Synopsis
lmadmin.exe Unauthenticated Remote DoS
The communication protocol used in lmadmin.exe for command 0x2f has the following format:
struct msg
{
int8 type; // command 0x2f
int8 hdr_chksum; // over the 0x14-byte header;
// this field is set to 0 for chksum calculation
be16 data_chksum; // start @ msg_len to the msg end
be16 msg_len; // entire msg; including msg hdr
be16 cmd; // extended command
be32 id;
be32 unk;
ube16 unk;
ube16 flags?; // 0x1 - more_fragments?
//end of msg hdr; start of msg data
byte data[msg_len-0x14];
};
After reading a message, if (msg.flags & 0x1) is set the message reading function calls itself again, presumably expecting more message (fragments?) to follow:
.text:004F34B9 140 mov edx, [ebp+flags] .text:004F34BF 140 and edx, 1 .text:004F34C2 140 jz no_more_fragments .text:004F34C8 140 mov eax, [ebp+arg_timeout?] .text:004F34CB 140 push eax .text:004F34CC 144 lea ecx, [ebp+sebuf] .text:004F34D2 144 push ecx .text:004F34D3 148 mov edx, [ebp+obj24] .text:004F34D9 148 mov eax, [edx] .text:004F34DB 148 mov ecx, [ebp+obj24] .text:004F34E1 148 mov edx, [eax+4] .text:004F34E4 148 call edx ; recursive call .text:004F34E6 140 test eax, eax ; the function returns 0xffffffff if there .text:004F34E6 ; is no more incoming message. .text:004F34E6 ; This ret value passes the jz check and .text:004F34E6 ; the code below it continues to execute, .text:004F34E6 ; eventually resulting in an exception thrown .text:004F34E6 ; and can cause lmadmin.exe to die. .text:004F34E8 140 jz short error
It appears that the function assumes a non-zero return value indicates success. If (msg.flags & 0x1) is set, but a subsequent message is not received, the function can return 0xffffffff which can lead to an exception being thrown. The end result can be process termination.
0:008> kb ChildEBP RetAddr Args to Child 0a32fb88 05718a19 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58 0a32fbc8 053e3a4f 0a32fbd8 054156f4 053d147c MSVCR120!_CxxThrowException+0x5b [f:\dd\vctools\crt\crtw32\eh\throw.cpp @ 152] 0a32fbe4 00501072 006a6e3c 0a32fdcc 0a32fc3c MSVCP120!std::_Xlength_error+0x2e [f:\dd\vctools\crt\crtw32\stdcpp\xthrow.cpp @ 19] WARNING: Stack unwind information not available. Following frames may be wrong. 0a32fbf4 004f3ad7 24b9176e 00000000 08ca2fa0 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x54be2 0a32fc3c 004f4192 0d41cffb 00000014 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47647 0a32fc64 004f3551 0a32fca0 0d41cffb 00000014 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47d02 0a32fdb8 004f46cf 0a32fdcc 004c4b40 24b91532 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x470c1 0a32fe60 00535ef1 24b915de 09bdfc04 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4823f 0a32fe8c 0049a795 00000003 08ca2fe8 0a32feb0 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x89a61 0a32fe9c 00535fed 09bdfbd4 00000003 08ca2fec lmadmin!xalanc_1_11::XalanMemoryManager::getExceptionMemoryManager+0x21965 0a32feb0 005366e0 00000000 08ca2fe8 0a32fecf lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x89b5d 0a32fed0 00536c75 08ca2fe8 0a32ff10 00427adb lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8a250 0a32fedc 00427adb 08ca2fe8 24b91442 0a32ff68 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8a7e5 0a32ff10 004f28a2 08ca2fa0 0a32ff44 0063059e lmadmin+0x27adb 0a32ff1c 0063059e 24b91416 00000000 0b924c40 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x46412 0a32ff44 0572c129 08ca2fa0 0af420b6 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x18410e 0a32ff7c 0572c10d 00000000 0a32ff94 7dd7343d MSVCR120!_callthreadstartex+0x1b [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 381] 0a32ff88 7dd7343d 09346c40 0a32ffd4 7dea9802 MSVCR120!_threadstartex+0x69 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 359] 0a32ff94 7dea9802 09346c40 59937487 00000000 kernel32!BaseThreadInitThunk+0xe 0a32ffd4 7dea97d5 0572c0cc 09346c40 ffffffff ntdll!__RtlUserThreadStart+0x70
lmadmin.exe Unauthenticated Remote Stack Exhaustion
Because the message reading function calls itself recursively if (msg.flags & 0x1) is set in the received message, an unauthenticated remote attacker can repeatedly send messages with the flag set to cause a stack exhaustion condition:
0:038> g (1604.f24): Stack overflow - code c00000fd (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=000000b4 ebx=00000000 ecx=028b3114 edx=00000013 esi=00000000 edi=03c8f9e0 eip=6c8816ce esp=028b2fec ebp=028b30b0 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212 MSWSOCK!_SEH_prolog4_GS+0x1a: 6c8816ce 53 push ebx 0:008> kb ChildEBP RetAddr Args to Child 028b30b0 41ac673e 000004cd 028b3180 00000000 MSWSOCK!_SEH_prolog4_GS+0x1a *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Schneider Electric\Floating License Manager\FLEXnet Publisher License Server Manager\lmadmin.exe - 028b3130 005379d8 000004cd 028b3180 00000000 WS2_32!select+0x494 WARNING: Stack unwind information not available. Following frames may be wrong. 028b4194 004f329e 028b4248 00000002 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x8b548 028b42ec 004f34e6 028b4354 004c4b40 e52adb7e lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x46e0e 028b4438 004f34e6 028b44a0 004c4b40 e52adac2 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056 028b4584 004f34e6 028b45ec 004c4b40 e52ad996 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056 028b46d0 004f34e6 028b4738 004c4b40 e52ad75a lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056 028b481c 004f34e6 028b4884 004c4b40 e52ad62e lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056 028b4968 004f34e6 028b49d0 004c4b40 e52ad5f2 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056 028b4ab4 004f34e6 028b4b1c 004c4b40 e52ad346 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056 028b4c00 004f34e6 028b4c68 004c4b40 e52ad20a lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x47056 ... InVision
Solution
Upgrade to FlexNet Publisher 2019 R3 SP1. https://community.flexera.com/t5/FlexNet-Publisher-News/FlexNet-Publishe...
Disclosure Timeline
07/29/2019 - Vulnerabilities discovered.
08/15/2019 - Tenable reports the vulnerability to [email protected] 90 days set to November 14, 2019.
08/15/2019 - Tenable receives an automated reply acknowledging receipt and a promised response in "two business days."
08/15/2019 - Schneider assigns SE-1414 and SE-1415.
08/26/2019 - Schneider tells Tenable they are working on it.
08/26/2019 - Tenable thanks Schneider for the update.
08/28/2019 - Schneider indicates Flexera may have a fix. Asks if Tenable is willing to test.
08/28/2019 - Tenable agrees to test.
08/28/2019 - Schneider provides a download link.
08/28/2019 - Tenable tells Schneider that they've successfully downloaded the files.
08/28/2019 - Tenable finds that the software is still vulnerable.
08/29/2019 - Tenable informs Schneider the test version doesn't fix the issues.
09/06/2019 - Schneider targets a Q4 fix and asks about Tenable's disclosure policy.
09/06/2019 - Tenable clarifies the rules around disclosure deadline.
09/20/2019 - Schneider explains the vulnerabilities is in Flexera software and not Schneider software and therefore believe they should be excused from the 90 day disclosure.
09/20/2019 - Tenable agrees.
10/16/2019 - Tenable discloses to [email protected] 90 day is Jan. 14, 2020
11/20/2019 - Flexera notifies Tenable that a patch has been released.
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]