IBM Tivoli Storage Manager Express Heap Buffer Overflow Vulnerability
16 Mar. 2009
Summary
IBM Corp.'s Tivoli Storage Manager Express is "a simple backup management software targeting small business customer". Remote exploitation of a heap buffer overflow vulnerability in IBM Corp.'s Tivoli Storage Manager Express backup server could allow an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.
Vulnerable Systems:
* Tivoli Storage Manager Express version 5.3.7.3 with adsmdll.dll version 5.3.7.7296
The vulnerability exists within adsmdll.dll, which is loaded by the Tivoli Storage Manager Express daemon, dsmsvc.exe. The vulnerable function allocates a fixed-size heap buffer and uses part of this buffer to store session-related data. A user-supplied value is then used as the number of bytes to copy into this buffer. Because no bounds checking is performed, a heap buffer overflow can occur.
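The flaw class described above, shown next to a bounds-checked form. This is an added illustration, not code from adsmdll.dll or from the advisory; the function names, the 256-byte buffer and the 64-byte session area are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE     256u /* assumed size of the fixed heap allocation */
#define SESSION_AREA  64u /* assumed bytes reserved for session data */

/* Flawed pattern from the description: the peer-supplied length is used
 * for the copy without comparing it to the space left in the buffer. */
uint8_t *store_unchecked(const uint8_t *data, uint32_t claimed_len)
{
    uint8_t *buf = malloc(BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, SESSION_AREA);                  /* session data */
    memcpy(buf + SESSION_AREA, data, claimed_len); /* no bounds check */
    return buf;
}

/* Hardened form: reject the request before allocating if the claimed
 * length exceeds the remaining room or the bytes actually received. */
uint8_t *store_checked(const uint8_t *data, size_t avail, uint32_t claimed_len)
{
    const size_t room = BUF_SIZE - SESSION_AREA;
    if (data == NULL || claimed_len > room || claimed_len > avail)
        return NULL;
    uint8_t *buf = malloc(BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, SESSION_AREA);
    memcpy(buf + SESSION_AREA, data, claimed_len);
    return buf;
}

/* Returns 1 if the checked path accepts the length, 0 if it rejects it. */
int accepts(uint32_t claimed_len, size_t avail)
{
    static const uint8_t sample[512]; /* constructed input, all zeros */
    uint8_t *buf = store_checked(sample, avail, claimed_len);
    int ok = (buf != NULL);
    free(buf);
    return ok;
}

int main(void)
{
    /* 192 bytes fit exactly; 193 and a 32-bit maximum are refused. */
    return !(accepts(192, 192) && !accepts(193, 193) && !accepts(UINT32_MAX, 512));
}
```

The check runs before the allocation and compares the claimed length against both the remaining room and the number of bytes actually received, so an oversized length field is rejected without touching the heap.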
Analysis:
Exploitation allows an attacker to execute arbitrary code with SYSTEM privileges. No authentication is required to exploit this vulnerability.
Vendor response:
IBM Corp.'s Tivoli team has released patches and workarounds to address this vulnerability. For more information, consult their advisory at the following URL: http://www-01.ibm.com/support/docview.wss?uid=swg21377388
Disclosure timeline:
03/10/2008 - Coordinated public disclosure
03/10/2008 - Status update received
03/10/2008 - Status update requested
07/22/2008 - Initial Contact
07/31/2008 - Initial Response
07/31/2008 - PoC Requested
07/31/2008 - PoC Sent
09/02/2008 - Status update received - no estimated release date
09/12/2008 - Status update received - no estimated release date
09/23/2008 - Status update received - estimated release date February 2009