Bugtraq mailing list archives

SO (ECL) 355428 flexlm


From: XX.XX () sun co uk (XX XX - Sun UK - Answer Centre)
Date: Fri, 17 Dec 93 12:47:27 GMT


Bob,
      You are right, and this is a known bug (id 1101580).
The problem is that Flexlm is not a Sun controlled product and Highland
claim it does what customers want...

In fact I have very quickly worked out that what lmdown does is check your uid
is zero in the /etc/passwd file. So if some clever person either
a) knew where to patch the binary, or
b) knew what the flex protocol was and how to spoof it,
they probably don't even need to be root.
I simply added an entry for my username in the passwd file as uid=0 but
did not su and was able to lmdown.

Not good but I'm not sure that the knowledge for either of these is publicly
available.

Anyway the sad story is that Highland seem to have said no to a fix!

I suspect that 'cos of multiple license servers that it has to be a networked
solution and they want it to work on a lot of platforms without much change.
Also although it's malicious it's probably not harmful - at least for compilers,
and anyone can restart the lmgrd if it's not running.

I would suggest using a non-standard port (not 1700) as a partial measure
so that someone would have to work that out too and they'd have to be able to
see your license file to do that.
So restrict your NFS exports to an authorised group and other such prudent
measures.



----- End of included message. -----


I would be interested in what people do to protect themselves from this
attack if it is a well-known problem.

I mailed Highland via the only e-mail address I could find for them
(flexlm () hisoft infocomm com) but haven't had a reply.

--------
Bob Dowling:                    UNIX Support,
                                University of Cambridge Computing Service,
rjd4 () ucs cam ac uk              New Museums Site, Pembroke Street,
+44 223 334728                  Cambridge, UK.  CB2 3QG.
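A small audit script, added here as an example and not part of either message, in the spirit of the prudent measures suggested above: it checks a passwd-format file for the exact condition the bypass relied on (a second account holding uid 0) and for duplicated uids generally. The function names and the sample passwd lines are constructed for the example.

```shell
#!/bin/sh
# Audit a passwd-format file for the condition the lmdown bypass relies on:
# an account other than root that carries uid 0. Also list any uid shared by
# more than one account name, since a duplicate uid is the general symptom.

# Print the names of non-root accounts whose uid field is 0, one per line.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print "uid name1,name2,..." for every uid that appears more than once.
find_duplicate_uids() {
    awk -F: '{ names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1); n[$3]++ }
             END { for (u in n) if (n[u] > 1) print u, names[u] }' "$1" | sort -n
}

# Return 0 (clean) or 1 (at least one extra uid-0 account); suitable for cron.
audit_passwd() {
    extras=$(find_extra_uid0 "$1")
    if [ -n "$extras" ]; then
        echo "WARNING: uid 0 held by non-root account(s): $extras" >&2
        return 1
    fi
    return 0
}

# Constructed sample standing in for /etc/passwd so the script runs offline;
# on a real host call "audit_passwd /etc/passwd" instead.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/:/bin/sh
daemon:x:1:1:daemon:/:/bin/sh
bob:x:0:20:Bob (uid 0 added by hand):/home/bob:/bin/sh
alice:x:1001:20:Alice:/home/alice:/bin/sh
EOF
```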


