Synopsis
The flaw exists in lmadmin due to improper validation of user-supplied data when processing a FLEX_MSG_QUORUM message. The message carries a signed 32-bit count that lmadmin passes straight to operator new[]; the only check performed on it is that the value is positive. An unauthenticated, remote attacker can therefore supply a large positive value (e.g., 0x7fffffff) to make the C++ new[] operator throw a std::bad_alloc that nothing catches, terminating the process:
.text:005012B3 lea eax, [ebp+int32] ; attacker-controlled; ie: 0x7fffffff
.text:005012B6 push eax
.text:005012B7 mov ecx, [ebp+pos]
.text:005012BA push ecx
.text:005012BB mov edx, [ebp+arg_sebuf]
.text:005012BE push edx
.text:005012BF mov ecx, [ebp+var_28]
.text:005012C2 call obj14_sebufGetBe32 ; return true/false
.text:005012C7 movzx eax, al
.text:005012CA test eax, eax
.text:005012CC jnz short loc_5012D5
.text:005012CE xor al, al
.text:005012D0 jmp loc_50139A
.text:005012D5 ; ---------------------------------------------------------------------------
.text:005012D5
.text:005012D5 loc_5012D5: ; CODE XREF: obj14_Parse_FLEX_MSG_QUORUM+5C↑j
.text:005012D5 mov ecx, [ebp+pos]
.text:005012D8 add ecx, 4
.text:005012DB mov [ebp+pos], ecx
.text:005012DE mov [ebp+var_18], 0
.text:005012E5 cmp [ebp+int32], 0
.text:005012E9 jle short negative_size
.text:005012EB mov edx, [ebp+int32] ; attacker-controlled
.text:005012EB ; 0x7fffffff -> unhandled exception
.text:005012EE push edx
.text:005012EF call ??_U@YAPAXI@Z ; operator new[](uint)
Unhandled exception in 32-bit lmadmin.exe (v11.16.5.1):
(1284.1488): C++ EH exception - code e06d7363 (first chance)
(1284.1488): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=09cffae0 ebx=08c70c40 ecx=00000003 edx=00000000 esi=03fecba8 edi=09cffb80
eip=7d85c5af esp=09cffae0 ebp=09cffb30 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x58:
7d85c5af c9 leave
0:008> kb
ChildEBP RetAddr Args to Child
09cffb30 03fd8a19 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
09cffb70 0401dea6 09cffb80 03fecba8 03fed3e4 MSVCR120!_CxxThrowException+0x5b [f:\dd\vctools\crt\crtw32\eh\throw.cpp @ 152]
09cffb90 005012f4 7fffffff 1e9495d9 0000000f MSVCR120!operator new+0x50 [f:\dd\vctools\crt\crtw32\heap\new.cpp @ 62]
WARNING: Stack unwind information not available. Following frames may be wrong.
09cffbd4 004f58a8 09cffdcc 09cffe48 1e9493b5 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x5adf4
09cffdb8 004f46c6 09cffdcc 09cffe48 1e94906d lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4f3a8
09cffe60 00536521 1e949081 0954fc04 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4e1c6
09cffe8c 00536de5 00000003 08c6cfe8 09cffeb0 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x90021
09cffe9c 005365fd 0954fbd4 00000003 08c6cfec lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x908e5
09cffeb0 00536dc0 00000000 08c6cfe8 09cffecf lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x900fd
09cffed0 00537395 08c6cfe8 09cfff10 0042829b lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x908c0
09cffedc 0042829b 08c6cfe8 1e94911d 09cfff68 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x90e95
09cfff10 004f28e2 08c6cfa0 09cfff44 00630cee lmadmin+0x2829b
09cfff1c 00630cee 1e949149 00000000 0b040c40 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x4c3e2
09cfff44 03fec129 08c6cfa0 2e566c36 00000000 lmadmin!xalanc_1_11::XalanMemoryManager::operator=+0x18a7ee
09cfff7c 03fec10d 00000000 09cfff94 7dd7343d MSVCR120!_callthreadstartex+0x1b [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 381]
09cfff88 7dd7343d 08c70c40 09cfffd4 7dea9812 MSVCR120!_threadstartex+0x69 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 359]
09cfff94 7dea9812 08c70c40 44e2d13e 00000000 kernel32!BaseThreadInitThunk+0xe
09cfffd4 7dea97e5 03fec0cc 08c70c40 ffffffff ntdll!__RtlUserThreadStart+0x70
09cfffec 00000000 03fec0cc 08c70c40 00000000 ntdll!_RtlUserThreadStart+0x1b
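The count handling shown in the listing above, next to a hardened form of the same parser, as an added C++ example. This is not lmadmin's code and is not part of the advisory: the Sebuf type, the 4-byte quorum entry size and the 64-member cap are assumptions, since the real FLEX_MSG_QUORUM record layout is not public. The sample messages are constructed, not captured traffic.

```cpp
// Added example (not lmadmin's code). Models the count check visible in the
// disassembly and a hardened variant. Sebuf, the 4-byte entry size and the
// 64-member cap are assumptions; the real record layout is not public.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>
#include <vector>

// Stand-in for lmadmin's sebuf: a byte view that parsers walk with a cursor.
struct Sebuf {
    const uint8_t* data;
    size_t len;
};

// Mirrors obj14_sebufGetBe32: read a big-endian 32-bit value at pos, advance
// pos, and return false if fewer than 4 bytes remain.
static bool getBe32(const Sebuf& buf, size_t& pos, int32_t& out) {
    if (pos > buf.len || buf.len - pos < 4) return false;
    uint32_t v = ((uint32_t)buf.data[pos] << 24) | ((uint32_t)buf.data[pos + 1] << 16)
               | ((uint32_t)buf.data[pos + 2] << 8) | (uint32_t)buf.data[pos + 3];
    out = (int32_t)v;   // signed reinterpretation, as the binary does
    pos += 4;
    return true;
}

enum class Verdict { Truncated, BadCount, Ok };

static const size_t  kEntryBytes = 4;   // assumed size of one quorum record
static const int32_t kMaxEntries = 64;  // assumed sanity cap on quorum members

// Vulnerable shape: the only check is `count <= 0` (the jle negative_size in
// the listing), so 0x7fffffff reaches new[] and std::bad_alloc escapes the
// caller. Shown for contrast; main() does not feed it a hostile count, and on
// a 64-bit host a 2 GiB request may even be granted lazily.
static Verdict parseQuorumVulnerable(const Sebuf& buf, size_t pos) {
    int32_t count;
    if (!getBe32(buf, pos, count)) return Verdict::Truncated;
    if (count <= 0) return Verdict::BadCount;
    uint32_t* entries = new uint32_t[(size_t)count];   // may throw std::bad_alloc
    for (int32_t i = 0; i < count; ++i) {
        int32_t v;
        if (!getBe32(buf, pos, v)) break;   // never verified that the entries exist
        entries[i] = (uint32_t)v;
    }
    delete[] entries;
    return Verdict::Ok;
}

// Hardened: reject counts outside [1, kMaxEntries] and require the message to
// actually carry count * kEntryBytes more bytes before allocating anything.
static Verdict parseQuorumHardened(const Sebuf& buf, size_t pos,
                                   std::vector<uint32_t>& out) {
    int32_t count;
    if (!getBe32(buf, pos, count)) return Verdict::Truncated;
    if (count <= 0 || count > kMaxEntries) return Verdict::BadCount;
    if (buf.len - pos < (size_t)count * kEntryBytes) return Verdict::Truncated;
    out.clear();
    out.reserve((size_t)count);   // bounded by kMaxEntries
    for (int32_t i = 0; i < count; ++i) {
        int32_t v;
        getBe32(buf, pos, v);     // cannot fail: length checked above
        out.push_back((uint32_t)v);
    }
    return Verdict::Ok;
}

// Dispatch boundary: an allocation failure should cost the connection, not
// the daemon, so bad_alloc is caught here instead of unwinding the thread.
static bool handleQuorum(const uint8_t* msg, size_t len, std::vector<uint32_t>& out) {
    try {
        return parseQuorumHardened(Sebuf{msg, len}, 0, out) == Verdict::Ok;
    } catch (const std::bad_alloc&) {
        return false;
    }
}

// Constructed sample messages (not captured lmadmin traffic).
static const uint8_t kHostileMsg[]  = {0x7f, 0xff, 0xff, 0xff};     // count = 0x7fffffff
static const uint8_t kNegativeMsg[] = {0xff, 0xff, 0xff, 0xff};     // count = -1
static const uint8_t kLyingMsg[]    = {0, 0, 0, 3, 0, 0, 0, 0x0a};  // claims 3, carries 1
static const uint8_t kGoodMsg[]     = {0, 0, 0, 2, 0, 0, 0, 0x0a, 0, 0, 0, 0x0b};

static Verdict hardenedVerdict(const uint8_t* msg, size_t len) {
    std::vector<uint32_t> out;
    return parseQuorumHardened(Sebuf{msg, len}, 0, out);
}

static Verdict vulnerableVerdict(const uint8_t* msg, size_t len) {
    return parseQuorumVulnerable(Sebuf{msg, len}, 0);
}

// Entries accepted through the guarded dispatch path, 0 when rejected.
static size_t acceptedEntries(const uint8_t* msg, size_t len) {
    std::vector<uint32_t> out;
    return handleQuorum(msg, len, out) ? out.size() : 0;
}

int main() {
    std::printf("hostile  -> %d\n", (int)hardenedVerdict(kHostileMsg, sizeof kHostileMsg));
    std::printf("negative -> %d\n", (int)hardenedVerdict(kNegativeMsg, sizeof kNegativeMsg));
    std::printf("lying    -> %d\n", (int)hardenedVerdict(kLyingMsg, sizeof kLyingMsg));
    std::printf("good     -> %zu entries\n", acceptedEntries(kGoodMsg, sizeof kGoodMsg));
    return 0;
}
```

The hardened parser turns the crash into a rejected message before any allocation happens; the try/catch in handleQuorum is a second line of defence for any other parser that still lets an attacker-sized request reach new[].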
Proof of Concept
flexera_fnp_lmadmin_msg_282_dos_cve-2020-12080.py
Attached is a PoC to terminate lmadmin.exe. The PoC can be used as follows:
python flexera_fnp_lmadmin_msg_282_dos_cve-2020-12080.py -t <target> -p 27000
Solution
Upgrade to 11.17.0
Additional References
https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2020-12080-Remediated-in-FlexNet-Publisher/ta-p/143873/jump-to/first-unread-message
https://community.flexera.com/t5/FlexNet-Publisher-News/FlexNet-Publisher-2020-R2-11-17-0-is-here/ba-p/144017/jump-to/first-unread-message
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]