BugTraq
Secunia Research: Reprise License Manager "akey" Buffer Overflow Vulnerability Jul 25 2016 04:27PM
Secunia Research (remove-vuln secunia com)
======================================================================

Secunia Research 25/07/2016

Reprise License Manager "akey" Buffer Overflow Vulnerability

======================================================================

Table of Contents

Affected Software....................................................1

Severity.............................................................2

Description of Vulnerabilities.......................................3

Solution.............................................................4

Time Table...........................................................5

Credits..............................................................6

References...........................................................7

About Secunia........................................................8

Verification.........................................................9

======================================================================

1) Affected Software

* Reprise License Manager versions 12.0BL2, 12.1BL2, and 12.1BL3.

Other versions may also be affected.

======================================================================

2) Severity

Rating: Moderately critical

Impact: System compromise

Where: From local network

======================================================================

3) Description of Vulnerabilities

Secunia Research have discovered a vulnerability in Reprise

License Manager (RLM), which can be exploited by malicious people to

compromise a vulnerable system.

The vulnerability is caused due to a boundary error when handling the

"akey" POST parameter related to /goform/activate_doit, which can be

exploited to cause a stack-based buffer overflow via a specially

crafted HTTP request.

Successful exploitation of the vulnerability may allow execution of

arbitrary code.

======================================================================

4) Solution

No official solution is currently available.

======================================================================

5) Time Table

01/06/2016 - Initial contact with vendor.

01/06/2016 - Vendor responds with service ticket ID.

02/06/2016 - Details transferred.

02/06/2016 - Vendor confirms reception and informs that the issues

will be fixed in version 12.1.

28/06/2016 - Release of vendor patch.

30/06/2016 - Release of Secunia Advisory SA67000, which includes

one of the vulnerabilities that is confirmed fixed.

01/07/2016 - Contacted the vendor that vulnerability #2 is still

unpatched. An requested an ETA for a fixed release.

01/07/2016 - Vendor disagrees on the existence of the vulnerability

due to the application never to be run with elevated

privileges by design.

01/07/2016 - Replied to the vendor with detailed analysis of the

issue and clarified that as the vulnerability is

remotely exploitable, it is still exploitable even if

the application is run without elevated privileges.

03/07/2016 - Vendor requests a screenshot.

12/07/2016 - Provided the vendor with a video file.

12/07/2016 - Vendor replies that the issue is fixed for the next

release. The vendor notes that the issue is not

considered a security issue, because RLM should never be

run as a privileged user.

13/07/2016 - Clarified to the vendor that the issue is indeed seen

as a security issue and elaborated further on the

reasons. Requested fix date and set release of

the Secunia Advisory SA71200 to 22nd July 2016.

19/07/2016 - The vendor informs us that the issue will be fixed in

the time frame between now and until the end of the

year.

22/07/2016 - Release of Secunia Advisory SA71200.

25/07/2016 - Public disclosure of Research Advisory.

======================================================================

6) Credits

Discovered by Behzad Najjarpour Jabbari, Secunia Research at Flexera

Software.

======================================================================

7) References

Currently no CVE identifier is assigned.

======================================================================

8) About Secunia (now part of Flexera Software)

In September 2015, Secunia has been acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate

customers with verified and reliable vulnerability intelligence

relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory

database as a service to the security community and private

individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to

do active vulnerability research in order to aid improving the

security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below

to see currently vacant positions:

http://secunia.com/company/jobs/

======================================================================

9) Verification

Please verify this advisory by visiting the Secunia website:

http://secunia.com/secunia_research/2016-8/

Complete list of vulnerability reports published by Secunia Research:

http://secunia.com/secunia_research/

======================================================================

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus