Technical Analysis of "Chaining Three Bugs to Access All Your ServiceNow Data"

Overview:
This write-up by Assetnote details how a chain of three vulnerabilities was exploited to gain unrestricted access to ServiceNow's internal data. The attack demonstrates the critical importance of securing each layer of a web application. Here's a breakdown of the technical details and key takeaways from the write-up.

Key Technical Details:

1. Insecure Direct Object Reference (IDOR)

IDOR vulnerabilities occur when an application provides direct access to objects based on user-supplied input without proper authorization checks.
- Endpoint Misconfiguration: The research identified that ServiceNow numbered records such as incident tickets sequentially, and that these records could be accessed directly by their IDs (e.g., /incident/ followed by a sequential number).
- Impact: Authorized users could access records they were not meant to see simply by altering the ID parameter in the URL.
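The fix for this class of bug is an authorization decision per record, not less guessable IDs. The following Python is an added illustration (not ServiceNow's code): a lookup with the IDOR pattern beside a hardened one that evaluates an object-level rule and returns "not found" for denied records, plus a small detector that flags clients walking a sequential ID space in access logs. The incident store, the ownership rule and the log lines are constructed for the example.

```python
"""Object-level authorization for ID-addressed records, plus an
enumeration detector over access-log lines. Added illustration; the
record store, ACL rule and log lines below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Incident:
    number: int
    caller: str
    assignment_group: str
    short_description: str


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)


# Constructed sample data: sequentially numbered incidents.
INCIDENTS: Dict[int, Incident] = {
    1001: Incident(1001, "alice", "network", "VPN drops every hour"),
    1002: Incident(1002, "bob", "hr", "Payroll portal shows wrong salary"),
    1003: Incident(1003, "carol", "network", "Switch port flapping"),
}


def get_incident_vulnerable(number: int) -> Optional[Incident]:
    """The IDOR pattern: the lookup trusts the user-supplied ID and makes
    no authorization decision, so any sequential number returns a record."""
    return INCIDENTS.get(number)


def can_read(user: User, inc: Incident) -> bool:
    """Object-level rule (constructed): the caller, members of the assigned
    group, or an admin may read the record; everyone else is denied."""
    return (user.name == inc.caller
            or inc.assignment_group in user.groups
            or "admin" in user.roles)


def get_incident(user: User, number: int) -> Optional[Incident]:
    """Hardened lookup: authorization is evaluated per record, and a denied
    record is indistinguishable from a missing one, so the ID space cannot
    be mapped by comparing 403 with 404 responses."""
    inc = INCIDENTS.get(number)
    if inc is None or not can_read(user, inc):
        return None
    return inc


# --- Detection: flag clients that walk the ID space ----------------------
# Constructed log lines: client, method, path, status.
SAMPLE_LOG = """\
10.0.0.5 GET /incident/1001 200
10.0.0.5 GET /incident/1002 403
10.0.0.5 GET /incident/1003 403
10.0.0.5 GET /incident/1004 404
10.0.0.5 GET /incident/1005 404
10.0.0.9 GET /incident/1002 200
"""


def find_enumerators(log_text: str, min_span: int = 4) -> Dict[str, int]:
    """Return {client: longest run} for clients that requested min_span or
    more consecutive incident numbers. Status codes are ignored on purpose:
    denied and missing records count too, because the probing is the signal."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("/incident/"):
            continue
        try:
            seen[parts[0]].add(int(parts[2].rsplit("/", 1)[1]))
        except ValueError:
            continue  # non-numeric path segment, not an ID probe
    flagged = {}
    for client, ids in seen.items():
        longest = run = 0
        prev = None
        for n in sorted(ids):
            run = run + 1 if prev is not None and n == prev + 1 else 1
            longest = max(longest, run)
            prev = n
        if longest >= min_span:
            flagged[client] = longest
    return flagged
```

The detector is deliberately status-blind: a client that receives five 403/404 responses in a row on consecutive IDs is the event worth alerting on, and the hardened lookup makes sure those responses leak nothing about which IDs exist.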

2. JSON Web Token (JWT) Misconfiguration

JWTs are used for secure transmission of information between parties as a JSON object.
- Algorithm Confusion: They discovered that the implementation allowed the algorithm to be changed from the secure RS256 (RSA with SHA-256) to the insecure HS256 (HMAC with SHA-256).
- RS256 uses an asymmetric key pair (public/private key), which is generally robust, while HS256 uses a shared secret key.
- Exploitation:
  - The attacker could create a token using HS256 with a symmetric key.
  - By setting the algorithm to HS256, the application erroneously interpreted the key as valid, allowing attackers to forge and sign their own tokens.
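The defence is that the server, not the token, chooses the algorithm, and that this check happens before any signature work. The Python below is an added illustration (not ServiceNow's implementation) using only the standard library: a verifier that dispatches on the token's own `alg` header, beside a pinned verifier that rejects any token whose header does not name the configured algorithm. The public-key text, the shared secret and the tokens are constructed; only HS256 signing and verification are implemented here, since the pinned check rejects a mismatched header without ever needing an RS256 verifier (a real one would wrap an RSA library and be registered in the same `verifiers` table).

```python
"""JWT verification that pins the expected algorithm before touching the
signature. Added illustration; keys and tokens below are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict


def b64url_decode(s: str) -> bytes:
    # JWT segments omit padding; restore it so decoding works.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def hs256_sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def hs256_verify(signing_input: bytes, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(hs256_sign(signing_input, key), sig)


def make_token(claims: dict, alg: str, key: bytes) -> str:
    """Build a token whose header claims `alg`; the signature is always
    HS256 here, which is exactly the shape of a confused token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hs256_sign(f"{header}.{body}".encode(), key)
    return f"{header}.{body}.{b64url_encode(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """alg=none with an empty signature segment."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# verifier(signing_input, signature, key) -> bool
Verifier = Callable[[bytes, bytes, bytes], bool]


def _split(token: str):
    try:
        h, b, s = token.split(".")
        return h, b, s, json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc


def decode_trusting_header(token: str, key: bytes,
                           verifiers: Dict[str, Verifier]) -> dict:
    """The confusion pattern: the verification method is taken from the
    token's own header. If `key` is the RSA public key PEM, an HS256 token
    signed with that same PEM text is accepted."""
    h, b, s, header = _split(token)
    verify = verifiers.get(header.get("alg"))
    if verify is None:
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    if not verify(f"{h}.{b}".encode(), b64url_decode(s), key):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(b))


def decode_pinned(token: str, expected_alg: str, key: bytes,
                  verifiers: Dict[str, Verifier]) -> dict:
    """Hardened: the header must name exactly the configured algorithm, and
    that comparison happens before any signature check. 'none', HS256 on an
    RS256 service, or anything else is rejected outright."""
    h, b, s, header = _split(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} != pinned {expected_alg!r}")
    verify = verifiers.get(expected_alg)
    if verify is None:
        raise ValueError(f"no verifier registered for {expected_alg!r}")
    if not verify(f"{h}.{b}".encode(), b64url_decode(s), key):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(b))


def rejects(token: str, expected_alg: str, key: bytes,
            verifiers: Dict[str, Verifier]) -> bool:
    """True if the pinned verifier refuses the token."""
    try:
        decode_pinned(token, expected_alg, key, verifiers)
    except ValueError:
        return True
    return False


VERIFIERS: Dict[str, Verifier] = {"HS256": hs256_verify}
# Constructed stand-in for the server's RSA public key (visible to clients).
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"EXAMPLE-NOT-A-REAL-KEY\n"
                  b"-----END PUBLIC KEY-----\n")
# A token claiming HS256 and signed with the public-key text as the secret.
FORGED = make_token({"sub": "admin"}, "HS256", PUBLIC_KEY_PEM)
```

The pinned verifier still serves a service that legitimately uses HS256 with a real shared secret; what it refuses is letting the token decide. Libraries expose the same control as an explicit algorithm list passed at decode time, and that parameter should never be derived from the token.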

3. Server-Side Request Forgery (SSRF)

SSRF vulnerabilities allow an attacker to make arbitrary requests to internal systems.
- Misuse of External API Endpoints: The third vulnerability exploited ServiceNow's ability to fetch external resources. The researcher found that they could manipulate the URL to make internal requests, leading to sensitive data disclosure.
- Internal Services Access: Requests could be made to internal services not meant to be exposed externally.
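A URL-fetching feature needs a guard that decides where the server may connect before it connects. The Python below is an added illustration (not ServiceNow's code) of such a guard: it restricts the scheme, refuses embedded credentials, optionally enforces a host allowlist, resolves the name, and rejects any answer in a private, loopback, link-local or IPv4-mapped range, returning the one address the caller must connect to. The resolver table and the URLs are constructed so the example runs offline; `system_resolver` is what a deployment would pass instead.

```python
"""Outbound-fetch guard for a 'fetch this URL' feature. Added illustration;
the resolver map and URLs below are constructed."""
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup, used outside the test."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS answers for the offline example.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example.com": ["203.0.113.20", "10.0.0.7"],  # one public, one private
}


def fake_resolver(host: str) -> List[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host {host!r}")


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_blocked_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.1 style
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url: str, resolver: Resolver = system_resolver,
                       allowed_hosts: Iterable[str] = ()) -> str:
    """Return the single IP the fetcher may connect to, or raise ValueError.
    The caller must connect to this IP and send the Host header itself; if it
    re-resolves the name, a DNS answer that changes between check and use
    re-opens the hole. Every resolved address is checked, not just the first."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    allowed = set(allowed_hosts)
    if allowed and host not in allowed:
        raise ValueError(f"host {host!r} not in allowlist")
    try:
        addrs = [host] if _as_ip(host) else resolver(host)
    except OSError as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise ValueError(f"no address for {host!r}")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise ValueError(f"{host!r} resolves to internal address {addr}")
    return addrs[0]


def rejected(url: str, resolver: Resolver = system_resolver,
             allowed_hosts: Iterable[str] = ()) -> bool:
    """True if the guard refuses the URL."""
    try:
        check_fetch_target(url, resolver, allowed_hosts)
    except ValueError:
        return True
    return False
```

Two details matter in practice: redirects must be re-checked through the same function (disable automatic following and loop over each Location), and the range list should be tuned to the deployment, since cloud metadata and internal management networks are exactly what an SSRF is used to reach.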

Chaining the Vulnerabilities

Combining these three vulnerabilities enabled a more powerful exploit than any individual flaw:

  1. IDOR for Initial Access:
    • The attacker starts by exploiting the IDOR vulnerability to identify sensitive endpoints (such as API endpoints or internal admin pages) within ServiceNow that respond with JSON Web Tokens (JWTs).
  2. JWT Misconfiguration:
    • Using the IDOR vulnerability, the attacker retrieves a JWT from the exposed endpoint.
    • By changing the JWT signing algorithm to HS256 and creating a forged token, the attacker accesses authenticated endpoints of the ServiceNow API.
  3. SSRF Exploitation:
    • Using the forged JWT, the attacker reaches API endpoints that allow URL fetching.
    • They then exploit the SSRF by sending requests to internal ServiceNow endpoints, bypassing network restrictions and obtaining unrestricted access to sensitive internal data.

Key Takeaways:

Conclusion:

The research illustrates that even a sophisticated platform like ServiceNow can be compromised through multiple chained vulnerabilities. Each vulnerability on its own might seem manageable, but together they can be devastating. This underscores the significance of holistic security practices to safeguard web applications.

For the complete write-up, refer to the original blog post here.