EEYE: Computer Associates License Manager Remote Vulnerabilities

From: Karl Lynn (klynn_at_EEYE.COM)
Date: 03/02/05

  • Next message: Wayne - diamondcs.com.au: "Re: Hidden Applications and rootkits for Windows"
    Date:         Wed, 2 Mar 2005 14:17:11 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Computer Associates License Manager Remote Vulnerabilities

    Release Date:
    03/02/2005

    Severity:
    High (Remote Code Execution)

    Vendor:
    Computer Associates

    Software Affected:
    The vulnerability exists if the CA License package version on the system
    is between v1.53 and v1.61.8.
    This package is included in almost all Computer Associates products.

    Affected Platforms:
    AIX
    DEC
    HP-UX
    Linux Intel
    Linux s/390
    Solaris
    Windows
    Apple Mac

    Overview:
    The Computer Associates License Management software is installed by
    default with almost all of Computer Associates products. The Licensing
    software allows for the remote management and tracking of software
    licenses. eEye Digital Security has discovered multiple stack-based
    vulnerabilities within the licensing component that processes incoming
    network requests. The licensing protocol is text-based, and all of the
    vulnerabilities arise due to incorrect handling of the incoming text
    strings. Successful exploitation of these vulnerabilities will allow a
    remote attacker to reliably execute code within the SYSTEM context.

    Technical Description:
    The vulnerabilities exist within the "LIC98RMT.EXE" component. This
    executable listens on TCP ports 10203 and 10204.
    The license manager accepts the following remote commands:

    LOG1 *
    GETOLF
    GETCONFIG *
    PUTOLF *
    GCR *
    GBR *
    OLFCONFIRM *
    GETSTATE
    GETBACKUP *
    GETLOG *
    NEWOLF *
    GETLOGD
    GETSERVER *
    exit

    Each of the commands marked with an asterisk contain insecure calls,
    which can lead to exploitable conditions. These insecure calls include
    tokenizing functions where the functions run out of bounds of the static
    buffer, sscanf calls with no width specifiers, inline string copies, and
    multiple uses of sprintf with no bounds checking performed. For the
    license manager to successfully process the data within a request, all
    that is required after a command is the terminating ASCII string "<EOM>"
    (minus the quotes). Each command takes a variety of parameters, and
    most commands issue calls to insecure functions that can trigger
    exploitable conditions. The simplest vulnerability to trigger, and the
    most prevalent, lies within the routine that logs status and error
    messages to the license communications log file. This logging routine
    contains numerous insecure function calls, particularly a call to
    vsprintf where user-defined data is copied into a fixed stack buffer.
    The vulnerable logging function can be triggered in a multitude of ways;
    the easiest is to simply issue an invalid request:

    x [user buffer] <EOM>

    The above request will trigger one of the many by-the-book stack based
    buffer overflows that are riddled throughout this software.

    Protection:
    Retina Network Security Scanner has been updated to identify this
    vulnerability.
    Blink - End-Point Vulnerability Prevention - protects from this
    vulnerability.

    Vendor Status:
    Computer Associates have released patches for these issues. The patches
    are available at:
    http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#a
    lp

    Credit:
    Discovery: Barnaby Jack

    Related Links:
    Retina Network Security Scanner - Free 15 Day Trial
    http://www.eeye.com/html/Products/Retina/index.html

    Greetings:
    The lads from down-under.

    Copyright (c) 1998-2004 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express
    consent of eEye. If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please e-mail
    alert@eEye.com for permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There
    are NO warranties with regard to this information. In no event shall the
    author be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this information. Any use of this
    information is at the user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    info@eEye.com

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    

  • Next message: Wayne - diamondcs.com.au: "Re: Hidden Applications and rootkits for Windows"

    Relevant Pages