Advisories
Computer Associates License Manager Remote Vulnerabilities
Release Date:
March 2, 2005
Date Reported:
January 5, 2005
Patch Development Time (In Days):
Severity:
High (Remote Code Execution)
Vendor:
Computer Associates
Systems Affected:
The vulnerability exists if the CA License package version on the system is between v1.53 and v1.61.8. This package is included in almost all Computer Associates products.
Affected Platforms:
AIX
DEC
HP-UX
Linux Intel
Linux s/390
Solaris
Windows
Apple Mac
Overview:
eEye Digital Security has discovered multiple vulnerabilities in the Computer Associates License Management software that is installed by default with almost all of Computer Associates products. The Licensing software allows for the remote management and tracking of software licenses. eEye Digital Security has discovered multiple stack-based vulnerabilities within the licensing component that processes incoming network requests. The licensing protocol is text-based, and all of the vulnerabilities arise due to incorrect handling of the incoming text strings. Successful exploitation of these vulnerabilities will allow a remote attacker to reliably execute code within the SYSTEM context.
Technical Details:
The vulnerabilities exist within the "LIC98RMT.EXE" component. This executable listens on TCP ports 10203 and 10204. The license manager accepts the following remote commands:
LOG1 *
GETOLF
GETCONFIG *
PUTOLF *
GCR *
GBR *
OLFCONFIRM *
GETSTATE
GETBACKUP *
GETLOG *
NEWOLF *
GETLOGD
GETSERVER *
exit
Each of the commands marked with an asterisk contain insecure calls, which can lead to exploitable conditions. These insecure calls include tokenizing functions where the functions run out of bounds of the static buffer, sscanf calls with no width specifiers, inline string copies, and multiple uses of sprintf with no bounds checking performed. For the license manager to successfully process the data within a request, all that is required after a command is the terminating ASCII string "<EOM>" (minus the quotes). Each command takes a variety of parameters, and most commands issue calls to insecure functions that can trigger exploitable conditions. The simplest vulnerability to trigger, and the most prevalent, lies within the routine that logs status and error messages to the license communications log file. This logging routine contains numerous insecure function calls, particularly a call to vsprintf where user-defined data is copied into a fixed stack buffer. The vulnerable logging function can be triggered in a multitude of ways; the easiest is to simply issue an invalid request:
x [user buffer] <EOM>
The above request will trigger one of the many by-the-book stack based buffer overflows that are riddled throughout this software.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - protects from this vulnerability.
Vendor Status:
Computer Associates have released patches for these issues. The patches are available at:
http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp
Credit:
Discovery: Barnaby Jack
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Greetings:
The lads from down-under.
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
March 2, 2005
Date Reported:
January 5, 2005
Patch Development Time (In Days):
 |
|
|
|
| 56 |
Severity:
High (Remote Code Execution)
Vendor:
Computer Associates
Systems Affected:
The vulnerability exists if the CA License package version on the system is between v1.53 and v1.61.8. This package is included in almost all Computer Associates products.
Affected Platforms:
Overview:
eEye Digital Security has discovered multiple vulnerabilities in the Computer Associates License Management software that is installed by default with almost all of Computer Associates products. The Licensing software allows for the remote management and tracking of software licenses. eEye Digital Security has discovered multiple stack-based vulnerabilities within the licensing component that processes incoming network requests. The licensing protocol is text-based, and all of the vulnerabilities arise due to incorrect handling of the incoming text strings. Successful exploitation of these vulnerabilities will allow a remote attacker to reliably execute code within the SYSTEM context.
Technical Details:
The vulnerabilities exist within the "LIC98RMT.EXE" component. This executable listens on TCP ports 10203 and 10204. The license manager accepts the following remote commands:
LOG1 *
GETOLF
GETCONFIG *
PUTOLF *
GCR *
GBR *
OLFCONFIRM *
GETSTATE
GETBACKUP *
GETLOG *
NEWOLF *
GETLOGD
GETSERVER *
exit
Each of the commands marked with an asterisk contain insecure calls, which can lead to exploitable conditions. These insecure calls include tokenizing functions where the functions run out of bounds of the static buffer, sscanf calls with no width specifiers, inline string copies, and multiple uses of sprintf with no bounds checking performed. For the license manager to successfully process the data within a request, all that is required after a command is the terminating ASCII string "<EOM>" (minus the quotes). Each command takes a variety of parameters, and most commands issue calls to insecure functions that can trigger exploitable conditions. The simplest vulnerability to trigger, and the most prevalent, lies within the routine that logs status and error messages to the license communications log file. This logging routine contains numerous insecure function calls, particularly a call to vsprintf where user-defined data is copied into a fixed stack buffer. The vulnerable logging function can be triggered in a multitude of ways; the easiest is to simply issue an invalid request:
x [user buffer] <EOM>
The above request will trigger one of the many by-the-book stack based buffer overflows that are riddled throughout this software.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - protects from this vulnerability.
Vendor Status:
Computer Associates have released patches for these issues. The patches are available at:
http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp
Credit:
Discovery: Barnaby Jack
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Greetings:
The lads from down-under.
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
