Advisory Details

September 2nd, 2015

(0Day) Borland AccuRev Reprise License Server activate_doit Command akey Parameter Stack Buffer Overflow Vulnerability

ZDI-15-412
ZDI-CAN-3032

CVE ID CVE-2015-6946
CVSS SCORE 9.3, AV:N/AC:M/Au:N/C:C/I:C/A:C
AFFECTED VENDORS Borland
AFFECTED PRODUCTS AccuRev
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 20180. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to cause a stack buffer overflow in the Reprise License Management service on installations of Borland AccuRev. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the activate_doit function of the service. The issue lies in the handling of the akey parameter which can result in overflowing a stack-based buffer. An attacker could leverage this vulnerability to execute code under the context of SYSTEM.

ADDITIONAL DETAILS

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

07/09/2015 - ZDI emailed vendor and requested contact
07/28/2015 - ZDI emailed vendor and requested contact
08/13/2015 - ZDI emailed vendor and requested contact
08/21/2015 - ZDI emailed vendor and requested contact
08/24/2015 - A vendor representative replied and attempted to direct ZDI to a sales rep
08/24/2015 - ZDI replied again that we needed to report a security bug
08/24/2015 - The vendor asked for a serial number or account code to open a support case
08/24/2015 - ZDI replied that we "don't have that, no. But if you have a contact (and he or she should have a PGP key for encryption), then I am very happy to provide the report."
08/24/2015 - The vendor replied that they could not find a license to open a support case
08/24/2015 - ZDI replied that "We are a software security research organization... Our concern is not for ourselves - we want to report a flaw in your software that is leaving potentially all of the customers of this product vulnerable to exploitation."
08/25/2015 - The vendor replied, "Thank you, I appreciate the clarification. I'm sorry but this is something that would be worked on internally. "
08/31/2015 - ZDI notified the vendor of intent to publish as 0-day

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.
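One way to implement the firewall whitelisting described above on the AccuRev host, as an added example that is not part of the ZDI advisory: a PowerShell script (NetSecurity module, Windows 8 / Server 2012 and later) that sets the firewall profiles to deny inbound traffic by default, retires any broad rule an installer may have created for the license server binary, and then allows only the trusted client and server addresses to reach it. The listener port, executable path and addresses are placeholders, not values taken from the advisory.

```powershell
# Added example, not from the ZDI advisory. Run from an elevated PowerShell.
# PLACEHOLDERS: take the real port(s) and binary path from the installed
# Reprise License Manager configuration on the AccuRev server.
$RlmPorts     = @('5053')                          # PLACEHOLDER: RLM TCP listener port(s)
$RlmProgram   = 'C:\PLACEHOLDER\rlm.exe'           # PLACEHOLDER: RLM service executable
$TrustedHosts = @('10.0.0.0/24', '192.168.1.50')   # constructed example: AccuRev clients/servers

# 1. Inbound traffic must be denied unless a rule allows it. Windows Firewall
#    gives explicit Block rules priority over Allow rules, so the restriction
#    is expressed through the default action rather than a broad Block rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Retire any existing rule that already allows the RLM binary from
#    anywhere (installers commonly add one); otherwise it would undo step 3.
Get-NetFirewallApplicationFilter -Program $RlmProgram -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# 3. Re-create the scoped allow rule idempotently: only the listed remote
#    addresses may reach the RLM port(s) on the RLM executable.
Get-NetFirewallRule -DisplayName 'RLM allow trusted clients' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'RLM allow trusted clients' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $RlmPorts -RemoteAddress $TrustedHosts -Program $RlmProgram `
    -Profile Any -Enabled True | Out-Null

# 4. Verify: show every enabled inbound Allow rule that still applies to the
#    RLM binary together with its remote-address scope. Anything listed with
#    RemoteAddress 'Any' would leave the service exposed and needs review.
Get-NetFirewallApplicationFilter -Program $RlmProgram |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        '{0,-28} remote={1} localport={2}' -f $_.DisplayName,
            ($addr.RemoteAddress -join ','), ($port.LocalPort -join ',')
    }
```

On Windows Server 2008, which lacks the NetSecurity module, the equivalent rule is created with `netsh advfirewall firewall add rule` as covered by the TechNet article the advisory links to.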
DISCLOSURE TIMELINE
  • 2015-05-05 - Vulnerability reported to vendor
  • 2015-09-02 - Coordinated public release of advisory
CREDIT rgod