Secunia Research: Reprise License Manager "akey" Buffer Overflow Vulnerability

======================================================================

                    Secunia Research 25/07/2016

    Reprise License Manager "akey" Buffer Overflow Vulnerability

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* Reprise License Manager versions 12.0BL2, 12.1BL2, and 12.1BL3.
  Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: System compromise
Where:  From local network

======================================================================
3) Description of Vulnerabilities

Secunia Research have discovered a vulnerability in Reprise
License Manager (RLM), which can be exploited by malicious people to
compromise a vulnerable system.

The vulnerability is caused due to a boundary error when handling the
"akey" POST parameter related to /goform/activate_doit, which can be
exploited to cause a stack-based buffer overflow via a specially
crafted HTTP request.

Successful exploitation of the vulnerability may allow execution of
arbitrary code.

======================================================================
4) Solution

No official solution is currently available.

======================================================================
5) Time Table

01/06/2016 - Initial contact with vendor.
01/06/2016 - Vendor responds with service ticket ID.
02/06/2016 - Details transferred.
02/06/2016 - Vendor confirms reception and informs that the issues
             will be fixed in version 12.1.
28/06/2016 - Release of vendor patch.
30/06/2016 - Release of Secunia Advisory SA67000, which includes
             one of the vulnerabilities that is confirmed fixed.
01/07/2016 - Contacted the vendor that vulnerability #2 is still
             unpatched. An requested an ETA for a fixed release.
01/07/2016 - Vendor disagrees on the existence of the vulnerability
             due to the application never to be run with elevated
             privileges by design.
01/07/2016 - Replied to the vendor with detailed analysis of the 
             issue and clarified that as the vulnerability is
             remotely exploitable, it is still exploitable even if
             the application is run without elevated privileges.
03/07/2016 - Vendor requests a screenshot.
12/07/2016 - Provided the vendor with a video file.
12/07/2016 - Vendor replies that the issue is fixed for the next
             release. The vendor notes that the issue is not
             considered a security issue, because RLM should never be
             run as a privileged user.
13/07/2016 - Clarified to the vendor that the issue is indeed seen
             as a security issue and elaborated further on the
             reasons. Requested fix date and set release of
             the Secunia Advisory SA71200 to 22nd July 2016.
19/07/2016 - The vendor informs us that the issue will be fixed in
             the time frame between now and until the end of the
             year.
22/07/2016 - Release of Secunia Advisory SA71200.
25/07/2016 - Public disclosure of Research Advisory.

======================================================================
6) Credits

Discovered by Behzad Najjarpour Jabbari, Secunia Research at Flexera
Software.

======================================================================
7) References

Currently no CVE identifier is assigned.

======================================================================
8) About Secunia (now part of Flexera Software)

In September 2015, Secunia has been acquired by Flexera Software:

https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2016-8/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================