IBM Cognos TM1 and Express Admin Server Buffer Overflow

2012-12-27T00:00:00
ID SAINT:2D4150F3759B64CF0C0BDC3649585830
Type saint
Reporter SAINT Corporation
Modified 2012-12-27T00:00:00

Description

Added: 12/27/2012
CVE: CVE-2012-0202
BID: 52847
OSVDB: 80876

Background

IBM Cognos TM1 is enterprise planning software for planning, budgeting, forecasting and analysis.

IBM Cognos Express is an integrated business intelligence (BI) and planning solution which delivers the essential reporting, analysis, dashboard, scorecard, planning, budgeting and forecasting capabilities that midsize companies need.

Problem

The TM1 Admin Server (tm1admsd.exe) that ships with IBM Cognos TM1 versions 9.5.x prior to 9.5.2 FP2 and 9.4.1 and IBM Cognos Express versions 9.5 and 9.0 is vulnerable to a buffer overflow because it does not check the size of the data being sent to it. This could permit a remote malicious attacker to run arbitrary code in the context of the Admin Server process.

Resolution

Apply the relevant patches referenced in the IBM Security Bulletins: IBM Cognos TM1 Admin Server vulnerabilities and IBM Cognos Express Admin Server vulnerabilities.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-101/>

Limitations

This exploit was tested against IBM Cognos Express 9.5 on Windows XP SP3 English (DEP OptIn).

Exploit requires the IO-Socket-SSL PERL module to be installed on the scanning host. This module is available from <http://www.cpan.org/modules/by-module/IO/>.

Platforms

Windows