[NT] Buffer Overflow in SentinelLM Service

From: SecuriTeam (support_at_securiteam.com)
Date: 03/08/05

    To: list@securiteam.com
    Date: 8 Mar 2005 11:26:43 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Buffer Overflow in SentinelLM Service
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.safenet-inc.com/products/sentinel/lm.asp> Sentinel LM is a
    software-based license management application allowing application
    developers to implement multiple pre-built license models with a single
    software development integration effort.
    A buffer overflow in SentinelLM allows a malicious attacker to run
    arbitrary machine code on a vulnerable host.

    DETAILS

    Vulnerable Systems:
     * Sentinel License Manager version 7.2.0.2

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0353>
    CAN-2005-0353

    Sending a large amount of data to the SentinelLM service results in a
    buffer overflow in which the Extended Instruction Pointer (EIP) is
    overwritten, allowing arbitrary code to be run on the server with the
    rights of the service. The Sentinel License Manager is vulnerable to
    this overflow when 3000 bytes of data or more are sent to UDP port
    5093, where the "Lservnt" service is running; EIP is overwritten,
    allowing arbitrary code execution with the rights of the service, which
    by default is "SYSTEM".
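
A detection-side check for the condition described above, as an added example that is not part of the original advisory: it parses raw IPv4 packets and flags UDP datagrams to port 5093 whose declared payload is 3000 bytes or more. It reads the UDP length field rather than the captured size because a datagram that large is normally split into IP fragments; the function names, addresses and sample packets are constructed for illustration.

```python
import struct

LSERVNT_PORT = 5093    # UDP port the advisory names for the "Lservnt" service
OVERSIZE_BYTES = 3000  # payload size the advisory reports as overflowing it

def check_ipv4_packet(pkt: bytes):
    """Return an alert string for an oversized UDP datagram to port 5093, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                          # not IPv4
    ihl = (pkt[0] & 0x0F) * 4                # IPv4 header length in bytes
    (flags_frag,) = struct.unpack_from("!H", pkt, 6)
    # Only the first fragment (offset 0) carries the UDP header.
    if pkt[9] != 17 or flags_frag & 0x1FFF or ihl < 20 or len(pkt) < ihl + 8:
        return None
    _sport, dport, udp_len, _csum = struct.unpack_from("!HHHH", pkt, ihl)
    # The UDP length field covers the whole datagram, including the parts that
    # arrive in later IP fragments, so it is compared instead of len(pkt).
    payload_len = udp_len - 8
    if dport == LSERVNT_PORT and payload_len >= OVERSIZE_BYTES:
        src = ".".join(str(b) for b in pkt[12:16])
        return f"oversized UDP/{dport} datagram from {src}: {payload_len} payload bytes"
    return None

def build_first_fragment(src, dport, payload_len, mtu_body=1480):
    """Constructed sample input: first IPv4 fragment of a zero-filled UDP datagram."""
    udp_total = payload_len + 8
    on_wire = min(udp_total, mtu_body)       # bytes of the datagram in this fragment
    more_fragments = 0x2000 if udp_total > mtu_body else 0
    udp = struct.pack("!HHHH", 40000, dport, udp_total, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + on_wire, 1, more_fragments,
                     64, 17, 0, bytes(src), bytes((192, 0, 2, 10)))
    return ip + udp + b"\x00" * (on_wire - 8)

if __name__ == "__main__":
    sensor_src = (198, 51, 100, 7)           # documentation-range address
    for size in (512, 2999, 3000, 4096):
        pkt = build_first_fragment(sensor_src, LSERVNT_PORT, size)
        print(size, len(pkt), check_ipv4_packet(pkt))
```

A check that compared only the captured packet size would miss the 3000-byte case, since the first fragment on a 1500-byte MTU link is itself only 1500 bytes long.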

    Solution:
    Update to version 8.0 of the Sentinel License Manager at:
    <http://www.safenet-inc.com/products/sentinel/lm.asp>

    Disclosure Timeline:
    * 12-2004 Vulnerability discovered
    * 21-12-2004 Research completed
    * 29-12-2004 Vendor contacted
    * 30-12-2004 Vendor responds that the vulnerability is fixed in version
    8.0
    * 19-02-2005 Report sent to CERT
    * 22-02-2005 Received response from CERT: VU#108790 and CAN-2005-0353
    * 07-03-2005 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:advisory@cirt.dk> CIRT
    Advisory.
    The original article can be found at:
    <http://www.cirt.dk/advisories/cirt-30-advisory.pdf>


