
UNIRAS Brief - 804/06 - TSRT-06-14: IBM Tivoli Storage Manager Multiple Buffer Overflow Vulnerabilities



 UNIRAS (UK Government CERT) Briefing - 804/06 dated 06.12.06 time 13:45
 UNIRAS is part of NISCC (the UK National Infrastructure Security
 Co-ordination Centre)

 UNIRAS material is available from the NISCC website at www.niscc.gov.uk


TSRT-06-14: IBM Tivoli Storage Manager Multiple Buffer Overflow Vulnerabilities
December 4, 2006


- --- CVE ID:

- --- Affected Vendor:

- --- Affected Products:
Tivoli Storage Manager <5.2.9
Tivoli Storage Manager <5.3.4

- --- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since 
April 3, 2006 by Digital Vaccine protection filter ID 4248. For further product 
information on the TippingPoint IPS:


- --- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on vulnerable 
installations of IBM Tivoli Storage Manager. Authentication is not required to 
exploit these vulnerabilities.

The specific flaws are similar and exist in the processing of messages by the 
Tivoli Storage Manager service, bound on TCP port 1500. The messages are 
structured in the form [index][size]. The 'index' field specifies an integer 
offset into the body of the message for a specific field, and the 'size' field 
specifies the size of the indexed field.

As no validation is done on the index fields, an attacker can force the service 
to look beyond the end of the packet, often landing in unallocated memory and 
resulting in a denial of service.

The size fields are often checked to ensure they do not exceed the bounds of 
the destination buffers that data is being copied to. However, we have found 
the following four instances where the size fields are left unchecked:

Overflow 1
The initial sign-on request contains a field to specify the language.
In normal cases we've seen, this string is dscenu.txt. Typically the server 
will validate that the language string is no longer than 0x100 bytes. However, 
if the first byte of the language string is 0x18, this check will not occur, 
and a fixed sized buffer will be overrun.

Overflows 2 and 3
There is an overflow vulnerability in messages processed by the SmExecuteWdsfSession 
function. There are two fields in this request, both of which are copied into 
fixed-size buffers without any validation of their lengths.

Overflow 4
There is an overflow in the open registration message due to an unchecked copy 
into a fixed size buffer for the contact field of the registration.

All four of the above detailed overflows can lead to arbitrary code execution 
under the context of the Tivoli service.
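The [index][size] message handling described above, as an added example that is not part of the advisory or of IBM's or TippingPoint's code: a small C parser that performs the two checks the advisory says are missing (the index must land inside the packet, and the size must fit both the remaining packet and the fixed-size destination buffer). The wire layout (32-bit little-endian index and size, a descriptor table followed by the message body), the 16-byte destination buffer, the function names and the sample packet are all assumptions constructed for illustration; the real TSM protocol is not documented on this page.

```c
/* Added example: defensive parsing of [index][size] field descriptors.
 * Layout assumed for illustration: N descriptors of (uint32 index, uint32 size),
 * little-endian, followed by the message body. Index is an offset from the
 * start of the packet. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DESC_LEN 8    /* one descriptor: uint32 index + uint32 size */
#define DEST_MAX 16   /* fixed-size destination buffer used by the handler (assumed) */

enum field_status {
    FIELD_OK = 0,
    FIELD_ERR_TRUNCATED,  /* descriptor itself is not fully inside the packet */
    FIELD_ERR_INDEX,      /* index points past the end of the packet (the unchecked index case) */
    FIELD_ERR_SIZE,       /* index + size runs past the end of the packet */
    FIELD_ERR_DEST        /* size exceeds the fixed destination buffer (the overflow 1-4 case) */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Unchecked handler mirroring the flaw the advisory describes: index and size
 * are trusted and the copy is unbounded. Shown for contrast only; never run
 * this on untrusted input. */
void extract_field_unchecked(const uint8_t *pkt, size_t desc_off, uint8_t dest[DEST_MAX]) {
    uint32_t index = rd32(pkt + desc_off);
    uint32_t size  = rd32(pkt + desc_off + 4);
    memcpy(dest, pkt + index, size);  /* out-of-bounds read, then stack/heap overwrite */
}

/* Hardened handler: every offset is validated against the packet and the
 * destination before a single byte is copied. */
enum field_status extract_field_checked(const uint8_t *pkt, size_t pkt_len, size_t desc_off,
                                        uint8_t dest[DEST_MAX], size_t *out_len) {
    if (desc_off > pkt_len || pkt_len - desc_off < DESC_LEN)
        return FIELD_ERR_TRUNCATED;
    uint32_t index = rd32(pkt + desc_off);
    uint32_t size  = rd32(pkt + desc_off + 4);
    if (index >= pkt_len)              /* an index at or past the end addresses nothing */
        return FIELD_ERR_INDEX;
    if (size > pkt_len - index)        /* subtract rather than add: index + size cannot wrap */
        return FIELD_ERR_SIZE;
    if (size > DEST_MAX)               /* the check the four overflows lack */
        return FIELD_ERR_DEST;
    memcpy(dest, pkt + index, size);
    *out_len = size;
    return FIELD_OK;
}

/* Constructed sample packet (not captured traffic): four descriptors, then a
 * 32-byte body holding the language string "dscenu.txt" padded with 'A'. */
size_t build_sample_packet(uint8_t *buf, size_t cap) {
    const uint32_t body_off = 4 * DESC_LEN;
    if (cap < body_off + 32) return 0;
    wr32(buf + 0,  body_off); wr32(buf + 4,  10);           /* 0: valid language field */
    wr32(buf + 8,  4096);     wr32(buf + 12, 4);            /* 1: index beyond the packet */
    wr32(buf + 16, body_off); wr32(buf + 20, 0xFFFFFFFFu);  /* 2: size beyond the packet */
    wr32(buf + 24, body_off); wr32(buf + 28, 32);           /* 3: size larger than dest */
    memset(buf + body_off, 'A', 32);
    memcpy(buf + body_off, "dscenu.txt", 10);
    return body_off + 32;
}

/* Parse descriptor n of the sample packet and return its status. */
enum field_status status_of(unsigned n) {
    uint8_t pkt[128], dest[DEST_MAX] = {0};
    size_t len = build_sample_packet(pkt, sizeof pkt), got = 0;
    return extract_field_checked(pkt, len, (size_t)n * DESC_LEN, dest, &got);
}

/* 1 if descriptor 0 yields exactly the 10-byte language string, else 0. */
int field_zero_is_language(void) {
    uint8_t pkt[128], dest[DEST_MAX] = {0};
    size_t len = build_sample_packet(pkt, sizeof pkt), got = 0;
    if (extract_field_checked(pkt, len, 0, dest, &got) != FIELD_OK) return 0;
    return got == 10 && memcmp(dest, "dscenu.txt", 10) == 0;
}

int main(void) {
    static const char *names[] = {"OK", "TRUNCATED", "INDEX", "SIZE", "DEST"};
    const unsigned cases[] = {0, 1, 2, 3, 8};   /* 8 lies at the packet's end: truncated */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("descriptor %u: %s\n", cases[i], names[status_of(cases[i])]);
    return 0;
}
```

Only descriptor 0 is accepted; the other three are rejected by the index, size and destination checks respectively, and descriptor 8 is rejected because the descriptor itself would be read from beyond the packet. Rejecting before copying turns each of the advisory's crash or code-execution cases into a logged protocol error.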

- --- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can be 
found at:


- --- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.05.09 - Vulnerability reported to vendor
2006.12.04 - Coordinated public release of advisory

- --- Credit:
This vulnerability was discovered by the TippingPoint Security Research Team.

- --- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, the Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security researchers for 
responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the 
ZDI can find more information and sign-up at:


The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its customers 
with zero day protection through its intrusion prevention technology. Explicit 
details regarding the specifics of the vulnerability are not exposed to any parties 
until an official vendor patch is publicly available. Furthermore, with the altruistic 
aim of helping to secure a broader user base, 3Com provides this vulnerability 
information confidentially to security vendors (including competitors) who have 
a vulnerability protection or mitigation product.


NISCC values your feedback.

1. Which of the following most reflects the value of the briefing to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__ 

2. If you did not find it useful, why not?

3. Any other comments? How could we improve our briefings?

Thank you for your contribution.

For additional information or assistance, please contact our help desk
by telephone. You may send Not Protectively Marked information via
e-mail to uniras@xxxxxxxxxxxxx

Office hours:

Mon - Fri: 08:30 - 17:00 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts


UNIRAS wishes to acknowledge the contributions of IBM for the
information contained in this briefing.

This notice contains information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory
from the site of the original source to ensure that you receive the most
current information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by UNIRAS or NISCC.
The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or
in connection with the usage of information contained within this

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response
Teams (IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.

<End of UNIRAS Briefing>



This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
