Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25329
HistoryDec 15, 2010 - 12:00 a.m.

Kryptos Logic Advisory: IBM Tivoli Storage Manager (TSM) Local Root

2010-12-1500:00:00
vulners.com
18
JSON

http://www.kryptoslogic.com/advisories/2010/kryptoslogic-ibm-tivoli-dsmtca.txt
http://www.kryptoslogic.com/advisories/2010/kryptoslogic-ibm-tivoli-dsmtca-exploit.c

==-===-=====-=======-===========-=============-=================

      IBM Tivoli Storage Manager (TSM) Local Root

            Kryptos Logic, December 2010

==-===-=====-=======-===========-=============-=================

=====[ Timeline

Vendor Contacted…: 2009-12-14
Fix from Vendor…: 2010-12-14
Advisory Published…: 2010-12-15

=====[ Affected Versions

Vulnerable:
IBM TSM 6.1: 6.1.0.0 through 6.1.3.0
IBM TSM 5.5: 5.5.0.0 through 5.5.2.7
IBM TSM 5.4: 5.4.0.0 through 5.4.3.3
IBM TSM 5.3: 5.3.0.0 through 5.3.6.7

  • Potentially older versions of IBM TSM dsmtca

Not vulnerable:
IBM TSM 6.1.4
IBM TSM 5.5.3
IBM TSM 5.4.3.4
IBM TSM 5.3.6.10

See IBM advisory IC65491 for details:
http://www.ibm.com/support/docview.wss?uid=swg21454745

=====[ Vulnerability

When IBM TSM communicates with the suid root backup
client
dsmtca, it is handled through pipes. The function
GeneratePassword() does not perform boundary checking,
which can
lead to a classic stack based buffer overflow - making
local
code execution possible.

=====[ Exploitation

The LANG environment variable gets copied to a fixed
location in
memory. An attacker can achieve arbitrary code execution
by
placing his shellcode in the variable, and then
overwrite the
return address of GeneratePassword() with the known
address that
the value is copied to.

=====[ Credits

Discovered by Peter Wilhelmsen and Daniel Kalici,
Kryptos Logic.
Exploit developed by Peter Wilhelmsen and Morten Shearman
Kirkegaard, Kryptos Logic.

=====[ About Kryptos Logic

Kryptos Logic is a group of talented computer security
experts
from around the globe that has coalesced into a highly
effective
team. We provide a wide range of security products
ranging from
binary analysis, instrusion management systems,
anti-piracy, and
digital rights management software. We also perform
state-of-the-art research on emerging attack vectors and
threats
to current digital infrastructure.

http://www.kryptoslogic.com/

JSON