Industrial Application Software Canias ERP Improper Authentication Vulnerability in Login RMI Interface
Vulnerability
A vulnerability exists in Industrial Application Software (IAS) Canias ERP version 8.03, in the Login RMI Interface component. The interface authenticates improperly when the clientVersion argument of the login call is manipulated, and the flaw is exploitable remotely. When a login request is sent with empty credentials, the server reports a wrong-password status but nevertheless returns the full profile of an arbitrary user, including that user's name, security key, session ID and menu tree. The vulnerability is particularly concerning because an exploit is publicly available and may be in active use.
Impact
Exploitation of this vulnerability gives an unauthenticated remote attacker access to user profile data, including security keys and session IDs, which could be reused for further unauthorized actions within the application.
Reproduction
To reproduce the issue, first download the Canias ERP client JAR from the vendor's JNLP endpoint. Run the JAR with a Java command that puts its required dependencies on the classpath. Then send login requests to the RMI interface with empty credentials: the server responds with a wrong-password status but also returns the profile of an arbitrary user. The whole process (fetching the JNLP, resolving the RMI binding, and sending the login request) can be automated with a script.
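The first reproduction step, locating the client JAR through the vendor's JNLP descriptor, as an added example that is not the advisory's or the vendor's code. The JNLP document, hostname and file names below are constructed placeholders (the page does not give the real endpoint); the parser follows the standard JNLP layout (a codebase attribute, jar hrefs under resources, and a main-class on application-desc). It also flags JARs that would be fetched over plain HTTP, the check a practitioner wants before executing downloaded client code.

```python
"""Resolve the client JAR URLs referenced by a JNLP launch descriptor.

Added example, not code from the advisory or the vendor. The sample JNLP,
hostname and file names are constructed for illustration.
"""
from urllib.parse import urljoin, urlparse
import xml.etree.ElementTree as ET

# Constructed sample descriptor; "erp.example.invalid" is a placeholder host.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://erp.example.invalid/canias" href="client.jnlp">
  <information><title>ERP client</title></information>
  <resources>
    <j2se version="1.8+"/>
    <jar href="client.jar" main="true"/>
    <jar href="lib/rmi-support.jar"/>
  </resources>
  <resources os="Windows">
    <nativelib href="lib/win.jar"/>
  </resources>
  <application-desc main-class="com.example.Launcher"/>
</jnlp>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({uri}name -> name) if one is present."""
    return tag.rsplit("}", 1)[-1]


def parse_jnlp(data: bytes) -> dict:
    """Return the absolute JAR/native-lib URLs and main class of a JNLP document."""
    root = ET.fromstring(data)
    if _local(root.tag) != "jnlp":
        raise ValueError("not a JNLP document")
    codebase = root.get("codebase", "")
    # urljoin treats a trailing path segment as a file, so ensure a directory base.
    if codebase and not codebase.endswith("/"):
        codebase += "/"
    jars, natives, main_jar = [], [], None
    for res in root.iter():
        if _local(res.tag) != "resources":
            continue
        for child in res:
            name = _local(child.tag)
            if name == "jar":
                url = urljoin(codebase, child.get("href", ""))
                jars.append(url)
                if child.get("main") == "true":
                    main_jar = url
            elif name == "nativelib":
                natives.append(urljoin(codebase, child.get("href", "")))
    main_class = None
    for desc in root.iter():
        if _local(desc.tag) in ("application-desc", "applet-desc"):
            main_class = desc.get("main-class")
    return {
        "codebase": codebase,
        "jars": jars,
        "natives": natives,
        "main_jar": main_jar,
        "main_class": main_class,
    }


def insecure_jar_urls(info: dict) -> list:
    """List every JAR or native library that would be fetched without TLS.

    Code pulled over plain HTTP can be swapped in transit before it is run,
    so a reproduction script should refuse (or at least warn about) these.
    """
    return [u for u in info["jars"] + info["natives"]
            if urlparse(u).scheme.lower() != "https"]


if __name__ == "__main__":
    info = parse_jnlp(SAMPLE_JNLP)
    print("main JAR:", info["main_jar"])
    print("classpath:", ", ".join(info["jars"]))
    print("main class:", info["main_class"])
    print("insecure downloads:", insecure_jar_urls(info) or "none")
```

In a real run the descriptor bytes come from an HTTP GET of the vendor's JNLP URL; the returned URLs are what a download step would fetch, and the main JAR plus the remaining jars form the classpath for the Java command in the next step.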
