A remove buffer overflow in IBM Tivoli ManagedNode v3.6.x through 3.7.1 allows attackers to crash the spider process or execute arbitrary code on TMR ManagedNotes. An overly long GET request results in a buffer overflow with registers being overwritten with user supplied data, resulting in code execution as SYSTEM on NT or root on Unix. Tested on Solaris 8 (Sparc).
8cfc7d24ca4e2b6ff9a79befe4e32557c6ab3305892f9376b8d975a511dce55c
IBM Tivoli Management Framework Buffer Overflow (ManagedNode)
Announcement date: 15th July 2002
Reference: ptl-2002-05
Advisory Details
----------------
Product: IBM Tivoli Management Framework
Vulnerable versions: 3.6.x through 3.7.1
Vulnerability Type : Buffer Overflow
Platforms: All
Vendor-URL: http://www.tivoli.com
Vendor-Status: A fix is forthcoming in Version 4.1. A workaround is
available for earlier versions.
Remote-Exploit: Yes
Overview
--------
A remote buffer overflow condition exists in the webserver (default port
94 but redirects to another port) running on TMR ManagedNodes. This
results in a denial of service and the possibility of arbitrary code
execution.
Description
-----------
An overly long GET request results in a buffer overflow, with registers
being overwritten with user supplied data.
This results in the TMR ManagedNode HTTPd daemon crashing (Spider
process) and allows arbitrary code to be executed as a privileged user
(SYSTEM on NT or root on Unix). The loss of the spider process will
prevent all http requests to that ManagedNode, but does not impact all
other Framework or application functions.
Tested on: Solaris8 (Sparc).
Fix
---
Apply workaround.
Vendor status
-------------
Tivoli were notified 12 April 2002.
Vendor has released a security alert with details of patches and
workarounds. See http://www.tivoli.com/secure/support/documents/security
/mgt-fwk-http-vul.html
Credit
------
Discovered by
Mark Rowe ( mark.rowe@pentest-limited.com)
Jeff Fay ( jeff@sdii.com )