[VulnWatch] [HAT-SQUAD] SafeNet Sentinel LM, UDP License Manager Exploit

From: class 101 (class101@hat-squad.com)
Date: Mon Mar 14 2005 - 05:36:32 PST

Application overview:

            Sentinel LM is a software-based license management application
allowing application developers to implement multiple pre-built license
models with a single software development integration effort. Developers can
sell or deliver multiple license types simply by changing the license file
associated with the application sold, reducing development time and
facilitating software management of a single code base per release.

Advisory overview:

            Dennis Rand of www.cirt.dk is to credit of the vulnerability

Exploit overview:

            class101 of www.hat-squad.com is to credit of the poc exploit.

Poc overview:

           the full poc can be downloaded at www.class101.org or
www.hat-squad.com or attached to this mail
for the security websites.

SentinelLM, UDP License Service Stack Overflow

Homepage:           safenet-inc.com
Affected version:    7.*
Patched  version:   8.0
Link:                     safenet-inc.com/products/sentinel/lm.asp
Date:                    09 March 2005
Advisory:              securitytracker.com/alerts/2005/Mar/1013385.html

Application Risk:   High
Internet Risk:        Medium (UDP)

Dicovery Credits:   Dennis Rand (CIRT.DK)
Exploit Credits :    class101

Hole History:

                07-3-2005: BOF flaw published by Dennis Rand of CIRT.DK
                09-3-2005: hat-squad's exploit done
                13-3-2005: hat-squad's exploit released


      -the exploit targets 5093/UDP
      -no bad chars detected
      -Unlike it is said in the CIRT.DK advisory, you shouldn't submit
3000bytes of data, but indeed, the overflow is occuring at around 3900
bytes. SentinelLM will proceed the first 1035bytes of your buffer and will
repeat those until the override of the stack.
Conclusion , you have to be good with maths (nor to control our friend olly
& calc :>) to overwrite the right place in your buffer[1035] to finally
reach eip when your buffer "autogrows" at around buffer[3940].
      -sending the buffer twice because the 1st attempt can fail sometimes.
      -using a nice popopret outside of a loaded module for SP2and2k3
this offset has been tested on SP2 and 2003 ENGLISH (maybe langage-dependent
      -to note so that target3 (SP2/2k3) can work sometimes as target2
(SP1a/1/0) but it is not stable this is why I use one of the two I have
posted at fulldisclosure (0x71ABE325/SP1a/1/0). This last is stable for the
3 sp (ENGLISH!).


                  101_SentLM.cpp ......... Win32 (MSVC,cygwin)
                  101_SentLM.c ........... Linux (FreeBSD,etc..)

 *Another fine working code, published as a patch warning or for an


          *GUILLERMITO* "the terrorist...sigh..:("

                NIMA MAJIDI
                BEHRANG FOULADI
                A^C^E of addict3d.org
                str0ke of milw0rm.com
                and my homy CLASS101.ORG :>


Jr. Researcher

This archive was generated by hypermail 2.1.3 : Mon Mar 14 2005 - 07:58:13 PST