Vulnerability Development mailing list archives
Re: spoofing the ethernet address (license managers)
From: sherrill () TI COM (Eric Sherrill)
Date: Fri, 24 Mar 2000 10:29:54 -0600
Many UNIX license managers (e.g. FlexLM, the most common) use a license file with an encrypted string, hostname and Ethernet MAC address or "hostid" (Sun's compact representation of a MAC address; it uses the first two hex digits as mfg. ID, and the last six are the same as the last six hex digits in the MAC address). When licensed software is launched, it checks with a daemon running in the background (lmgrd) to see if it is being run on a properly licensed machine (which uses a 'sysinfo' system call on Solaris to check the hostid, and compares that against the license file).

Of course, that can be annoying, since whenever you switch out hardware (whole machine upgrade, motherboard replacement, etc.) you must either update the NVRAM on the machine to override the MAC address, or else get a new license. Suns get their hostid & MAC address from the NVRAM chip on the mobo (which is transferable if it's a straight same-model mobo swap), not the Ethernet card(s), but you can set the MAC in software through the 'ifconfig' command; e.g. if you have two or more cards on the same subnet, you will want different MAC addresses for them, or your collision domain will be shot.

Look for Infodoc ID 12306 ("Sun Ethernet Interface Support Document/FAQ"), Infodoc ID 14294 ("FlexLM PSD/FAQ") and Infodoc ID 15572 ("Can I configure two Ethernet interfaces on the subnet?") on http://sunsolve.sun.com for a more thorough explanation of all this as it pertains to Suns. If I remember correctly AIX and HP/UX are similar (although they may be more tied to the ethernet card's MAC), and I have no idea about Linux and Wintel boxes since I've not run any networked license managers on them (I'd guess they also default to the hardware MAC but are easily changeable/spoofable).

IMHO the Ethernet MAC is not a reliable security or identity provider, and the license managers are stupid to rely on them (although I can't think of a better replacement off the top of my head, maybe X.509 certificates or something). Plus one of these days distributed.net might start cracking away at license strings.... ;^)

Example from one of our apps (data munged to protect the guilty):
cat /etc/license.dat
# hostname  hostid    license string
#
tester13s   80b8f4e0  2D3736C1522B53E385

--
Eric R. Sherrill, WF Software Systems Engineer
Texas Instruments HFAB1 Automation Systems
Stafford, TX 77477-3006
281-274-4133

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Ex Machina
Sent: Thursday, March 23, 2000 12:06 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: spoofing the ethernet address

How exactly does this scheme work?

Ex Machina (xm () geekmafia dynip com)
http://geekmafia.dynip.com/~xm/
phone: 1-877-LPT-WHIP
icq: 3387005
aim: ExMachina
GnuPG Keyprint: 0627 C3A8 DE25 F7FB 46BD 4870 2006 CF7F EBDA 949D

On Tue, 21 Mar 2000, Pierre Landau wrote:

Date: Tue, 21 Mar 2000 12:55:36 -0700
From: Pierre Landau <pierre () POLYMAPSYSTEMS COM>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: spoofing the ethernet address

Another possible vulnerability with spoofing MAC addresses is the number of software license managers that rely on this number as a unique hardware signature.
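
An added example, not part of the original post and not FlexLM code: a licence-host audit that takes the post's description of the hostid at face value (its last six hex digits equal the last six of the NVRAM MAC) and flags interfaces whose MAC no longer matches, plus hostids reported by more than one machine. The inventory, the second licence entry and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data. Only the tester13s entry comes from the post.
LICENSE_DAT = """\
# hostname   hostid    license string
tester13s    80b8f4e0  2D3736C1522B53E385
tester14s    80a1b2c3  0123456789ABCDEF01
"""
# (hostname, output of `hostid`, MACs from `ifconfig -a`), as collected per host.
INVENTORY = [
    ("tester13s", "80b8f4e0", ["8:0:20:b8:f4:e0"]),
    ("tester14s", "80a1b2c3", ["8:0:20:a1:b2:c3", "8:0:20:11:22:33"]),
    ("spare07", "80b8f4e0", ["8:0:20:b8:f4:e0"]),
]

def parse_license(text):
    """Map hostname -> hostid for every non-comment licence line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            entries[fields[0]] = fields[1].lower()
    return entries

def mac_suffix(mac):
    """Last six hex digits of a MAC; pads octets printed without leading zeros."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{1,2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "".join(o.zfill(2).lower() for o in octets[3:])

def audit(license_text, inventory):
    """Return (host, finding) pairs; assumes hostid[-6:] == NVRAM MAC[-6:] per the post."""
    licensed, seen, findings = parse_license(license_text), defaultdict(list), []
    for host, hostid, macs in inventory:
        hostid = hostid.lower()
        seen[hostid].append(host)
        if host in licensed and licensed[host] != hostid:
            findings.append((host, "hostid differs from licence file"))
        for mac in macs:
            if mac_suffix(mac) != hostid[-6:]:
                findings.append((host, f"MAC {mac} differs from hostid suffix"))
    for hostid, hosts in seen.items():
        if len(hosts) > 1:
            findings.append((",".join(sorted(hosts)), f"hostid {hostid} reported by {len(hosts)} hosts"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(LICENSE_DAT, INVENTORY):
        print(f"{host}: {finding}")
```

A MAC mismatch on its own can be legitimate, as with the two-cards-on-one-subnet case the post describes; a hostid shared by several hosts is the finding that needs follow-up.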