Researchers have uncovered two critical pre-authentication vulnerabilities in the OpenText Extended ECM content management system that could allow an attacker to gain remote code execution on vulnerable servers.
Both vulnerabilities are present in versions 20.4-22.3 of Extended ECM and are fixed in version 22.4, which OpenText released last week. Extended ECM is an enterprise content management system designed to integrate with a variety of other applications, including Salesforce, SAP, and Microsoft 365. Researchers at SEC Consult discovered the vulnerabilities and disclosed them to OpenText in October.
The first bug (CVE-2022-45923) is in the cs.exe component of Extended ECM server and is a result of the way that it handles some user input.
“The Common Gateway Interface (CGI) program cs.exe of the Content Server has a vulnerability, which allows an attacker to increase/decrease an arbitrary memory address by 1 and to trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. The cs.exe does de-serialize (crack) the user provided data in the _fInArgs parameter, if the parameter _ApiName is set. During this de-serialization to a class KOSValue object, the function obj_ref_cracker can be called. This function tries to create a new class KOSValue object with an unknown class ID of 3,” the advisory says.
“As the class ID is unknown the function returns an object of type KOSValueBaseClass instead of KOSObjRefClass, but the value of the class_ptr attribute of the new class KOSValue object is controlled by the attacker. This new object can then be used to increase/decrease arbitrary memory addresses and call methods of its vftable via the functions KOSValueBaseClass::AddReference and KOSValueBaseClass::ReleaseReference.”
The second vulnerability is in the Java frontend of the Extended ECM server and can allow an attacker to bypass authentication to gain code execution.
“The QDS endpoints of the Content Server are not protected by the normal user management functionality of the Content Server, but check the value of the key REQUEST of the incoming data. Normally this parameter is set by the HTTP frontend (e.g. the CGI binary cs.exe or Java application servlet) to llweb,” the SEC Consult advisory says.
“There is a bug in the Java application server, found in %OT_BASE%/application/cs.war, which allows an attacker to actually set the value of the key REQUEST to an arbitrary value and bypass the authorization checks. Most of the endpoints cannot be called, because they require specific data types of the incoming data, which can not be controlled by the attacker. Only strings are supported. But a few endpoints can be called which allow an attacker to create files or execute arbitrary code on the server.”
In addition to these two flaws, version 22.4 also includes fixes for five other vulnerabilities that are less serious. One of those bugs could enable an authenticated attacker to execute code.