Bugtraq mailing list archives
SO (ECL) 355428 flexlm
From: XX.XX () sun co uk (XX XX - Sun UK - Answer Centre)
Date: Fri, 17 Dec 93 12:47:27 GMT
Bob,

You are right, and this is a known bug (id 1101580). The problem is that Flexlm is not a Sun controlled product and Highland claim it does what customers want ..

In fact I have very quickly worked out that what lmdown does is check your uid is zero in the /etc/passwd file. So if some clever person either

a) knew where to patch the binary, or
b) knew what the flex protocol was and how to spoof it..

they probably don't even need to be root. I simply added an entry for my username in the passwd file as uid=0 but did not su and was able to lmdown. Not good but I'm not sure that the knowledge for either of these is publicly available.

Anyway the sad story is that Highland seem to have said no to a fix! I suspect that 'cos of multiple license servers that it has to be a networked solution and they want it to work on a lot of platforms without much change. Also although it's malicious it's probably not harmful - at least for compilers, and anyone can restart the lmgrd if it's not running.

I would suggest using a non-standard port (not 1700) as a partial measure so that someone would have to work that out too and they'd have to be able to see your license file to do that. So restrict your NFS exports to an authorised group and other such prudent measures.

----- End of included message. -----

I would be interested in what people do to protect themselves from this attack if it is a well-known problem. I mailed Highland via the only e-mail address I could find for them (flexlm () hisoft infocomm com) but haven't had a reply.

--------
Bob Dowling: UNIX Support, University of Cambridge Computing Service,
rjd4 () ucs cam ac uk
New Museums Site, Pembroke Street, Cambridge, UK. CB2 3QG.
+44 223 334728
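An audit for the conditions this message describes, as an added example that is not part of the original post or of FLEXlm: it lists passwd entries with uid 0 other than root, and flags a license file that names port 1700 or is world-readable. The SERVER line layout (SERVER host hostid port), the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: audit helpers. Paths are arguments, so run them on copies.

# Names of accounts other than "root" whose UID field is 0.
# passwd(5) layout: name:password:uid:gid:gecos:home:shell
extra_uid0_accounts() {
    awk -F: '$1 !~ /^#/ && $1 != "root" && $3 ~ /^0+$/ { print $1 }' "$1"
}

# Ports named on SERVER lines (assumed layout: SERVER host hostid port).
license_server_ports() {
    awk '$1 == "SERVER" && NF >= 4 { print $4 }' "$1"
}

# True if any SERVER line uses port 1700.
uses_default_port() {
    license_server_ports "$1" | grep -qx 1700
}

# True if the file mode grants read access to "other".
world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# audit PASSWD LICENSE: print findings, return 1 if there are any.
audit() {
    rc=0
    for name in $(extra_uid0_accounts "$1"); do
        echo "passwd: '$name' has uid 0 but is not root"; rc=1
    done
    if uses_default_port "$2"; then
        echo "license: SERVER line uses port 1700"; rc=1
    fi
    if world_readable "$2"; then
        echo "license: file is world-readable"; rc=1
    fi
    return $rc
}

# Demo on constructed sample files: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'root:x:0:0::/:/bin/sh\nalice:x:0:10::/home/alice:/bin/sh\n' > "$d/passwd"
    printf 'SERVER lichost 12345678 1700\nDAEMON vendord /opt/vendord\n' > "$d/license.dat"
    chmod 644 "$d/license.dat"
    audit "$d/passwd" "$d/license.dat"
    rm -rf "$d"
fi
```

Run it against the passwd file on the license server host and on any host whose passwd entries lmdown would consult.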