CVE-2022-45923: Pre-authenticated Remote Code Execution in cs.exe (OpenText™ Server Component)

There is a vulnerability in the “cs.exe” program of the OpenText™ Content Server component of OpenText™ Extended ECM, which allows an attacker to create an object with a fake “vftable” and execute arbitrary code by abusing a DLL which was compiled without ASLR.

Vendor description

“OpenText™ Extended ECM is an enterprise CMS platform that securely governs the information lifecycle by integrating with leading enterprise applications, such as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content and processes together, Extended ECM provides access to information when and where it’s needed, improves decision-making and drives operational effectiveness.”

Source: https://www.opentext.com/products/extended-ecm

Business recommendation

The vendor provides a patch which should be installed immediately.

Vulnerability Overview/Description****1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)

The Common Gateway Interface (CGI) program cs.exe of the Content Server has a vulnerability, which allows an attacker to increase/decrease an arbitrary memory address by 1 and to trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker.

The cs.exe does de-serialize (crack) the user provided data in the `_fInArgs` parameter, if the parameter `_ApiName` is set. During this de-serialization to a `class KOSValue` object, the function `obj_ref_cracker` can be called. This function tries to create a new `class KOSValue` object with an unknown class ID of `3`.

As the class ID is unknown the function returns an object of type KOSValueBaseClass instead of KOSObjRefClass, but the value of the class_ptr attribute of the new class KOSValue object is controlled by the attacker. This new object can then be used to increase/decrease arbitrary memory addresses and call methods of its vftable via the functions KOSValueBaseClass::AddReference and KOSValueBaseClass::ReleaseReference.

Proof of concept****1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)

The following request crashes the `CGI` binary cs.exe with an access violation exception - 0xC0000005 trying to read memory from address 0xAAAA+8:

[ PoC removed, will be published at a later date ]

There are .dll files (libaprutil-1 & libapriconv-1.dll) which are not compiled with the security flag Address Space Layout Randomization - ASLR enabled, which can be used to achieve remote code execution.

.\winchecksec.exe --json (get-item C:\OPENTEXT-22\cgi\*.dll) > .\checksec-results.json

cat checksec-results.json | jq -r '.[] | [.path, .mitigations.aslr.presence] | @csv'

"icudt69.dll","Present"
"icuin69.dll","Present"
"icuio69.dll","Present"
"icutu69.dll","Present"
"icuuc69.dll","Present"
"jsoncpp.dll","Present"
"libapr-1.dll","Present"
"libapriconv-1.dll","NotPresent"
"libaprutil-1.dll","NotPresent"
"libcrypto-1_1-x64.dll","Present"
"libexpat.dll","Present"
"libssl-1_1-x64.dll","Present"
"llcrypt.dll","Present"
"llisapi.dll","Present"
"llkernel.dll","Present"
"llresources.dll","Present"
"log4cxx.dll","Present"
"PocoFoundation.dll","Present"

Vulnerable / tested versions

The following version has been tested:

• 22.1 (16.2.19.1803)

The following versions are vulnerable according to the vendor:

• 20.4 - 22.3

Vendor contact timeline