Vendor description
"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the information lifecycle by integrating with leading enterprise applications, such as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content and processes together, Extended ECM provides access to information when and where it’s needed, improves decision-making and drives operational effectiveness."
Source: https://www.opentext.com/products/extended-ecm
Business recommendation
The vendor provides a patch which should be installed immediately.
Vulnerability Overview/Description
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)
The Common Gateway Interface (CGI) program cs.exe of the Content Server has a vulnerability which allows an attacker to increment or decrement an arbitrary memory address by 1 and to trigger a call to a method of a vftable whose pointer value is chosen by the attacker.
cs.exe de-serializes (cracks) the user-provided data in the `_fInArgs` parameter if the parameter `_ApiName` is set. During this de-serialization into a `class KOSValue` object, the function `obj_ref_cracker` can be called. This function tries to create a new `class KOSValue` object with an unknown class ID of `3`.

As the class ID is unknown, the function returns an object of type KOSValueBaseClass instead of KOSObjRefClass, but the value of the class_ptr attribute of the new class KOSValue object is controlled by the attacker. This new object can then be used to increment or decrement arbitrary memory addresses and to call methods of its vftable via the functions KOSValueBaseClass::AddReference and KOSValueBaseClass::ReleaseReference.
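The bug class described above, as an added illustration that is not the advisory's PoC and not OpenText's code: a constructed deserializer that falls back to a base object for an unknown class ID while letting a pointer field come straight from the input, beside the hardened form that rejects unknown IDs and resolves the pointer from a trusted table. The type names, the known class IDs 1 and 2, and the helper names are assumptions; 0xAAAA is the address quoted in the PoC section.

```c
/* Constructed model of the vulnerable pattern (not cs.exe's implementation). */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

enum { KOS_CLASS_INT = 1, KOS_CLASS_STR = 2 };   /* hypothetical known IDs */

typedef struct kos_class { long refcount; void (*release)(void *); } kos_class;
typedef struct kos_value { int class_id; kos_class *class_ptr; } kos_value;

/* Vulnerable shape: an unrecognised class ID (e.g. 3) still yields an object,
 * and the untrusted value from the wire lands in class_ptr unchanged. */
kos_value *crack_unsafe(int class_id, uintptr_t wire_ptr) {
    kos_value *v = calloc(1, sizeof *v);
    if (!v) return NULL;
    v->class_id = class_id;
    v->class_ptr = (kos_class *)wire_ptr;   /* attacker-controlled pointer */
    return v;
}

/* Hardened shape: unknown IDs are rejected outright, and class_ptr is always
 * taken from a trusted, process-owned table, never from the input stream. */
static kos_class trusted_classes[3];   /* slots 1 and 2 hold the known classes */

kos_value *crack_safe(int class_id, uintptr_t wire_ptr) {
    (void)wire_ptr;   /* wire data must never become a pointer */
    if (class_id != KOS_CLASS_INT && class_id != KOS_CLASS_STR) return NULL;
    kos_value *v = calloc(1, sizeof *v);
    if (!v) return NULL;
    v->class_id = class_id;
    v->class_ptr = &trusted_classes[class_id];
    return v;
}

/* AddReference as the advisory describes it: an increment through class_ptr.
 * Fed an object from crack_unsafe this is the arbitrary "+1" write (and an
 * access violation for an unmapped address such as 0xAAAA); fed an object
 * from crack_safe it only ever touches a trusted kos_class. Returns 0 when
 * there is nothing valid to reference. */
int add_reference(kos_value *v) {
    if (!v || !v->class_ptr) return 0;
    v->class_ptr->refcount++;
    return 1;
}
```

The defensive point is the return value of crack_safe for ID 3: a type tag the deserializer does not recognise must fail the whole cracking step rather than produce a partially trusted object.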
Proof of concept
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)
The following request crashes the `CGI` binary cs.exe with an access violation exception (0xC0000005) while trying to read memory from address 0xAAAA+8:
[ PoC removed, will be published at a later date ]
There are .dll files (libaprutil-1.dll & libapriconv-1.dll) which are not compiled with Address Space Layout Randomization (ASLR) enabled; these can be used to achieve remote code execution.
.\winchecksec.exe --json (get-item C:\OPENTEXT-22\cgi\*.dll) > .\checksec-results.json
cat checksec-results.json | jq -r '.[] | [.path, .mitigations.aslr.presence] | @csv'
"icudt69.dll","Present"
"icuin69.dll","Present"
"icuio69.dll","Present"
"icutu69.dll","Present"
"icuuc69.dll","Present"
"jsoncpp.dll","Present"
"libapr-1.dll","Present"
"libapriconv-1.dll","NotPresent"
"libaprutil-1.dll","NotPresent"
"libcrypto-1_1-x64.dll","Present"
"libexpat.dll","Present"
"libssl-1_1-x64.dll","Present"
"llcrypt.dll","Present"
"llisapi.dll","Present"
"llkernel.dll","Present"
"llresources.dll","Present"
"log4cxx.dll","Present"
"PocoFoundation.dll","Present"
Vulnerable / tested versions
The following version has been tested:
- 22.1 (16.2.19.1803)
The following versions are vulnerable according to the vendor:
- 20.4 - 22.3