[VulnWatch] [HAT-SQUAD] SafeNet Sentinel LM, UDP License Manager Exploit

From: class 101 (class101_at_hat-squad.com)
Date: 03/14/05

    To: "Full-Disclosure" <Full-Disclosure@lists.grok.org.uk>, <vulnwatch@vulnwatch.org>
    Date: Mon, 14 Mar 2005 14:36:32 +0100
    
    

    Application overview:

                Sentinel LM is a software-based license management application
    allowing application developers to implement multiple pre-built license
    models with a single software development integration effort. Developers can
    sell or deliver multiple license types simply by changing the license file
    associated with the application sold, reducing development time and
    facilitating software management of a single code base per release.

    Advisory overview:

                Dennis Rand of www.cirt.dk is credited with the vulnerability
    discovery.

    Exploit overview:

                class101 of www.hat-squad.com is credited with the PoC exploit.

    Poc overview:

               The full PoC can be downloaded at www.class101.org or
    www.hat-squad.com, or is attached to this mail
    for the security websites.

    /*
    SentinelLM, UDP License Service Stack Overflow

    Homepage: safenet-inc.com
    Affected version: 7.*
    Patched version: 8.0
    Link: safenet-inc.com/products/sentinel/lm.asp
    Date: 09 March 2005
    Advisory: securitytracker.com/alerts/2005/Mar/1013385.html

    Application Risk: High
    Internet Risk: Medium (UDP)

    Discovery Credits: Dennis Rand (CIRT.DK)
    Exploit Credits : class101

    Hole History:

                    07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK
                    09-3-2005: hat-squad's exploit done
                    13-3-2005: hat-squad's exploit released

    Notes:

          -the exploit targets 5093/UDP
          -no bad chars detected
          -Unlike what is said in the CIRT.DK advisory, you shouldn't submit
    3000 bytes of data; indeed, the overflow is occurring at around 3900
    bytes. SentinelLM will process the first 1035 bytes of your buffer and will
    repeat those until the override of the stack.
    Conclusion: you have to be good with maths (or control our friend olly
    & calc :>) to overwrite the right place in your buffer[1035] to finally
    reach eip when your buffer "autogrows" at around buffer[3940].
          -sending the buffer twice because the 1st attempt can fail sometimes.
          -using a nice popopret outside of a loaded module for SP2 and 2k3
    targets.
    this offset has been tested on SP2 and 2003 ENGLISH (maybe language-dependent,
    dunno..)
          -to note that target3 (SP2/2k3) can sometimes work as target2
    (SP1a/1/0), but it is not stable; this is why I use one of the two I have
    posted at Full-Disclosure (0x71ABE325/SP1a/1/0). This last one is stable for the
    3 SPs (ENGLISH!).

    Compilation:

                      101_SentLM.cpp ......... Win32 (MSVC,cygwin)
                      101_SentLM.c ........... Linux (FreeBSD,etc..)

     *Another fine working code, published as a patch warning or for an
    EXPERIMENTAL use!*

    Greet:

              *GUILLERMITO* "the terrorist...sigh..:("

                    NIMA MAJIDI
                    BEHRANG FOULADI
                    PEJMAN
                    HAMID
                    HAT-SQUAD.COM
                    metasploit.com
                    A^C^E of addict3d.org
                    str0ke of milw0rm.com
                    and my homy CLASS101.ORG :>

    */

    -------------------------------------------------------------
    class101
    Jr. Researcher
    Hat-Squad.com
    -------------------------------------------------------------
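The notes above give a defender two concrete signals: the service listens on 5093/UDP, the overflow needs a datagram of roughly 3900 bytes (far above the 1035-byte chunk the service processes), and the exploit sends its buffer twice. The detector below is an added example, not code from the advisory or from Hat-Squad; it runs over a constructed firewall-style log format (the `proto=... src=... dst=... len=...` line layout is an assumption), and the 1035-byte threshold and 5-second retry window are assumed values to be tuned for a real deployment.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Port the advisory names for the SentinelLM UDP license service.
SENTINEL_LM_PORT = 5093
# Assumed threshold (not from the advisory): the service processes the buffer in
# 1035-byte chunks and the overflow is reported at around 3900 bytes, so any UDP
# payload above one chunk is treated as suspicious. Tune for legitimate traffic.
SUSPICIOUS_PAYLOAD_LEN = 1035
# Assumed window: the advisory notes the exploit sends its buffer twice, so a
# second oversized datagram from the same source shortly after the first is a
# stronger signal than a single one.
RETRY_WINDOW = timedelta(seconds=5)

# Constructed log format (an assumption, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    length: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "proto": m["proto"].upper(),
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "len": int(m["len"]),
    }


def detect(lines: List[str]) -> List[Alert]:
    """Flag oversized UDP datagrams to the SentinelLM port, marking quick retries."""
    alerts: List[Alert] = []
    last_seen: Dict[str, datetime] = {}  # source IP -> time of last oversized datagram
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != SENTINEL_LM_PORT:
            continue
        if rec["len"] <= SUSPICIOUS_PAYLOAD_LEN:
            continue
        reason = "oversized datagram to SentinelLM port"
        prev = last_seen.get(rec["src"])
        if prev is not None and rec["ts"] - prev <= RETRY_WINDOW:
            reason = "repeated oversized datagram (possible retry)"
        last_seen[rec["src"]] = rec["ts"]
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["len"], reason))
    return alerts


# Constructed sample log: one normal request, two oversized datagrams from the
# same source one second apart, and two records that must be ignored (TCP, other port).
SAMPLE_LOG = [
    "2005-03-14T14:36:30Z proto=UDP src=10.0.0.5:40001 dst=10.0.0.10:5093 len=120",
    "2005-03-14T14:36:31Z proto=UDP src=10.0.0.5:40001 dst=10.0.0.10:5093 len=3940",
    "2005-03-14T14:36:32Z proto=UDP src=10.0.0.5:40001 dst=10.0.0.10:5093 len=3940",
    "2005-03-14T14:36:33Z proto=TCP src=10.0.0.6:5000 dst=10.0.0.10:5093 len=4000",
    "2005-03-14T14:36:34Z proto=UDP src=10.0.0.7:5000 dst=10.0.0.10:53 len=4000",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.src} -> {a.dst} len={a.length}: {a.reason}")
```

The second alert on the sample log carries the retry reason because it arrives within the window from the same source; in a real deployment the length threshold should be set from observed legitimate license-check sizes rather than the assumed 1035, and the rule is a stop-gap alongside upgrading to the patched 8.0 release named in the advisory.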
