[NT] Buffer Overflow in SentinelLM Service

From: SecuriTeam (support_at_securiteam.com)
Date: 03/08/05

    To: list@securiteam.com
    Date: 8 Mar 2005 11:26:43 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Buffer Overflow in SentinelLM Service
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.safenet-inc.com/products/sentinel/lm.asp> Sentinel LM is a
    software-based license management application allowing application
    developers to implement multiple pre-built license models with a single
    software development integration effort.
    A buffer overflow in SentinelLM allows a malicious attacker to run
    arbitrary machine code on a vulnerable host.

    DETAILS

    Vulnerable Systems:
     * Sentinel License Manager version 7.2.0.2

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0353>
    CAN-2005-0353

    Sending a large amount of data to the SentinelLM service results in a
    buffer overflow in which the Extended Instruction Pointer (EIP) is
    overwritten, allowing arbitrary code to be run on the server with the
    rights of the service. Specifically, the Sentinel License Manager
    overflows when 3000 bytes of data or more are sent to UDP port 5093,
    where the "Lservnt" service is running. The service runs as "SYSTEM" by
    default, so the injected code executes with those rights.
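
A detection sketch for the condition described above, added here as an example and not part of the CIRT advisory or any vendor tooling. It assumes Ethernet II/IPv4 frames from a capture; because a datagram this large is fragmented at a 1500-byte MTU, it reads the UDP length field in the first fragment instead of the bytes on the wire. All function names are hypothetical and the sample frames are constructed.

```python
import struct

SENTINEL_PORT = 5093   # UDP port of the "Lservnt" service, per the advisory
OVERFLOW_BYTES = 3000  # payload size the advisory reports as overflowing

def declared_payload_len(frame: bytes):
    """Declared UDP payload size if `frame` is an unfragmented datagram or a
    first fragment addressed to UDP/5093; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # Ethernet II + IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17:        # IPv4 carrying UDP
        return None
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if frag_offset or len(ip) < ihl + 8:   # later fragments have no UDP header
        return None
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport != SENTINEL_PORT or udp_len < 8:
        return None
    return udp_len - 8                     # length field covers header + data

def is_oversized(frame: bytes) -> bool:
    """True when the declared payload reaches the advisory's 3000-byte mark."""
    size = declared_payload_len(frame)
    return size is not None and size >= OVERFLOW_BYTES

def constructed_frame(dport: int, payload_len: int) -> bytes:
    """Constructed sample (not captured traffic): zero-filled first fragment
    between RFC 5737 documentation addresses, cut at a 1500-byte MTU."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + payload_len, 0)
    data = (udp + bytes(payload_len))[:1480]
    more_fragments = 0x2000 if 8 + payload_len > 1480 else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 1,
                     more_fragments, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return bytes(12) + b"\x08\x00" + ip + data

if __name__ == "__main__":
    for port, size in [(5093, 120), (5093, 3000), (5093, 4096), (53, 4096)]:
        frame = constructed_frame(port, size)
        print(port, size, "ALERT" if is_oversized(frame) else "ok")
```

Non-first fragments return None by design, so an alert is raised once per datagram, on the fragment that carries the UDP header.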

    Solution:
    Update to version 8.0 of the Sentinel License Manager at:
    <http://www.safenet-inc.com/products/sentinel/lm.asp>

    Disclosure Timeline:
    * 12-2004 Vulnerability discovered
    * 21-12-2004 Research completed
    * 29-12-2004 Vendor contacted
    * 30-12-2004 Vendor responds that the vulnerability is fixed in version
    8.0
    * 19-02-2005 Report sent to CERT
    * 22-02-2005 Received response from CERT: VU#108790 and CAN-2005-0353
    * 07-03-2005 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:advisory@cirt.dk> CIRT
    Advisory.
    The original article can be found at:
    <http://www.cirt.dk/advisories/cirt-30-advisory.pdf>
