Schneider Electric FLM v2.3.1.0 / FlexNet Publisher 11.6.2 Multiple Vulnerabilities

CVE-2019-8960 - lmadmin.exe Unauthenticated Remote DoS

The communication protocol used in lmadmin.exe for command 0x2f has the following format:

struct msg
{
   int8 type;        // command 0x2f
   int8 hdr_chksum;  // over the 0x14-byte header;
                     // this field is set to 0 for chksum calculation
   be16 data_chksum; // start @ msg_len to the msg end
   be16 msg_len;     // entire msg; including msg hdr
   be16 cmd;         // extended command
   be32 id;
   be32 unk;
   ube16 unk;        
   ube16 flags?;     // 0x1 - more_fragments?
   //end of msg hdr; start of msg data
   byte data[msg_len-0x14];
}; 

After reading a message, if (msg.flags & 0x1) is set the message reading function calls itself again, presumably expecting more message (fragments?) to follow:

.text:004F34B9 140      mov     edx, [ebp+flags]
.text:004F34BF 140      and     edx, 1
.text:004F34C2 140      jz      no_more_fragments
.text:004F34C8 140      mov     eax, [ebp+arg_timeout?]
.text:004F34CB 140      push    eax
.text:004F34CC 144      lea     ecx, [ebp+sebuf]
.text:004F34D2 144      push    ecx
.text:004F34D3 148      mov     edx, [ebp+obj24]
.text:004F34D9 148      mov     eax, [edx]
.text:004F34DB 148      mov     ecx, [ebp+obj24]
.text:004F34E1 148      mov     edx, [eax+4]
.text:004F34E4 148      call    edx ; recursive call
.text:004F34E6 140      test    eax, eax ; the function returns 0xffffffff if there
.text:004F34E6               ; is no more incoming message.
.text:004F34E6               ; This ret value passes the jz check and
.text:004F34E6               ; the code below it continues to execute,
.text:004F34E6               ; eventually resulting in an exception thrown
.text:004F34E6               ; and can cause lmadmin.exe to die.
.text:004F34E8 140      jz      short error

It appears that the function assumes a non-zero return value indicates success. If (msg.flags & 0x1) is set, but a subsequent message is not received, the function can return 0xffffffff which can lead to an exception being thrown. The end result can be process termination.

0:008> kb
ChildEBP RetAddr  Args to Child              
0a32fb88 05718a19 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
0a32fbc8 053e3a4f 0a32fbd8 054156f4 053d147c MSVCR120!_CxxThrowException+0x5b [f:\dd\vctools\crt\crtw32\eh\throw.cpp @ 152]
0a32fbe4 00501072 006a6e3c 0a32fdcc 0a32fc3c MSVCP120!std::_Xlength_error+0x2e [f:\dd\vctools\crt\crtw32\stdcpp\xthrow.cpp @ 19]
WARNING: Stack unwind information not available. Following frames may be wrong.
0a32fbf4 004f3ad7 24b9176e 00000000 08ca2fa0 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x54be2
0a32fc3c 004f4192 0d41cffb 00000014 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47647
0a32fc64 004f3551 0a32fca0 0d41cffb 00000014 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47d02
0a32fdb8 004f46cf 0a32fdcc 004c4b40 24b91532 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x470c1
0a32fe60 00535ef1 24b915de 09bdfc04 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4823f
0a32fe8c 0049a795 00000003 08ca2fe8 0a32feb0 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x89a61
0a32fe9c 00535fed 09bdfbd4 00000003 08ca2fec lmadmin!xalanc_1_11::XalanMemoryManager::getExceptionMemoryManager+0x21965
0a32feb0 005366e0 00000000 08ca2fe8 0a32fecf lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x89b5d
0a32fed0 00536c75 08ca2fe8 0a32ff10 00427adb lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8a250
0a32fedc 00427adb 08ca2fe8 24b91442 0a32ff68 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8a7e5
0a32ff10 004f28a2 08ca2fa0 0a32ff44 0063059e lmadmin+0x27adb
0a32ff1c 0063059e 24b91416 00000000 0b924c40 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x46412
0a32ff44 0572c129 08ca2fa0 0af420b6 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x18410e
0a32ff7c 0572c10d 00000000 0a32ff94 7dd7343d MSVCR120!_callthreadstartex+0x1b [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 381]
0a32ff88 7dd7343d 09346c40 0a32ffd4 7dea9802 MSVCR120!_threadstartex+0x69 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 359]
0a32ff94 7dea9802 09346c40 59937487 00000000 kernel32!BaseThreadInitThunk+0xe
0a32ffd4 7dea97d5 0572c0cc 09346c40 ffffffff ntdll!__RtlUserThreadStart+0x70

CVE-2019-8961 - lmadmin.exe Unauthenticated Remote Stack Exhaustion

Because the message reading function calls itself recursively if (msg.flags & 0x1) is set in the received message, an unauthenticated remote attacker can repeatedly send messages with the flag set to cause a stack exhaustion condition:

0:038> g
(1604.f24): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000b4 ebx=00000000 ecx=028b3114 edx=00000013 esi=00000000 edi=03c8f9e0
eip=6c8816ce esp=028b2fec ebp=028b30b0 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
MSWSOCK!_SEH_prolog4_GS+0x1a:
6c8816ce 53              push    ebx
0:008> kb
ChildEBP RetAddr  Args to Child              
028b30b0 41ac673e 000004cd 028b3180 00000000 MSWSOCK!_SEH_prolog4_GS+0x1a
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Schneider Electric\Floating License Manager\FLEXnet Publisher License Server Manager\lmadmin.exe - 
028b3130 005379d8 000004cd 028b3180 00000000 WS2_32!select+0x494
WARNING: Stack unwind information not available. Following frames may be wrong.
028b4194 004f329e 028b4248 00000002 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8b548
028b42ec 004f34e6 028b4354 004c4b40 e52adb7e lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x46e0e
028b4438 004f34e6 028b44a0 004c4b40 e52adac2 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b4584 004f34e6 028b45ec 004c4b40 e52ad996 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b46d0 004f34e6 028b4738 004c4b40 e52ad75a lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b481c 004f34e6 028b4884 004c4b40 e52ad62e lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b4968 004f34e6 028b49d0 004c4b40 e52ad5f2 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b4ab4 004f34e6 028b4b1c 004c4b40 e52ad346 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
028b4c00 004f34e6 028b4c68 004c4b40 e52ad20a lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056
...
InVision