lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <PR3PR85MB02697849E650123ACF908BC1A8742@PR3PR85MB0269.NAMPRD85.PROD.OUTLOOK.COM>
Date: Tue, 23 Jan 2024 15:57:04 +0000
From: "Rahim, Mohaiman via Fulldisclosure" <fulldisclosure@...lists.org>
To: Harry Sintonen via Fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Multiple Vulnerabilities in Reprise License Manager 15.1
 (CVE-2023-43183, CVE-2023-44031)

Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)

Credit: Mohaiman Rahim

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

# Product:  RLM 15.1
# Vendor:   Reprise Software
# CVE ID:   CVE-2023-43183
# Vulnerability Title: Incorrect Access Control (leading to PrivEsc)
# Severity:  High
# Author(s): Mohaiman Rahim
# Date:     2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control vulnerability which allows low level users, such as read-only users, to arbitrarily change the password of an admin and hijack their account.

Vulnerability PoC:

This vulnerability can be demonstrated by modifying the "user" POST parameter at http://HOST:5054/change_password_process with the username of a target user (such as an Admin account).
When executed this will result in the password of the targeted user being changed and the account therefore being compromised.




////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

# Product:  RLM 15.1
# Vendor:   Reprise Software
# CVE ID:   CVE-2023-44031
# Vulnerability Title: Incorrect Access Control (leading to arbitrary file write)
# Severity:  High
# Author(s): Mohaiman Rahim
# Date:     2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control vulnerability which allows a user to perform privileged web application functions, such as a function that generates system information.
This vulnerability can be exploited to be able to change the path of where the diagnostics file should be saved via a crafted HTTP POST request.
This can allow an attacker to save the diagnostics file, containing system information, in insecure locations.

Vulnerability PoC:

This vulnerability can be demonstrated by modifying the "outputfile" POST parameter at http://HOST:5054/diagnostics_doit to an insecure path accessible by local users such as "C:\temp".

Deloitte Disclaimer: Deloitte refers to a Deloitte member firm, one of its related entities, or Deloitte Touche Tohmatsu Limited ("DTTL"). Each Deloitte member firm is a separate legal entity and a member of DTTL. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more. Deloitte Statsautoriseret Revisionspartnerselskab, CVR-nr. 33 96 35 56 This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ