ZDI-15-412

(0Day) Borland AccuRev Reprise License Server activate_doit Command akey Parameter Stack Buffer Overflow Vulnerability

ZDI-15-412
ZDI-CAN-3032

CVE ID

CVE-2015-6946

CVSS SCORE

9.3, AV:N/AC:M/Au:N/C:C/I:C/A:C

AFFECTED VENDORS

Borland

AFFECTED PRODUCTS

AccuRev

TREND MICRO CUSTOMER PROTECTION

Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['20180']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com

VULNERABILITY DETAILS

This vulnerability allows remote attackers to cause a stack buffer overflow in the Reprise License Management service on installations of Borland AccuRev. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the activate_doit function of the service. The issue lies in the handling of the akey parameter which can result in overflowing a stack-based buffer. An attacker could leverage this vulnerability to execute code under the context of SYSTEM.

ADDITIONAL DETAILS

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

07/09/2015 - ZDI emailed vendor and requested contact
07/28/2015 - ZDI emailed vendor and requested contact
08/13/2015 - ZDI emailed vendor and requested contact
08/21/2015 - ZDI emailed vendor and requested contact
08/24/2015 - A vendor representative replied and attempted to direct ZDI to a sales rep
08/24/2015 - ZDI replied again that we needed to report a security bug
08/24/2015 - The vendor asked for a serial number or account code to open a support case
08/24/2015 - ZDI replied that we "don't have that, no. But if you have a contact (and he or she should have a PGP key for encryption), then I am very happy to provide the report."
08/24/2015 - The vendor replied that they could not find a license to open a support case
08/24/2015 - ZDI replied that "We are a software security research organization... Our concern is not for ourselves - we want to report a flaw in your software that is leaving potentially all of the customers of this product vulnerable to exploitation."
08/25/2015 - The vendor replied, "Thank you, I appreciate the clarification. I'm sorry but this is something that would be worked on internally. "
08/31/2015 - ZDI notified the vendor of intent to publish as 0-day

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

DISCLOSURE TIMELINE

2015-05-05 - Vulnerability reported to vendor
2015-09-02 - Coordinated public release of advisory

CREDIT

rgod

BACK TO ADVISORIES

General Inquiries

zdi@trendmicro.com

Find us on X

@thezdi

Find us on Mastodon

Mastodon

Media Inquiries

media_relations@trendmicro.com

Sensitive Email Communications

PGP Key

Advisory Details