A critical vulnerability has been discovered in the RDPData.dll file, which exposes the /irmdata/api/common endpoint that handles session IDs and several other features. This vulnerability, assigned CVE-2023-39423, can be exploited by malicious actors to leak the sessions table, obtain valid sessions, and impersonate currently logged-in users. In this post, we will discuss the details of this vulnerability, including the affected versions, potential impact, exploit process, and mitigation strategies.

Affected Versions

The details of the CVE-2023-39423 vulnerability can be found in the official CVE database entry. According to the information provided, this vulnerability affects versions x.x.x through x.x.x of the RDPData.dll file.

Impact

The impact of CVE-2023-39423 is severe, as it allows an attacker to gain unauthorized access, steal sensitive data, and even impersonate legitimate users in the system. By exploiting this vulnerability, an attacker can also gain access to other features and functionalities exposed by the /irmdata/api/common endpoint, thereby potentially causing further damage to the affected system.

Exploit Details

The core of the CVE-2023-39423 vulnerability is that the /irmdata/api/common endpoint in the RDPData.dll file lets request input reach its SQL queries in a way that allows the UNION SQL operator to be used against the database. This makes it possible for an attacker to leak the sessions table, which contains information about valid and current sessions.

To exploit this vulnerability, an attacker can use a specially crafted SQL query with the UNION operator to combine the results from the sessions table with another table such as the users' table. Here's a code snippet demonstrating this:

SELECT sessions_data.*, users_data.*
FROM sessions_data, users_data
WHERE sessions_data.session_id = users_data.session_id
UNION ALL
SELECT sessions.*
FROM sessions;

By executing this query, an attacker can obtain not only the information about the current sessions but also the user data associated with those sessions. This allows the attacker to impersonate a currently logged-in user and gain unauthorized access to the system.
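Added example (not code from the advisory or from RDPData.dll): a toy session lookup in Python with sqlite3 that shows the string-built query pattern the post describes next to its parameterized fix, plus a simple log-side check of the kind mitigation step 3 calls for. The table, column names and probe string are constructed assumptions, not the real schema.

```python
import re
import sqlite3

# Constructed toy schema standing in for the sessions table the advisory says
# /irmdata/api/common exposes; table and column names are assumptions, not
# the real RDPData.dll schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sessions (session_id TEXT, user_name TEXT);
        INSERT INTO sessions VALUES ('s-1111', 'alice');
        INSERT INTO sessions VALUES ('s-2222', 'admin');
    """)
    return db

def lookup_session_vulnerable(db, session_id):
    # Caller input is pasted into the SQL text, so a value containing a
    # closing quote and a UNION clause is executed as part of the statement.
    sql = f"SELECT session_id, user_name FROM sessions WHERE session_id = '{session_id}'"
    return db.execute(sql).fetchall()

def lookup_session_hardened(db, session_id):
    # Bound parameter: the whole value is compared as data, never parsed as SQL.
    sql = "SELECT session_id, user_name FROM sessions WHERE session_id = ?"
    return db.execute(sql, (session_id,)).fetchall()

# Assumed detection rule for the endpoint's request log (mitigation step 3):
# a session ID that carries a quote followed by a UNION keyword is not a real ID.
UNION_PATTERN = re.compile(r"['\"].*\bUNION\b", re.IGNORECASE | re.DOTALL)

def looks_like_union_injection(session_id):
    return bool(UNION_PATTERN.search(session_id))

# Constructed probe of the kind the advisory describes: closes the string,
# appends a UNION that pulls every row, and comments out the trailing quote.
PROBE = "' UNION SELECT session_id, user_name FROM sessions --"

def demo():
    db = make_db()
    leaked = sorted(lookup_session_vulnerable(db, PROBE))
    safe = lookup_session_hardened(db, PROBE)
    return leaked, safe, looks_like_union_injection(PROBE)

if __name__ == "__main__":
    leaked, safe, flagged = demo()
    print("vulnerable lookup returned", leaked)   # every session row
    print("hardened lookup returned", safe)       # []
    print("flagged by log rule:", flagged)        # True
```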

Mitigation Strategies

To mitigate the risks associated with CVE-2023-39423, users and administrators should apply the following strategies:

1. Update RDPData.dll immediately: The first and most important step is to update the RDPData.dll file to the latest version available from the vendor or the relevant software repository to ensure that the vulnerability has been patched.

2. Evaluate permissions and access controls: Review the permissions and access controls in place to ensure that only authorized users can access the /irmdata/api/common endpoint and any related data sources or systems.

3. Enable monitoring and logging: Implement continuous monitoring and logging of the /irmdata/api/common endpoint and related data sources to detect and respond to potential unauthorized activities.

4. Educate and train employees: Raise awareness of this vulnerability among employees and train them on the importance of following security best practices, such as maintaining strong passwords and being cautious about sharing sensitive information.

Conclusion

CVE-2023-39423 is a critical vulnerability in the RDPData.dll file that can lead to session token leakage, unauthorized access, and user impersonation by exploiting the UNION SQL operator. By applying the mitigation strategies mentioned above and ensuring that the RDPData.dll file is updated to the latest version, users can protect themselves from potential attacks exploiting this vulnerability.

Timeline

Published on: 09/07/2023 13:15:00 UTC
Last modified on: 09/12/2023 00:08:00 UTC