Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)

["Rahim, Mohaiman via Fulldisclosure" <fulldisclosure () seclists org>]

Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)

Credit: Mohaiman Rahim

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

# Product:  RLM 15.1
# Vendor:   Reprise Software
# CVE ID:   CVE-2023-43183
# Vulnerability Title: Incorrect Access Control (leading to PrivEsc)
# Severity:  High
# Author(s): Mohaiman Rahim
# Date:     2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control vulnerability which allows low level users, 
such as read-only users, to arbitrarily change the password of an admin and hijack their account.

Vulnerability PoC:

This vulnerability can be demonstrated by modifying the "user" POST parameter at 
http://HOST:5054/change_password_process with the username of a target user (such as an Admin account).
When executed this will result in the password of the targeted user being changed and the account therefore being 
compromised.




////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

# Product:  RLM 15.1
# Vendor:   Reprise Software
# CVE ID:   CVE-2023-44031
# Vulnerability Title: Incorrect Access Control (leading to arbitrary file write)
# Severity:  High
# Author(s): Mohaiman Rahim
# Date:     2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control vulnerability which allows a user to perform 
privileged web application functions, such as a function that generates system information.
This vulnerability can be exploited to be able to change the path of where the diagnostics file should be saved via a 
crafted HTTP POST request.
This can allow an attacker to save the diagnostics file, containing system information, in insecure locations.

Vulnerability PoC:

This vulnerability can be demonstrated by modifying the "outputfile" POST parameter at 
http://HOST:5054/diagnostics_doit to an insecure path accessible by local users such as "C:\temp".

Deloitte Disclaimer: Deloitte refers to a Deloitte member firm, one of its related entities, or Deloitte Touche 
Tohmatsu Limited ("DTTL"). Each Deloitte member firm is a separate legal entity and a member of DTTL. DTTL does not 
provide services to clients. Please see www.deloitte.com/about to learn more. Deloitte Statsautoriseret 
Revisionspartnerselskab, CVR-nr. 33 96 35 56 This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you 
should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or 
the taking of any action based on it, is strictly prohibited.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/