Vulnerability Development mailing list archives

Re: spoofing the ethernet address (license managers)


From: sherrill () TI COM (Eric Sherrill)
Date: Fri, 24 Mar 2000 10:29:54 -0600


Many UNIX license managers (e.g. FlexLM, the most common) use a license file
with an encrypted string, hostname and Ethernet MAC address or "hostid"
(Sun's compact representation of a MAC address; it uses the first two hex
digits as mfg. ID, and the last six are the same as the last six hex digits
in the MAC address).  When licensed software is launched, it checks with a
daemon running in the background (lmgrd) to see if it is being run on a
properly licensed machine (which uses a 'sysinfo' system call on Solaris to
check the hostid, and compares that against the license file).  Of course,
that can be annoying, since whenever you switch out hardware (whole machine
upgrade, motherboard replacement, etc.) you must either update the NVRAM on
the machine to override the MAC address, or else get a new license.  Suns
get their hostid & MAC address from the NVRAM chip on the mobo (which is
transferable if it's a straight same-model mobo swap), not the Ethernet
card(s), but you can set the MAC in software through the 'ifconfig' command;
e.g. if you have two or more cards on the same subnet, you will want
different MAC addresses for them, or your collision domain will be shot.
Look for Infodoc ID 12306 ("Sun Ethernet Interface Support Document/FAQ"),
Infodoc ID 14294 ("FlexLM PSD/FAQ"), and Infodoc ID 15572 ("Can I configure
two Ethernet interfaces on the subnet?") on http://sunsolve.sun.com for a
more thorough explanation of all this as it pertains to Suns.  If I remember
correctly, AIX and HP/UX are similar (although they may be more tied to the
ethernet card's MAC), and I have no idea about Linux and Wintel boxes since
I've not run any networked license managers on them (I'd guess they also
default to the hardware MAC but are easily changeable/spoofable).

IMHO the Ethernet MAC is not a reliable security or identity provider, and
the license managers are stupid to rely on them (although I can't think of a
better replacement off the top of my head, maybe X.509 certificates or
something).  Plus one of these days distributed.net might start cracking
away at license strings.... ;^)

Example from one of our apps (data munged to protect the guilty):

cat /etc/license.dat

# hostname      hostid  license string
#
tester13s       80b8f4e0        2D3736C1522B53E385

--
Eric R. Sherrill, WF Software Systems Engineer
Texas Instruments HFAB1 Automation Systems
Stafford, TX 77477-3006
281-274-4133

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Ex Machina
Sent: Thursday, March 23, 2000 12:06 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: spoofing the ethernet address

How exactly does this scheme work?

Ex Machina (xm () geekmafia dynip com)    http://geekmafia.dynip.com/~xm/
phone:  1-877-LPT-WHIP         icq:  3387005           aim:  ExMachina
GnuPG Keyprint:     0627 C3A8 DE25 F7FB 46BD  4870 2006 CF7F EBDA 949D

On Tue, 21 Mar 2000, Pierre Landau wrote:

Date: Tue, 21 Mar 2000 12:55:36 -0700
From: Pierre Landau <pierre () POLYMAPSYSTEMS COM>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: spoofing the ethernet address

Another possible vulnerability with spoofing MAC addresses is the number of
software license managers that rely on this number as a unique hardware
signature.
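As an added illustration of the hostid/MAC relationship and the license-file layout described in Eric Sherrill's message above (example code written for this archive page, not FlexLM's code and not part of the original post): it parses the three-column license file, derives the six-digit tail from a MAC the way the message describes, and flags entries whose recorded hostid disagrees with the MAC observed on that host. The sample file contents, hostnames and MAC addresses are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the three-column layout quoted in the message
# (hostname, hostid, license string); the values are made up, not a real key.
SAMPLE_LICENSE_DAT = """\
# hostname      hostid  license string
#
tester13s       80b8f4e0        2D3736C1522B53E385
"""

def parse_license_dat(text: str) -> List[Tuple[str, str, str]]:
    """Return (hostname, hostid, license string) triples; skip comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        hostname, hostid, lic = fields
        if not re.fullmatch(r"[0-9a-fA-F]{8}", hostid):
            raise ValueError(f"line {lineno}: hostid {hostid!r} is not 8 hex digits")
        entries.append((hostname, hostid.lower(), lic))
    return entries

def mac_tail(mac: str) -> str:
    """Last three octets of a colon-separated MAC as six lower-case hex digits."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "".join(o.zfill(2) for o in octets[-3:])

def hostid_matches_mac(hostid: str, mac: str) -> bool:
    """Sun hostid = 2 hex digits of manufacturer code + last six hex digits of the MAC."""
    return hostid.lower()[2:] == mac_tail(mac)

def audit(text: str, observed_macs: Dict[str, str]) -> List[str]:
    """List entries whose hostid disagrees with the MAC observed (e.g. via ifconfig) on that host."""
    findings = []
    for hostname, hostid, _lic in parse_license_dat(text):
        mac = observed_macs.get(hostname)
        if mac is None:
            findings.append(f"{hostname}: no observed MAC to compare against")
        elif not hostid_matches_mac(hostid, mac):
            findings.append(f"{hostname}: hostid {hostid} disagrees with MAC {mac}")
    return findings

if __name__ == "__main__":
    # Constructed host MAC whose last three octets match the sample hostid's tail.
    print(audit(SAMPLE_LICENSE_DAT, {"tester13s": "08:00:20:b8:f4:e0"}))
```

The check only binds the last six hex digits, which is exactly what the message's point about MAC spoofing implies: an inventory mismatch is detectable, but agreement proves nothing about the hardware's origin.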