Advisory Details

September 2nd, 2015

(0Day) Borland AccuRev Reprise License Management Server Path Traversal Remote Code Execution Vulnerability

ZDI-15-415
ZDI-CAN-3030

CVE ID
CVSS SCORE 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P
AFFECTED VENDORS Borland
AFFECTED PRODUCTS AccuRev
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['20178']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Borland AccuRev. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the rlmswitch_process functionality of the Reprise License Manager service. The issue lies in the handling of the file parameter which can result in overwriting arbitrary files. When used along with the e3dit_opt_process functionality of the service, partially controlled data can be written to arbitrary files. An attacker could leverage this vulnerability to execute code under the context of logged-in user.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

07/09/2015 - ZDI emailed vendor and requested contact
07/28/2015 - ZDI emailed vendor and requested contact
08/13/2015 - ZDI emailed vendor and requested contact
08/21/2015 - ZDI emailed vendor and requested contact
08/24/2015 - A vendor representative replied and attempted to direct ZDI to a sales rep
08/24/2015 - ZDI replied again that we needed to report a security bug
08/24/2015 - The vendor asked for a serial number or account code to open a support case
08/24/2015 - ZDI replied that we "don't have that, no. But if you have a contact (and he or she should have a PGP key for encryption), then I am very happy to provide the report."
08/24/2015 - The vendor replied that they could not find a license to open a support case
08/24/2015 - ZDI replied that "We are a software security research organization... Our concern is not for ourselves - we want to report a flaw in your software that is leaving potentially all of the customers of this product vulnerable to exploitation."
08/25/2015 - The vendor replied, "Thank you, I appreciate the clarification. I'm sorry but this is something that would be worked on internally. "
08/31/2015 - ZDI notified the vendor of intent to publish as 0-day

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.


DISCLOSURE TIMELINE
  • 2015-05-05 - Vulnerability reported to vendor
  • 2015-09-02 - Coordinated public release of advisory
CREDIT rgod
BACK TO ADVISORIES