Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=641
Vulnerable Systems:
* TIBCO SmartSockets version 6.8.0
When processing requests, SmartSockets uses values from the requests to control the number of iterations of several loops. Inside these loops, various memory operations are performed. Since attackers can control these values, potentially exploitable conditions arise.
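The loop-bound pattern described above, as an added illustration (not iDefense's or TIBCO's code, and not SmartSockets' real message format): a constructed request carries a count byte that drives a copy loop; the unchecked parser trusts it, while the hardened parser bounds it by the destination capacity and by the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed wire format for this example (hypothetical, not SmartSockets'):
 * byte 0 = entry count N, followed by N little-endian 32-bit entries. */
#define MAX_ENTRIES 8

typedef struct {
    uint32_t entries[MAX_ENTRIES];
    size_t   count;
} request_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: the loop bound is taken straight from the request, so a
 * count above MAX_ENTRIES writes past entries[] and reads past the message. */
int parse_unchecked(const uint8_t *msg, size_t len, request_t *out) {
    if (len < 1) return -1;
    size_t n = msg[0];
    for (size_t i = 0; i < n; i++)
        out->entries[i] = rd32le(msg + 1 + i * 4);
    out->count = n;
    return 0;
}

/* Hardened form: validate the count against both the destination capacity and
 * the bytes actually present before the loop runs. */
int parse_checked(const uint8_t *msg, size_t len, request_t *out) {
    if (len < 1) return -1;
    size_t n = msg[0];
    if (n > MAX_ENTRIES) return -2;      /* would overflow entries[] */
    if ((len - 1) / 4 < n) return -3;    /* would read beyond the message */
    for (size_t i = 0; i < n; i++)
        out->entries[i] = rd32le(msg + 1 + i * 4);
    out->count = n;
    return 0;
}

/* Runs the hardened parser over constructed messages: one valid, one with an
 * oversized count, one whose count exceeds the payload. Returns 1 on success. */
int self_check(void) {
    request_t r;
    const uint8_t good[]      = {2, 1,0,0,0, 2,0,0,0};
    const uint8_t oversize[]  = {200, 1,0,0,0};
    const uint8_t truncated[] = {3, 1,0,0,0};
    if (parse_checked(good, sizeof good, &r) != 0) return 0;
    if (r.count != 2 || r.entries[0] != 1 || r.entries[1] != 2) return 0;
    if (parse_checked(oversize, sizeof oversize, &r) != -2) return 0;
    if (parse_checked(truncated, sizeof truncated, &r) != -3) return 0;
    return 1;
}
```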
Analysis:
Exploitation allows an attacker to execute arbitrary code with SYSTEM privileges. Unsuccessful attempts will likely crash the RTserver. The service does not restart, which makes repeated exploitation attempts more difficult.
The RTserver is the core component of the SmartSockets framework. Without it, applications will be unable to pass messages. The severity of these issues will likely vary depending on the application using the SmartSockets framework.
Vendor response:
TIBCO has addressed these vulnerabilities by releasing new versions of their software. For more information, consult their advisory at the following URL: http://www.tibco.com/mk/advisory.jsp
CVE Information:
CVE-2007-5656
Disclosure Timeline:
10/23/2007 - Initial vendor notification
12/04/2007 - Second vendor notification
12/05/2007 - Initial vendor response
01/15/2008 - Public disclosure