Chaining Three Bugs to Access All Your ServiceNow Data
ServiceNow is a platform for business transformation. Through their modules, ServiceNow can be used for anything ranging from HR and employee management, to automation workflows, or as a knowledge-base. We began security research into this platform for several reasons, which together make ServiceNow a potentially attractive target:
Through the course of three to four weeks, we were able to find a chain of vulnerabilities that allows full database access and full access to any MID servers configured.
ServiceNow is a Java monolith weighing over 20GB in .jar files alone. Typically, you would not self-host this but would provision a cloud instance instead. ServiceNow offers free developer instances at https://developer.servicenow.com/ in a shared tenancy setup, which is extremely useful for testing and debugging.
Since ServiceNow is designed to be ultra customizable, a lot of the configuration is done in a database; unlike a typical Java application, where a bunch of servlets are registered in a web.xml and endpoints are hardcoded into the application, a ServiceNow instance will consult a set of database tables to determine where to route most requests.
/cdn.vox-cdn.com/uploads/chorus_asset/file/23951575/VRG_Illo_STK192_L_Normand_LinaKhan_Neutral.jpg)
