[NT] Buffer Overflow in SentinelLM Service
From: SecuriTeam (support_at_securiteam.com)
Date: 03/08/05
To: list@securiteam.com Date: 8 Mar 2005 11:26:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in SentinelLM Service
------------------------------------------------------------------------
SUMMARY
<http://www.safenet-inc.com/products/sentinel/lm.asp> Sentinel LM is a
software-based license management application allowing application
developers to implement multiple pre-built license models with a single
software development integration effort.
A buffer overflow in SentinelLM allows a malicious attacker to run
arbitrary machine code on a vulnerable host.
DETAILS
Vulnerable Systems:
* Sentinel License Manager version 7.2.0.2
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0353>
CAN-2005-0353
Sending a large amount of data to the SentinelLM service results in a
buffer overflow in which the Extended Instruction Pointer (EIP) is
overwritten, allowing arbitrary code to be run on the server with the
rights of the service. Specifically, the Sentinel License Manager
overflows when 3000 bytes of data or more are sent to UDP port 5093,
where the "Lservnt" service is running. The EIP is overwritten, allowing
arbitrary code execution with the rights of the service, which by default
are "SYSTEM".
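A detection check for the condition described above, as an added example that is not part of the original advisory: it parses a raw IPv4 packet and flags datagrams to UDP port 5093 whose UDP length field declares a payload of 3000 bytes or more. It reads the declared length from the first fragment, because on a 1500-byte MTU link such a datagram arrives IP-fragmented and no single packet is that large. The function names `inspect` and `make_packet`, the addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

LSERVNT_PORT = 5093   # UDP port named in the advisory
THRESHOLD = 3000      # payload size named in the advisory

def inspect(packet):
    """Return an alert dict for an oversized datagram to UDP 5093, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                        # not IPv4
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    frag = struct.unpack_from("!H", packet, 6)[0]
    if packet[9] != 17 or frag & 0x1FFF:   # not UDP, or a non-first fragment
        return None                        # (later fragments carry no UDP header)
    if len(packet) < ihl + 8:
        return None                        # truncated UDP header
    _sport, dport, ulen = struct.unpack_from("!HHH", packet, ihl)
    payload = ulen - 8                     # declared size of the whole datagram,
    if dport != LSERVNT_PORT or payload < THRESHOLD:   # even if IP fragments it
        return None
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "payload": payload,
            "fragmented": bool(frag & 0x2000)}   # More Fragments flag set

def make_packet(dport, payload_len, carried, more_fragments=False):
    """Constructed first-fragment IPv4/UDP packet (checksums left at zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + payload_len, 0) + b"\x00" * carried
    flags = 0x2000 if more_fragments else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, flags, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    return ip + udp

# Constructed samples: a small request, an unfragmented 3000-byte datagram,
# the first 1500-byte fragment of a 3000-byte datagram, and unrelated traffic.
SAMPLES = [make_packet(5093, 64, 64),
           make_packet(5093, 3000, 3000),
           make_packet(5093, 3000, 1472, more_fragments=True),
           make_packet(53, 3000, 3000)]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(inspect(pkt))
```

A sensor that only compares per-packet size against the threshold would miss the third sample, which is 1500 bytes on the wire but declares a 3000-byte payload.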
Solution:
Update to version 8.0 of the Sentinel License Manager at:
<http://www.safenet-inc.com/products/sentinel/lm.asp>
Disclosure Timeline:
* 12-2004 Vulnerability discovered
* 21-12-2004 Research completed
* 29-12-2004 Vendor contacted
* 30-12-2004 Vendor responds that the vulnerability is fixed in version
8.0
* 19-02-2005 Report sent to CERT
* 22-02-2005 Received response from CERT: VU#108790 and CAN-2005-0353
* 07-03-2005 Public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:advisory@cirt.dk> CIRT
Advisory.
The original article can be found at:
<http://www.cirt.dk/advisories/cirt-30-advisory.pdf>
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.