Multiple Vulnerabilities in Reprise License Manager 15.1 (CVE-2023-43183, CVE-2023-44031)

Credit: Mohaiman Rahim

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

# Product:  RLM 15.1
# Vendor:   Reprise Software
# CVE ID:   CVE-2023-43183
# Vulnerability Title: Incorrect Access Control (leading to PrivEsc)
# Severity:  High
# Author(s): Mohaiman Rahim
# Date:     2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control vulnerability which allows low level users, such as read-only users, to arbitrarily change the password of an admin and hijack their account.

Vulnerability PoC:

This vulnerability can be demonstrated by modifying the "user" POST parameter at http://HOST:5054/change_password_process with the username of a target user (such as an Admin account).
When executed this will result in the password of the targeted user being changed and the account therefore being compromised.




////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

# Product:  RLM 15.1
# Vendor:   Reprise Software
# CVE ID:   CVE-2023-44031
# Vulnerability Title: Incorrect Access Control (leading to arbitrary file write)
# Severity:  High
# Author(s): Mohaiman Rahim
# Date:     2024-01-14
#
#############################################################
Introduction:
Reprise License Manager 15.1 is affected by an incorrect access control vulnerability which allows a user to perform privileged web application functions, such as a function that generates system information.
This vulnerability can be exploited to be able to change the path of where the diagnostics file should be saved via a crafted HTTP POST request.
This can allow an attacker to save the diagnostics file, containing system information, in insecure locations.

Vulnerability PoC:

This vulnerability can be demonstrated by modifying the "outputfile" POST parameter at http://HOST:5054/diagnostics_doit to an insecure path accessible by local users such as "C:\temp".

Deloitte Disclaimer: Deloitte refers to a Deloitte member firm, one of its related entities, or Deloitte Touche Tohmatsu Limited ("DTTL"). Each Deloitte member firm is a separate legal entity and a member of DTTL. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more. Deloitte Statsautoriseret Revisionspartnerselskab, CVR-nr. 33 96 35 56 This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.