OpenText Extended ECM 22.3 Java Frontend Remote Code Execution

OpenText Extended ECM versions 20.4 through 22.3 suffer from a pre-authentication remote code execution vulnerability in the Java frontend.

Packet Storm
SEC Consult Vulnerability Lab Security Advisory < 20230117-1 >
=======================================================================
              title: Pre-authenticated Remote Code Execution via Java frontend
                     and QDS endpoint
            product: OpenText™ Content Server component of OpenText™ Extended ECM
 vulnerable version: 20.4 - 22.3
      fixed version: 22.4
         CVE number: CVE-2022-45927
             impact: Critical
           homepage: https://www.opentext.com
              found: 2022-09-16
                 by: Armin Stock (Atos)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult, an Atos company
                     Europe | Asia | North America
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the
information lifecycle by integrating with leading enterprise applications, such
as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content
and processes together, Extended ECM provides access to information when and
where it's needed, improves decision-making and drives operational effectiveness."

Source: https://www.opentext.com/products/extended-ecm

Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:
-----------------------------------
1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)

The `QDS` endpoints of the `Content Server` are not protected by the normal
user management functionality of the `Content Server`, but check the value of
the key `_REQUEST` of the incoming data. Normally this parameter is set by the
HTTP frontend (e.g. the `CGI` binary `cs.exe` or the `Java` application servlet)
to `llweb`.

There is a bug in the `Java` application server, found in
`%OT_BASE%/application/cs.war`, which allows an attacker to actually set the
value of the key `_REQUEST` to an arbitrary value and bypass the authorization
checks.

Most of the endpoints cannot be called, because they require specific data types
of the incoming data, which cannot be controlled by the attacker. Only strings
are supported. But a few endpoints can be called which allow an attacker to create
files or execute arbitrary code on the server.

Proof of concept:
-----------------
1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)

To be able to set the value of the `_REQUEST` parameter the attacker has to
send the data via a `POST` request with a `Content-Type` of `multipart/form-data`.
This results in the following execution flow:
-------------------------------------------------------------------------------
[ Details removed, will be published at a later date ]
-------------------------------------------------------------------------------

The following request (using the `CGI` frontend) results in an unauthorized
response:
-------------------------------------------------------------------------------
[ PoC removed, will be published at a later date ]
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
<!-- Response -->
<div class="cs-form-container cs-form-message-container">
  <div>
    <div class="cs-form-line-text cs-form-message cs-form-message-error" title="Error" id="errMsg" >
      <p>
        Content Server Error:
      </p>
      <p>
        The request did not come from XXX.
      </p>
    </div>
  </div>
</div>
-------------------------------------------------------------------------------

Whereas using the `Java` application server results in the following response:
-------------------------------------------------------------------------------
HTTP/1.1 200
A<1,?,'ErrMsg'=?,'ErrMsgDetail'=?,'OK'=true,'QDSServerList'={}>
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-UA-Compatible: IE=edge
Content-Length: 0
Date: Tue, 27 Sep 2022 13:04:47 GMT
Connection: close
-------------------------------------------------------------------------------

Create new objects:
Using this bug it is possible to create objects in the `Content Server` without
known credentials and in the context of the super-admin user (ID `1000`), by
calling the endpoint `[ Details removed, will be published at a later date ]`.
-------------------------------------------------------------------------------
[ PoC removed, will be published at a later date ]
-------------------------------------------------------------------------------

The new object (subType = `145` text file) is created without providing cookies
and the `owner` attribute of this object is set to `1000` (super admin):
-------------------------------------------------------------------------------
HTTP/1.1 200
A<1,?,'CATEGORY'=?,'CloneTime'=D/2022/9/28:8:10:5,'COMMENT'='created','ContentType'=?,'CREATEDATE'=D/2022/9/28:8:10:5,'CREATEDBY'=1000,'DataID'=51982,'DATELASTMODIFY'=D/2022/9/28:8:10:5,'EXATT1'=?,'EXATT2'=?,'EXTENDEDDATA'=?,'GROUPPERM'=128,'location'=E648871951,'MAJOR'=?,'MAXVERSION'=-1,'MINOR'=?,'Name'='qds-create-poc.txt','nextURL'=E648871951,'Node'=A<1,?,'AssignedTo'=?,'CacheExpiration'=0,'Catalog'=0,'ChildCount'=0,'CreateDate'=D/2022/9/28:8:10:5,'CreatedBy'=1000,'DataID'=51982,'DataType'=?,'DateAssigned'=?,'DateCompleted'=?,'DateDue'=?,'DateEffective'=?,'DateExpiration'=?,'DateStarted'=?,'DCategory'=?,'DComment'='created','Deleted'=0,'ExAtt1'=?,'ExAtt2'=?,'ExtendedData'=?,'ExternalCreateDate'=?,'ExternalCreatorID'=?,'ExternalModifyDate'=?,'ExternalSourceID'=?,'GIF'=?,'GPermissions'=128,'GroupID'=999,'GUID'='@[537A1229-E0F5-45EE-A3F2-D7F91EE6CBBC]','Major'=?,'MaxVers'=-1,'Minor'=?,'ModifiedBy'=1000,'ModifyDate'=D/2022/9/28:8:10:5,'Multilingual'=V{<'LanguageCode','Name','DComment'><'de','qds-create-poc.txt','created'>},'Name'='qds-create-poc.txt','Ordering'=?,'OriginDataID'=0,'OriginOwnerID'=0,'OwnerID'=-2004,'ParentID'=2004,'PermID'=?,'Priority'=?,'ReleaseRef'=?,'Reserved'=0,'ReservedBy'=0,'ReservedDate'=?,'SPermissions'=16777215,'Status'=?,'SubType'=144,'UPermissions'=16777215,'UserID'=1000,'VersionNum'=1,'WPermissions'=128>,'OK'=true,'ORDERING'=?,'ORIGINALID'=0,'ORIGINALVOLID'=0,'PARENTID'=2004,'PERMISSIONS'=-2130706433,'PermsOK'=true,'Public'=false,'RELEASEREF'=?,'RESERVED'=0,'RESERVEDBY'=0,'RESERVEDDATE'=?,'SUBTYPE'=144,'SYSTEMPERM'=16777215,'USERID'=1000,'USERPERM'=16777215,'VERSION'=A<1,?,'DataSize'=6,'DocID'=51982,'ExternalCreateDate'=?,'ExternalCreatorID'=?,'ExternalModifyDate'=?,'ExternalSourceID'=?,'FileCDate'=D/2022/9/28:8:10:5,'FileCreator'=?,'FileMDate'=D/2022/9/28:8:10:5,'FileName'='qds-create-poc.txt','FileType'='html','GUID'='@[DF09D9F7-6A86-40CB-AECD-57FD5FB7D38B]','Indexed'=0,'Locked'=0,'LockedBy'=?,'LockedDate'=?,'MimeType'='text/html','Owner'=1000,'PageNum'=?,'Platform'=0,'ProviderId'=51982,'ProviderName'='SQL','ResSize'=0,'VerCDate'=D/2022/9/28:8:10:5,'VerComment'=?,'VerMajor'=0,'VerMDate'=D/2022/9/28:8:10:5,'VerMinor'=1,'Version'=1,'VersionID'=51982,'VersionName'='1','VerType'=?>,'versionInfo'=A<1,?,'COMMENT'=?,'CREATEDATE'=D/2022/9/28:8:10:5,'FILECREATEDATE'=D/2022/9/28:8:10:5,'FILECREATOR'=?,'FILEDATASIZE'=6,'FILEMODIFYDATE'=D/2022/9/28:8:10:5,'FILENAME'='qds-create-poc.txt','FILEPLATFORM'=0,'FILERESSIZE'=0,'FILETYPE'='html','ID'=51982,'INDEXED'=0,'LOCKED'=0,'LOCKEDBY'=?,'LOCKEDDATE'=?,'MIMETYPE'='text/html','MODIFYDATE'=D/2022/9/28:8:10:5,'NAME'='1','NODEID'=51982,'NUMBER'=1,'OWNER'=1000,'PROVIDERID'=51982,'PROVIDERNAME'='SQL','TYPE'=?>,'VOLUMEID'=-2004,'WORLDPERM'=128>
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-UA-Compatible: IE=edge
Content-Length: 0
Date: Wed, 28 Sep 2022 08:10:05 GMT
Connection: close
-------------------------------------------------------------------------------

There is a process object (`typeId` = 271), which can be created and executed
afterwards, allowing attackers to execute arbitrary code.

Vulnerable / tested versions:
-----------------------------
The following version has been tested:
* 22.1 (16.2.19.1803)

The following versions are vulnerable according to the vendor:
* 20.4 - 22.3

Vendor contact timeline:
------------------------
2022-10-07: Vendor contacted via [email protected]
            Vendor acknowledged the email and is reviewing the reports
2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to
            be released in November
2022-11-24: Vendor delays the patch "few days/weeks into December"
2022-11-25: Requesting CVE numbers (Mitre)
2022-12-15: Vendor delays the patch and provides a release date: January 16th 2023
2023-01-17: Public release of security advisory

Solution:
---------
Upgrade to at least version 22.4 or apply hotfixes which can be downloaded at
the vendor's page:
https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429

Workaround:
-----------
None

Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2023
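The advisory's precondition for the bypass is concrete enough to detect at the edge: the `_REQUEST` key is supposed to be set to `llweb` by the frontend itself, so any client that supplies a `_REQUEST` field in a `multipart/form-data` POST is doing something the frontend never asks of it. The following detection helper is an added example written for this page; it is not code from the SEC Consult advisory or from OpenText, and it does not reproduce the withheld PoC. It parses a raw HTTP request, walks the multipart body, and reports any client-supplied `_REQUEST` value. The request path `/cs/cs`, the host name and the two sample requests are constructed for illustration.

```python
"""Flag HTTP requests in which the client itself sets the QDS `_REQUEST` key.

Added detection example, not code from the SEC Consult advisory or from
OpenText. Per the advisory, `_REQUEST` is normally set to `llweb` by the
CGI/Java frontend and the bypass needs the attacker to smuggle the key in
via a multipart/form-data POST. Paths and sample requests are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

SUSPICIOUS_FIELD = "_REQUEST"   # key the QDS endpoints trust (per advisory)


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def multipart_boundary(content_type: str) -> Optional[str]:
    """Return the boundary token for multipart/form-data, else None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    match = re.search(r'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    return match.group(1) if match else None


def parse_multipart(body: bytes, boundary: str) -> List[Tuple[str, bytes]]:
    """Minimal multipart/form-data parser: [(field name, raw part body)]."""
    delimiter = b"--" + boundary.encode("latin-1")
    parts: List[Tuple[str, bytes]] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        part_head, _, part_body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name_match = re.search(rb'name="([^"]*)"', part_head)
        if name_match:
            parts.append((name_match.group(1).decode("latin-1"),
                          part_body.rstrip(b"\r\n")))
    return parts


def find_request_overrides(raw: bytes) -> List[str]:
    """Values the client supplied for `_REQUEST` inside a multipart POST."""
    request_line, headers, body = split_request(raw)
    if not request_line.upper().startswith("POST "):
        return []
    boundary = multipart_boundary(headers.get("content-type", ""))
    if boundary is None:
        return []
    return [value.decode("latin-1", "replace")
            for name, value in parse_multipart(body, boundary)
            if name.upper() == SUSPICIOUS_FIELD]


def is_bypass_attempt(raw: bytes) -> bool:
    """True when the client sets `_REQUEST` itself, whatever the value is."""
    return bool(find_request_overrides(raw))


# Constructed sample traffic (not from the advisory). The /cs/cs path is an
# assumed deployment path for the cs.war frontend, not taken from the page.
SUSPICIOUS_POST = (
    b"POST /cs/cs HTTP/1.1\r\n"
    b"Host: ecm.example.internal\r\n"
    b"Content-Type: multipart/form-data; boundary=----sample\r\n"
    b"\r\n"
    b"------sample\r\n"
    b'Content-Disposition: form-data; name="_REQUEST"\r\n'
    b"\r\n"
    b"llweb\r\n"
    b"------sample\r\n"
    b'Content-Disposition: form-data; name="data"\r\n'
    b"\r\n"
    b"redacted\r\n"
    b"------sample--\r\n"
)

BENIGN_UPLOAD = (
    b"POST /cs/cs HTTP/1.1\r\n"
    b"Host: ecm.example.internal\r\n"
    b"Cookie: redacted\r\n"
    b"Content-Type: multipart/form-data; boundary=----sample\r\n"
    b"\r\n"
    b"------sample\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"------sample--\r\n"
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_POST), ("benign", BENIGN_UPLOAD)):
        print(label, "->", find_request_overrides(sample))
```

The check deliberately ignores the value: a client sending `_REQUEST=llweb` is just as anomalous as one sending garbage, because the advisory's point is that only the frontend should ever populate that key. It is a detection aid for proxy logs or a WAF rule, not a substitute for the 22.4 upgrade or hotfix; a request that the frontend strips correctly and one it passes through look identical on the wire.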

Related news

CVE-2022-45927: Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (OpenText™ Extended ECM)

An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Java application server can be used to bypass the authentication of the QDS endpoints of the Content Server. These endpoints can be used to create objects and execute arbitrary code.
