During a recent penetration testing engagement, I came across a particularly interesting web application called RLM, running on the non-standard port 5054, which naturally caught my eye. After a bit of poking around, I was able to identify a critical vulnerability which allowed me to execute code on the server, eventually leading to full domain compromise. Regrettably, despite my best efforts, the vendor has refused to issue patches as they do not believe these findings to be vulnerabilities (see vendor response below). In the interest of responsible disclosure, the details are as follows:

"RLM provides all the features you need and expect from an enterprise-class license manager, yet it is familiar and easy to administer, either on premises or in the cloud."

Unfortunately, the RLM web app running on port 5054 allows attackers to specify an arbitrary license file on the server to read and modify.

An XSS (reflected) vulnerability also exists in the license editor and is described later in the article.

Attackers can use the RLM web interface to read and write data to any file on disk as long as rlm.exe has access to it. Exploiting this vulnerability in the web interface provided by rlm.exe can result in information leakage or remote code execution via upload of malware.

PoC: RCE with Arbitrary File Write

By default, RLM's web server running on port 5054 does not require authentication.

To achieve remote code execution, this vulnerability can be used to write malware to either: