1. INFORMATION -------------- [+] CVE : CVE-2022-43684 [+] Title : Insecure Access Control To Full Admin Compromise [+] Vendor : ServiceNow [+] Publication date : June 2023 [+] Credits : Luke Symons, Tony Wu, Eldar Marcussen, Gareth Phillips, Jeff Thomas, Nadeem Salim, and Stephen Bradshaw. 2. AFFECTED VERSIONS -------------------- * Quebec prior to Patch 10 Hot Fix 8b * Rome prior to Patch 10 Hot Fix 1 * San Diego prior to Patch 7 * Tokyo prior to Tokyo Patch 1; and * Utah prior to Utah General Availability 3. DETAILS ---------- ServiceNow is a cloud-based platform that provides service management software as a service (SaaS). It is used by a millions of companies worldwide, and specializes in IT Service Management (ITSM), IT Operations Management (ITOM), and IT Business Management (ITBM). It allows users to manage incidents, service requests, problems, and changes within the IT infrastructure of a business. It also provides a self-service portal where end users can request IT services and log issues. During a security audit it was identified that a threat actor could exploit a access control issue and a number of other vulnerabilities and chain them together in a ServiceNow instance leading to an effective account takeover to obtain administrative access on the platform as a low privileged user. An XHR request to xmlhttp.do with the "ChartDataProcessor" processor in the POST request allows the enumeration of the ServiceNow GQL database, including read access to the `sys_user_session` and `sys_user_token` tables, which provide the necessary information to generate valid `glide_user_activity` and `glide_session_store` cookies, and the X-Usertoken header to allow privilege escalation to any previously authenticated user. 4. Information ---- A blog writeup detailing the vulnerablties and issues aswell as a proof of concept can be accessed at https://x64.sh/posts/ServiceNow-Insecure-access-control-to-admin/ 5. Remediation ---- ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality.