // Spawning Windows Calculator App Runtime.getRuntime().exec("calc.exe"); } else { // Executing the Linux ‘whoami’ command Runtime.getRuntime().exec("whoami"); } } // Returns the string “done” When the PRPT report is executed return ("Done!"); } --- ~~~ --- ~~~ --- --- ### --- ### --- Proof of Concept (PoC): See Ginger ( https://github.com/HawSec/ginger ) or the attaced PRPT file --- ### --- ### --- References: - https://beanshell.github.io/intro.html - https://javadoc.pentaho.com/reporting/pentaho-reporting-engine-classic-core/org/pentaho/reporting/engine/classic/core/modules/misc/beanshell/BSHExpression.html#getValue() --- ### --- ### --- Credits: This vulnerability was discovered by Alberto Favero & Altion Malka --- ### --- ### --- -- BlackHawk - hawkgotyou@gmail.com Experientia senum, agilitas iuvenum. Adversa fortiter. Dubia prudenter.