[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Secunia Research: Reprise License Manager "akey" Buffer Overflow Vulnerability



======================================================================



                    Secunia Research 25/07/2016



    Reprise License Manager "akey" Buffer Overflow Vulnerability



======================================================================

Table of Contents



Affected Software....................................................1

Severity.............................................................2

Description of Vulnerabilities.......................................3

Solution.............................................................4

Time Table...........................................................5

Credits..............................................................6

References...........................................................7

About Secunia........................................................8

Verification.........................................................9



======================================================================

1) Affected Software



* Reprise License Manager versions 12.0BL2, 12.1BL2, and 12.1BL3.

  Other versions may also be affected.



======================================================================

2) Severity



Rating: Moderately critical

Impact: System compromise

Where:  From local network



======================================================================

3) Description of Vulnerabilities



Secunia Research have discovered a vulnerability in Reprise

License Manager (RLM), which can be exploited by malicious people to

compromise a vulnerable system.



The vulnerability is caused due to a boundary error when handling the

"akey" POST parameter related to /goform/activate_doit, which can be

exploited to cause a stack-based buffer overflow via a specially

crafted HTTP request.



Successful exploitation of the vulnerability may allow execution of

arbitrary code.



======================================================================

4) Solution



No official solution is currently available.



======================================================================

5) Time Table



01/06/2016 - Initial contact with vendor.

01/06/2016 - Vendor responds with service ticket ID.

02/06/2016 - Details transferred.

02/06/2016 - Vendor confirms reception and informs that the issues

             will be fixed in version 12.1.

28/06/2016 - Release of vendor patch.

30/06/2016 - Release of Secunia Advisory SA67000, which includes

             one of the vulnerabilities that is confirmed fixed.

01/07/2016 - Contacted the vendor that vulnerability #2 is still

             unpatched. An requested an ETA for a fixed release.

01/07/2016 - Vendor disagrees on the existence of the vulnerability

             due to the application never to be run with elevated

             privileges by design.

01/07/2016 - Replied to the vendor with detailed analysis of the 

             issue and clarified that as the vulnerability is

             remotely exploitable, it is still exploitable even if

             the application is run without elevated privileges.

03/07/2016 - Vendor requests a screenshot.

12/07/2016 - Provided the vendor with a video file.

12/07/2016 - Vendor replies that the issue is fixed for the next

             release. The vendor notes that the issue is not

             considered a security issue, because RLM should never be

             run as a privileged user.

13/07/2016 - Clarified to the vendor that the issue is indeed seen

             as a security issue and elaborated further on the

             reasons. Requested fix date and set release of

             the Secunia Advisory SA71200 to 22nd July 2016.

19/07/2016 - The vendor informs us that the issue will be fixed in

             the time frame between now and until the end of the

             year.

22/07/2016 - Release of Secunia Advisory SA71200.

25/07/2016 - Public disclosure of Research Advisory.



======================================================================

6) Credits



Discovered by Behzad Najjarpour Jabbari, Secunia Research at Flexera

Software.



======================================================================

7) References



Currently no CVE identifier is assigned.



======================================================================

8) About Secunia (now part of Flexera Software)



In September 2015, Secunia has been acquired by Flexera Software:



https://secunia.com/blog/435/



Secunia offers vulnerability management solutions to corporate

customers with verified and reliable vulnerability intelligence

relevant to their specific system configuration:



http://secunia.com/products/



Secunia also provides a publicly accessible and comprehensive advisory

database as a service to the security community and private 

individuals, who are interested in or concerned about IT-security.



http://secunia.com/advisories/



Secunia believes that it is important to support the community and to

do active vulnerability research in order to aid improving the 

security and reliability of software in general:



http://secunia.com/secunia_research/



Secunia regularly hires new skilled team members. Check the URL below

to see currently vacant positions:



http://secunia.com/company/jobs/



======================================================================

9) Verification



Please verify this advisory by visiting the Secunia website:

http://secunia.com/secunia_research/2016-8/



Complete list of vulnerability reports published by Secunia Research:

http://secunia.com/secunia_research/



======================================================================