CVE-2022-43999

Vulnerability

An issue exists in BACKCLICK Professional 5.9.63 (On-Premises) where the CORBA implementation repository (IMR) service is exposed on port 65501 without authentication [1][2]. The initial object reference (IOR) required to address the service is predictable, enabling an attacker to interact with the service. The IMR service allows dynamic activation of additional servers, and an arbitrary system command can be specified for the new server instance [1]. This vulnerability is classified as CWE-306: Missing Authentication for Critical Function [1].

Exploitation

An attacker with network access to the exposed CORBA IMR service on port 65501 can exploit this vulnerability without any prior authentication [1]. Using a CORBA client library like JacORB, the attacker crafts a request to register and start a new server instance, specifying the desired system command to execute on the server [1]. The proof of concept provided demonstrates the use of Java code with the JacORB client library to invoke the IMR service for command execution [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary system commands on the server [1][2]. This can lead to full compromise of the server, including arbitrary code execution, data exfiltration, and potential lateral movement within the network [2]. The impact is high due to the lack of authentication and the ability to run commands with the privileges of the BACKCLICK server process.

Mitigation

As of the public disclosure date (2022-11-14), the solution status was unknown, and no official patch or workaround had been provided by the manufacturer [1]. The SySS advisory notes that details on remediation by the manufacturer are not yet available [2]. Users should monitor for updates from BACKCLICK GmbH and consider network-level controls, such as restricting access to port 65501 from untrusted networks, until a patch is released.