CVE-2023-49312: Vulnerabilities — Precision Bridge
Precision Bridge PrecisionBridge.exe (aka the thick client) before 7.3.21 allows an integrity violation in which the same license key is used on multiple systems, via vectors involving a Process Hacker memory dump, error message inspection, and modification of a MAC address.
Known Vulnerability
Release: 7.3.8
Fixed in Release: 7.3.21 Security Patch
Description: Bypassing Precision Bridge License key validation mechanism
Reported and documented by Viraj Mota
Application Name: Precision Bridge (Thick Client)
Application Version: 7.3.8
Severity: High
Business Impact: Critical
Description:
A security vulnerability has been identified that allows an unauthorized party to circumvent the license key validation mechanism. This exploit enables the attacker to use the same license key on multiple systems, potentially compromising the integrity of the licensing system and causing licensing violations. The attacker is able to chain two weaknesses: disclosure of the victim's MAC ID, followed by a bypass of the MAC ID validation.
Note:
The license key was applied for activation on a specific server (MAC ID: 168C47*****), and the license key is mapped to the victim's MAC ID, i.e. 168C47******.
In the steps below, the attacker's server is called A and the victim's server is called B.
Steps to reproduce:
Step 1: Notice that the attacker is able to extract the license key from raw memory data using the Process Hacker tool.
Javaw.exe -> properties -> Memory -> Strings -> Filter
Note: The attacker will use the license key disclosed above in the rest of the attack chain.
Step 2: Notice the error when the attacker tries to insert the “B” system license key into the “A” system.