Usually Monday to Friday is a bit boring. Huh? Maybe tired of repeated stuff, or mood swings, or even boring projects. Whatever the reason, Fridays usually make me happy. Hope it's the same for all. My weekends are all about fuzzing, finding vulnerabilities, disclosing responsibly, getting bounty $$$, blah blah.
So it's a weekend, some day in the third quarter of 2017. All of a sudden I got an assignment to test a sample web application created on Pega's Designing Platform. Well, that's something new to me. My curiosity and interest pumped up a bit to test this developer panel of Pega 7.2.2 ML.
Wiki provided me with the following: Pegasystems Inc. is an American software company based in Cambridge, Massachusetts. Founded in 1983, Pegasystems develops software for customer relationship management (CRM) and business process management (BPM).
Throttled my Kali VM into ready-to-go mode. A bit of information gathering only made me more frustrated, as little info was available. Pointed Burp Pro at the hosted URL: spidering, active scanning, intruding, and nothing interesting.
Started a 'kutty' (very small, in a South Indian language) bit of research on previously discovered vulnerabilities. Happily found some, but they had all been fixed. What am I gonna do? No idea. Or am I going to waste a beautiful weekend? Took some fresh air outside, with the sweet sounds of the birds and blazing sunshine. There is always a reason why Kerala is called God's Own Country.
Sat down with Burp against the app, going page by page and parameter by parameter. Ended up on the field used to update the name of an application created in Pega's Designer Studio. Something I noticed was weird: the Pega platform was accepting my inputs very kindly and showing 'Updated'. Ahaaa!! That means I'm able to inject arbitrary text into the 'Title' field. Why don't I try some <> HTML tags, or probably even scripts?
Pouring some petrol over my patience and curiosity, I injected <script> alert("XSS");</script>. Whoaaa, Pega's platform accepted it and saved it as HTML as is. No filtering, no pull over, and no censoring.
Tested it again and verified it. It's a persistent cross-site scripting vulnerability. I was able to inject a script which steals the cookies of people visiting the same page.
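What this class of bug comes down to is a title that is stored verbatim and later written into the page without output encoding. The following is an added example (not Pega's code), with a constructed in-memory store standing in for the Designer Studio back end; it shows the unsafe rendering beside the hardened version, plus a heuristic check a defender can run over already-stored titles to flag the ones carrying markup for clean-up after patching.

```javascript
// Added example, not Pega's code. A constructed in-memory store stands in
// for the Designer Studio back end that holds each application's title.
const store = new Map();

// The payload quoted in the write-up, stored exactly as submitted.
const PAYLOAD = '<script>alert("XSS");</script>';

function updateTitle(appId, title) {
  store.set(appId, title); // what the page describes: input accepted as-is
}

// Vulnerable rendering: the stored title is concatenated into markup
// unchanged, so a browser loading this page parses and runs the script.
function renderTitleVulnerable(appId) {
  return `<h1 class="app-title">${store.get(appId)}</h1>`;
}

// Hardened rendering: HTML-encode the five significant characters at output
// time, so the same stored value is shown as text instead of parsed as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderTitleSafe(appId) {
  return `<h1 class="app-title">${escapeHtml(store.get(appId))}</h1>`;
}

// Defender-side heuristic for reviewing existing stored titles: flag values
// that look like they contain an HTML tag so they can be cleaned up.
function containsMarkup(title) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(String(title));
}

updateTitle('app-1', PAYLOAD);
console.log(renderTitleVulnerable('app-1')); // script tag reaches the page
console.log(renderTitleSafe('app-1'));       // rendered as inert text
console.log(containsMarkup(store.get('app-1'))); // true
```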
Thought of disclosing it responsibly to Pegasystems, but was unlucky enough not to find any vulnerability disclosure contact info. Finally decided to send it to the Pegasystems support email ID. They replied asking for a Skype call to confirm and recreate the vulnerability. So thrilled for a video call with a security engineer at Pegasystems.
But meanwhile, my job required me to travel immediately to Riyadh, Saudi Arabia for a few penetration testing assignments. I like this red team kind of activity more than blue team. Maybe purple team is acceptable, but not blue for sure. I love breaking things, messing with things, crashing, etc. more than securing something. Huh, enough of the blah blah!
Rescheduled the Skype call with an awesome staff member (security engineer) at Pegasystems. He was so polite and friendly in discussing the vulnerability and how it was recreated. After a series of discussions, Pegasystems confirmed my vulnerability and started the patching and CVE allocation process. As Pegasystems was going through the CVE allocation process and SPECTRE/MELTDOWN came in between, my CVE allocation was delayed. Without losing hope, and feeling the happiness, I waited long. Finally I got it allocated: CVE-2017-17478.
Pegasystems posted its acknowledgement at https://pdn.pega.com/pegasystems-security-bulletin-cve-2017-17478/pegasystems-security-bulletin-cve-2017-17478
MITRE vulnerability link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17478
Damn! Happy about this. The first CVE I have discovered. NVD is still analysing CVE-2017-17478 at the time of writing this.
After all, I appreciate the effort taken by the Pegasystems security engineer to confirm, recreate, resolve, and patch the vulnerability. I also thank Pegasystems for supporting people like us in responsible disclosure.