J-Security Center


Title: Computer Associates License Application Multiple Vulnerabilities

Severity: CRITICAL

Description:

The Computer Associates License application provides remote license registration functionality for Computer Associates products. It is included with most of the products offered by Computer Associates. Reportedly, the server does not run by default; the client, however, runs by default on affected platforms.

Computer Associates License client and server applications are reported prone to multiple vulnerabilities. These issues include various buffer overflow vulnerabilities in the client and server and a directory traversal vulnerability in the client. A remote attacker may execute arbitrary code and place files in arbitrary locations on a vulnerable computer.

The following specific issues were identified:

It is reported that the License client and server are affected by a remote buffer overflow vulnerability. This issue arises when the applications process a packet containing excessive string data. Specifically, if the malicious packet does not contain a valid command, the applications generate a log message containing the attacker-supplied values. The message is copied to a fixed-size buffer without boundary checks, which can ultimately lead to an overflow condition.

The License client is affected by a buffer overflow vulnerability when handling a malformed 'PUTOLF' request. This issue arises when a remote attacker issues a malformed request containing a 'name' attribute that is larger than 252 bytes. The attacker-supplied data is copied to a fixed-size buffer, leading to an overflow condition.

The License client is also affected by a directory traversal vulnerability when handling a malformed 'PUTOLF' request. This issue can allow an attacker to specify a file name in a request while using '../' directory traversal sequences to place potentially malicious files in an arbitrary location. This issue can ultimately lead to arbitrary code execution as well.
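The two 'PUTOLF' issues above share one root cause: the 'name' attribute is used without validation. The following is an added example, not code from Computer Associates or from this advisory, of a check that rejects both over-long names and traversal sequences before the name is used. The function name, status codes and buffer layout are assumptions; only the 252-byte limit and the '../' sequence come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define OLF_NAME_MAX 252 /* limit from the advisory; buffer layout is assumed */

enum olf_status { OLF_OK, OLF_EMPTY, OLF_TOO_LONG, OLF_BAD_CHAR, OLF_DOT_NAME };

/* Hypothetical helper: copy an untrusted 'name' into dst only if it is a
 * plain file name. len is the length as received on the wire, so the check
 * does not depend on the sender supplying a NUL terminator. */
enum olf_status olf_name_copy(char *dst, size_t dst_size,
                              const char *name, size_t len)
{
    if (dst_size == 0)
        return OLF_TOO_LONG;
    dst[0] = '\0';                 /* dst is never left uninitialised */
    if (len == 0)
        return OLF_EMPTY;
    /* Bound the copy before touching the data (the overflow case). */
    if (len > OLF_NAME_MAX || len >= dst_size)
        return OLF_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Reject UNIX and Windows separators, drive/stream colons,
         * control bytes and embedded NULs (the traversal case). */
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7f)
            return OLF_BAD_CHAR;
    }
    /* With separators gone, only "." and ".." can still leave the directory. */
    if ((len == 1 && name[0] == '.') ||
        (len == 2 && name[0] == '.' && name[1] == '.'))
        return OLF_DOT_NAME;
    memcpy(dst, name, len);
    dst[len] = '\0';
    return OLF_OK;
}

int main(void)
{
    /* Constructed sample names, not captured traffic. */
    const char *samples[] = { "ca.olf", "../../x.olf", "..", "C:x.olf" };
    char out[OLF_NAME_MAX + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i],
               (int)olf_name_copy(out, sizeof out, samples[i],
                                  strlen(samples[i])));
    return 0;
}
```

A name that passes is a single path component, so joining it to a fixed directory cannot escape that directory through the name itself.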

The License client and server applications are affected by a remote buffer overflow vulnerability when handling malformed 'GETCONFIG' requests. The application fails to perform boundary checks when copying the last parameter of a 'GETCONFIG' packet. An attacker can supply an excessive string value through the last parameter of the request to trigger an overflow condition.

The License client and server applications are affected by a remote buffer overflow vulnerability when handling malformed 'GCR' requests. Reportedly, multiple parameters of the request including IP address, hostname, netmask, and checksum can be used to supply excessive data to trigger this condition. Arbitrary code execution due to memory corruption is possible.

Successful exploitation of these issues can allow an attacker to corrupt sensitive process memory and execute arbitrary code on a vulnerable computer. An attacker may also place malicious files in arbitrary locations on a computer. The affected application runs with SYSTEM privileges on Microsoft Windows platforms and superuser privileges on UNIX platforms, so exploitation allows a complete compromise.

Update: Additional vulnerabilities are reported to affect the 'LIC98RMT.EXE' component of the Computer Associates License application. It is reported that this component listens on TCP ports 10203 and 10204. The report indicates that the following commands are also prone to memory corruption vulnerabilities: 'LOG1', 'GBR', 'OLFCONFIRM', 'GETBACKUP', 'GETLOG', 'NEWOLF', and 'GETSERVER'. These issues may be exploited remotely to execute arbitrary code with SYSTEM privileges on Microsoft Windows platforms and superuser privileges on UNIX platforms.

This BID will be split into individual BIDs as soon as further research into these issues is complete.

Computer Associates License application versions 1.53 to 1.61.8 on all supported platforms are affected by these vulnerabilities.

Update: It has been reported that this issue may affect all previous users of Computer Associates products as well; uninstalling the affected applications, including evaluation versions, does not necessarily uninstall the vulnerable licensing software.

Affected Products:

  • Computer Associates License 1.0.15
  • Computer Associates License 1.53.0
  • Computer Associates License 1.54.0
  • Computer Associates License 1.55.0
  • Computer Associates License 1.56.0
  • Computer Associates License 1.57.0
  • Computer Associates License 1.60.0
  • Computer Associates License 1.60.2
  • Computer Associates License 1.60.3
  • Computer Associates License 1.61.0
  • Computer Associates License 1.61.1
  • Computer Associates License 1.61.2
  • Computer Associates License 1.61.8
