Advisory Details

September 2nd, 2015

(0Day) Borland AccuRev Reprise License Server service_setup_doit Command Stack Buffer Overflow Vulnerability


CVE ID CVE-2015-6946
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 20177. For further product information on the TippingPoint IPS:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Borland AccuRev. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the service_startup_doit functionality of the Reprise License Manager service. The issue lies in the handling of the licfile parameter which can result in overflowing a stack-based buffer. An attacker could leverage this vulnerability to execute code under the context of SYSTEM.

VENDOR RESPONSE Borland states:

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

07/09/2015 - ZDI emailed vendor and requested contact
07/28/2015 - ZDI emailed vendor and requested contact
08/13/2015 - ZDI emailed vendor and requested contact
08/21/2015 - ZDI emailed vendor and requested contact
08/24/2015 - A vendor representative replied and attempted to direct ZDI to a sales rep
08/24/2015 - ZDI replied again that we needed to report a security bug
08/24/2015 - The vendor asked for a serial number or account code to open a support case
08/24/2015 - ZDI replied that we "don't have that, no. But if you have a contact (and he or she should have a PGP key for encryption), then I am very happy to provide the report."
08/24/2015 - The vendor replied that they could not find a license to open a support case
08/24/2015 - ZDI replied that "We are a software security research organization... Our concern is not for ourselves - we want to report a flaw in your software that is leaving potentially all of the customers of this product vulnerable to exploitation."
08/25/2015 - The vendor replied, "Thank you, I appreciate the clarification. I'm sorry but this is something that would be worked on internally. "
08/31/2015 - ZDI notified the vendor of intent to publish as 0-day

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in and numerous other Microsoft Knowledge Base articles.

  • 2015-05-05 - Vulnerability reported to vendor
  • 2015-09-02 - Coordinated public release of advisory