(0Day) Borland AccuRev Reprise License Server activate_doit Command actserver Parameter Stack Buffer Overflow VulnerabilityZDI-15-414: September 2nd, 2015
TippingPoint™ IPS Customer ProtectionTippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 20294. For further product information on the TippingPoint IPS:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Borland AccuRev. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the activate_doit function of the service. The issue lies in the handling of the actserver parameter which can result in overflowing a stack-based buffer. An attacker could leverage this vulnerability to execute code under the context of SYSTEM.
Vendor ResponseBorland states:
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.
07/09/2015 - ZDI emailed vendor and requested contact
07/28/2015 - ZDI emailed vendor and requested contact
08/13/2015 - ZDI emailed vendor and requested contact
08/21/2015 - ZDI emailed vendor and requested contact
08/24/2015 - A vendor representative replied and attempted to direct ZDI to a sales rep
08/24/2015 - ZDI replied again that we needed to report a security bug
08/24/2015 - The vendor asked for a serial number or account code to open a support case
08/24/2015 - ZDI replied that we "don't have that, no. But if you have a contact (and he or she should have a PGP key for encryption), then I am very happy to provide the report."
08/24/2015 - The vendor replied that they could not find a license to open a support case
08/24/2015 - ZDI replied that "We are a software security research organization... Our concern is not for ourselves - we want to report a flaw in your software that is leaving potentially all of the customers of this product vulnerable to exploitation."
08/25/2015 - The vendor replied, "Thank you, I appreciate the clarification. I'm sorry but this is something that would be worked on internally. "
08/31/2015 - ZDI notified the vendor of intent to publish as 0-day
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
2015-05-05 - Vulnerability reported to vendor
2015-09-02 - Coordinated public release of advisory
CreditThis vulnerability was discovered by: