TippingPoint Zero Day Initiative

IBM Tivoli Storage Manager Express Backup Server Heap Overflow Vulnerability

ZDI-08-001: January 14th, 2008

CVE ID

CVE-2008-0247

Affected Vendors

IBM

Affected Products

Tivoli Storage Manager Express

Vulnerability Details

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager Express. Authentication is not required to exploit this vulnerability.

The specific flaw resides in the TSM Express Backup Server service, dsmsvc.exe, which listens by default on TCP port 1500. The process trusts a user-supplied length value. By supplying a large number, an attacker can overflow a static heap buffer leading to arbitrary code execution in the context of the SYSTEM user.

Vendor Response

IBM has issued an update to correct this vulnerability. More details can be found at:

http://www-1.ibm.com/support/docview.wss?uid=swg21291536

Disclosure Timeline

2007-12-05 - Vulnerability reported to vendor
2008-01-14 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

Sebastian Apelt

Published Advisories

ZDI-08-025: Symantec

• published 2008-05-15

ZDI-08-024: Symantec

• published 2008-05-15

ZDI-08-023: Microsoft

• published 2008-05-13

ZDI-08-022: Apple

• published 2008-04-16

ZDI-08-021: Adobe

• published 2008-04-08

Upcoming Advisories

BMC Software

• reported 2008-05-08, 8 days ago

Microsoft

• reported 2008-04-16, 30 days ago

Microsoft

• reported 2008-04-16, 30 days ago

Novell

• reported 2008-04-08, 38 days ago

Novell

• reported 2008-04-08, 38 days ago

Recent Press

Apple Patches MacBook Air Hijack Flaw

• published 2008-04-16, eWeek

Three different hackers found 'Pwn To Own' bug

• published 2008-04-10, Computerworld

Are Security Researchers Targeting QuickTime?

• published 2008-04-04, InternetNews

Vista notebook falls in hacker challenge

• published 2008-03-30, ComputerWorld

Flash flaw leads to Vista laptop's fall

• published 2008-03-29, CNet