Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

EEYE: Computer Associates License Manager Remote Vulnerabilities

from [Karl Lynn] Network Security [Permanent Link]
Subject: EEYE: Computer Associates License Manager Remote Vulnerabilities
Date: Wed, 2 Mar 2005 14:17:11 -0800 
Computer Associates License Manager Remote Vulnerabilities

Release Date:
03/02/2005

Severity:
High (Remote Code Execution)

Vendor:
Computer Associates

Software Affected:
The vulnerability exists if the CA License package version on the system
is between v1.53 and v1.61.8.
This package is included in almost all Computer Associates products.

Affected Platforms:
AIX 
DEC 
HP-UX 
Linux Intel 
Linux s/390 
Solaris 
Windows 
Apple Mac

Overview:
The Computer Associates License Management software is installed by
default with almost all of Computer Associates products. The Licensing
software allows for the remote management and tracking of software
licenses.  eEye Digital Security has discovered multiple stack-based
vulnerabilities within the licensing component that processes incoming
network requests. The licensing protocol is text-based, and all of the
vulnerabilities arise due to incorrect handling of the incoming text
strings. Successful exploitation of these vulnerabilities will allow a
remote attacker to reliably execute code within the SYSTEM context.

Technical Description:
The vulnerabilities exist within the "LIC98RMT.EXE" component. This
executable listens on TCP ports 10203 and 10204. 
The license manager accepts the following remote commands:

LOG1 *
GETOLF 
GETCONFIG *
PUTOLF *
GCR *
GBR *
OLFCONFIRM *
GETSTATE
GETBACKUP *
GETLOG *
NEWOLF *
GETLOGD
GETSERVER *
exit

Each of the commands marked with an asterisk contain insecure calls,
which can lead to exploitable conditions. These insecure calls include
tokenizing functions where the functions run out of bounds of the static
buffer, sscanf calls with no width specifiers, inline string copies, and
multiple uses of sprintf with no bounds checking performed.  For the
license manager to successfully process the data within a request, all
that is required after a command is the terminating ASCII string "<EOM>"
(minus the quotes).  Each command takes a variety of parameters, and
most commands issue calls to insecure functions that can trigger
exploitable conditions.  The simplest vulnerability to trigger, and the
most prevalent, lies within the routine that logs status and error
messages to the license communications log file. This logging routine
contains numerous insecure function calls, particularly a call to
vsprintf where user-defined data is copied into a fixed stack buffer.
The vulnerable logging function can be triggered in a multitude of ways;
the easiest is to simply issue an invalid request:

x [user buffer] <EOM>

The above request will trigger one of the many by-the-book stack based
buffer overflows that are riddled throughout this software.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink - End-Point Vulnerability Prevention - protects from this
vulnerability.

Vendor Status:
Computer Associates have released patches for these issues. The patches
are available at:
http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#a
lp

Credit:
Discovery: Barnaby Jack

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html

Greetings:
The lads from down-under.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an 
Anti-Virus product which automatically notifies the perceived sender of a 
message it believes is infected may well cause more harm than good. Someone who 
did not actually send you a virus may receive the notification and scramble 
their support staff to find an infection which never existed in the first 
place. Suggest such notifications be disabled by whomever is responsible for 
your AV, or at least that the idea is considered.
--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • EEYE: Computer Associates License Manager Remote Vulnerabilities, Karl Lynn <=
Previous by Date:  License Patches Are Now Available To Address Buffer Overflows, Williams, James K
Next by Date:  Re: Hidden Applications and rootkits for Windows, Wayne - diamondcs.com.au
Previous by Thread:  License Patches Are Now Available To Address Buffer Overflows, Williams, James K
Next by Thread:  Re: Hidden Applications and rootkits for Windows, Wayne - diamondcs.com.au
Indexes:  [Date] [Thread] [Top] [All Lists]