Flexera FlexNet Publisher, a stack-based buffer overflow vulnerability analysis CVE-2 0 1 5-8 2 7 7-a vulnerability warning-the black bar safety net

2016-03-06T00:00:00
ID MYHACK58:62201672261
Type myhack58
Reporter 佚名
Modified 2016-03-06T00:00:00

Description

Recently, the security personnel in Flexera FlexNet Publisher(License Manager)discovered a stack-based buffer overflow vulnerabilities CVE ID: CVE-2 0 1 5-8 2 7 7, The CNNVD number: CNNVD-2 0 1 6 0 2-4 4 1, and can lead to remote code execution, and will be based on different software products change. FlexNetPublisher is the application of a wide range of License management tools, software vendors can lock The machine's hard disk number, NIC number, use date, etc., in order to protect software intellectual property. Intel, Cisco, Adobe, HP, RSA, Siemens, etc. are the FlexNet Publisher users. Vulnerability details The vulnerability exists in the lmgrd. exe, and many manufacturers are using FlexNetPublisher create a vendor binary files, the main reason is the program to use a custom strncpy function by the length of the copied string, with the traditional strncpy function similar to the custom functions contained in a source buffer, destination buffer and length of the three parameters. However, this vulnerability to cause the strncpy function ignores the length parameter, so the program automatically converts it to the strcpy function. By tracking the strncpy function of the usage, found its extensive use by the FlexNet Publisher supports the lmgrd and the vendor binaries. When the developer default maximum length has been limited, the function will be very dangerous. The function of the pseudocode as shown below. ! Figure a strncpy function pseudo-code Through the depth analysis, the researchers found that strncpy functions are used in nearly 1 0 0 bit position, most of the message for processing analytic functions in user-supplied data. To determine the vulnerability of availability, you should first find out what is compiled into the application program memory protection mechanisms of the position. Some visual analysis can display the stack cookie usage, and running Corelanmona script, whereby the analysis, the lmgrd binary files use ASLR, AND DEP and SafeSEH security mechanism is to be compiled. ! Figure II lmgrd binary file compiled The next step is also the most complex step, is to follow the available difficulty level for the use of the strncpy function of the position of the ranking. This means that, not only to consider the purpose of the buffer is located on the heap or on the stack, and determine the stack cookie is used in the current stack frame. After a series of search, the researchers locked eyes for resolve 0×1 0 7 message type of the function. This function uses special in that the stack frame does not compile the stack cookie, if the purpose of this function the buffer size is only 4 bytes, then the program might be the default for an address. ! Figure III is used to resolve 0×1 0 7 message type of the function By means of specially crafted packets using the message parsing function can indeed trigger a stack-based buffer overflow vulnerability. But there is also a requirement is that the overflow not overflow into function parameters, or subsequent to the call of the memcpy function cannot throw an exception, otherwise it can not control the execution. Fortunately, the researchers successfully use ROP method to cover the return pointer, the return pointer in the stack location is moved to the input buffer. ! Figure Four-the stack overflow before and after comparison The analysis is carried out to this, there are DEP and ASLR, two memory protection mechanisms need to be bypassed. To bypass the DEP method is adopted in the current binary directory using ROP to re-allocate an executable stack. But the use of this method requires disclosure binary file or load a library memory address, so need to find another vulnerability to get the memory address. The real situation is that the researchers did not find the access to the memory address of the method. But during the study found that the program actually has two binary file as Flexera Publisher service is running, 一个名为lmgrd.exe, another for the supplier of the software name for example, vendor.exe in. lmgrd file can manage vendor files, and may reboot the crash of the vendor file. Researchers can use the method combined brute force method to get the loaded library's base address. By providing the vendor service sends a message to restart the application service, and then to guess the base address. Why to use a brute-force method? Primarily the researchers found that loading the library base address only 1 2 bits will change, that is to say the base is only 4 0 9 6 possible. In the POC, the researchers of the above analysis of all the content bound to a python script. In order to verify the exploitability of the vulnerability ahead of time, the researchers used shellcode connect-back shell, and set up a separate thread to notify the main thread to create the connection time. In this process one thing to note is, to timely stop the violence crack. The researchers used pwntools library to simplify with the Metasploit Server connected to the agent. ! Figure five using pwntools library to simplify the agent The affected version FlexNet Publisher (License Manager) 11.13.1.0 and previous versions Embedded FlexNet Publisher (License Manager)products Fix the situation Flexera has fixed the vulnerability, the user can from its official website, get the patch and follow its guidance and timely upgrade software. For network protection personnel, you can determine the lmgrd. exe in the run position, and then determine whether the repair, if you are not sure whether the patch applies, you can contact the software manufacturers. At the same time also want to ensure that the service Desk to deal with customer complaints. Summary People for the vulnerability is more concerned with its wide range of effects. The vulnerability itself exists in the Flexera software, but it affects many embedded FlexNet Publisher with other products, the manufacturer must according to the Flexera patch research applicable to the product of the corresponding patch, so some of the products the user may have to wait a period of time to obtain a fix version.