(0Day) Wavelink Emulation License Server LicenseServer.exe HTTP Request Headers Remote Code Execution VulnerabilityZDI-15-245: May 27th, 2015
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Wavelink Emulation License Server. User interaction is not required to exploit this vulnerability.
The specific flaw exists in the parsing of HTTP requests in LicenseServer.exe listening by default on port 4420. When parsing large HTTP headers, the application will overflow a heap buffer due to an unsafe memory block copy operation. An attacker could leverage this to execute arbitrary code in the context of SYSTEM.
Vendor ResponseWavelink states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.
~2/20/2015 - ZDI called Wavelink customer service and a recorded message indicated these products are supported by another entity
02/20/2015 - ZDI reached out to multiple security contacts at that entity looking for a contact and familiarity with the product but received a negative reply
The finder reached out to ZDI to say that there was some indication another entity was supporting these products.
04/09/2015 - ZDI reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received no reply
04/15/2015 - ZDI reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received no reply
05/20/2015 - ZDI reached out to firstname.lastname@example.org, email@example.com and firstname.lastname@example.org but received only an automated reply
05/20/2015 - ZDI again reached out to security contacts at the 3rd party looking for a contact and familiarity with the product but received a no reply
The finder has also made attempts at contact with the vendor/owner regarding these vulnerability reports, but has made no meaningful contact.
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
-- Vendor Patch:
The vulnerability ZDI-15-245 has been patched and released to our web site as Emulation License Server version 4.3.006.
Here is a link: http://www.wavelink.com/Download-Emulation-License-Server-Software/
2015-02-20 - Case submitted to the ZDI
2015-05-27 - Public release of advisory
CreditThis vulnerability was discovered by:
Andrea Micalizzi (rgod)