Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server

We discussed this vulnerability during Episode 203 on 10 April 2023

A stupid auth bypass (for the app, great find by the researcher), and a server-side template injection in Pentaho. Starting with the SSTI: Pentaho has a few endpoints to configure and test LDAP connections. To do so it creates an XML-based bean definition and a properties file containing all the user-provided data. As this is administrative functionality the input is simply trusted, so Thymeleaf templates can be included in the properties, and they will be parsed and executed. As you'd expect, these templates can call arbitrary Java, such as invoking the java.lang.Runtime class and its .getRuntime().exec(...) method for arbitrary code execution.

http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a

Pretty straightforward code execution, but it sits behind privileged (administrative) access.

Enter the authorization bypass. Pentaho has various authorization checks, but for unauthenticated access the primary control is a set of regular expressions which define the allowed endpoints. The regex allows any path ending with /require.js to be accessed by an unauthenticated user. For most of the application's endpoints, just appending /require.js would break the routing and not actually lead to accessing any sensitive endpoint. One endpoint that would still be correctly resolved is the previously mentioned api/ldap/config/ldapTreeNodeChildren endpoint.
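As an added example (not from the episode or from Pentaho's code), the script below reconstructs the shape of the suffix-based allow-list flaw and shows a log-scanning check for the two things described above: a request to the LDAP config API carrying SpEL/Thymeleaf expression syntax, and an API path with /require.js bolted on. The regex patterns, the static-resource prefixes and the access-log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical reconstruction of the kind of unauthenticated allow-list the
# episode describes (NOT Pentaho's actual pattern): anything ending in
# /require.js passes, so an API path with the suffix appended passes too.
WEAK_ALLOW = re.compile(r"^.*/require\.js$")

# Hardened alternative (assumed static prefixes): require.js may only be
# served from known resource directories, so API paths can never match.
STRICT_ALLOW = re.compile(r"^/pentaho/(?:content|js|ui)/(?:[^?]*/)?require\.js$")

def is_anon_allowed(path: str, allow: re.Pattern = STRICT_ALLOW) -> bool:
    """True if the path would be served without authentication."""
    return allow.match(path) is not None

# Markers of an expression being smuggled into the LDAP configuration API.
SPEL_MARKERS = re.compile(r"#\{|T\(java\.lang\.Runtime\)|getRuntime\(\)")
LDAP_ENDPOINT = "/pentaho/api/ldap/config/"

def suspicious(request_target: str) -> bool:
    """Flag LDAP-config requests with SpEL syntax in the query, or with the
    /require.js auth-bypass suffix on the API path."""
    parts = urlsplit(request_target)          # split before unquoting, so a
    path = unquote(parts.path)                # decoded '#' is not a fragment
    query = unquote(parts.query)
    if not path.startswith(LDAP_ENDPOINT):
        return False
    if SPEL_MARKERS.search(query):
        return True
    return path.endswith("/require.js")

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /pentaho/js/require.js HTTP/1.1" 200',
    '10.0.0.7 - - "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js'
    '?url=%23{T(java.lang.Runtime).getRuntime().exec(\'notepad.exe\')}&mgrDn=a&pwd=a HTTP/1.1" 200',
    '10.0.0.9 - - "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/?url=ldap://ldap.example.internal&mgrDn=cn=admin&pwd=x HTTP/1.1" 401',
]

def scan(lines):
    """Return the indices of log lines worth alerting on."""
    hits = []
    for i, line in enumerate(lines):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if m and suspicious(m.group(1)):
            hits.append(i)
    return hits
```

Note that a legitimate admin test of the LDAP endpoint (the third line) is not flagged; only expression syntax or the bypass suffix triggers an alert.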