IBM Tivoli Storage Manager (TSM) provides centralized management for automated backup and restoration operations. TSM includes FastBack, which provides a client/server backup solution for the MS Windows environment. FastBack Mount can be used to mount any snapshot and use it to complete data recovery. The mount service, FastBackMount.exe, listens on ports 30005/UDP and 30051/TCP by default.
The FastBack Mount interface allows the specification of a valid repository volume and identifiers for the snapshot to be mounted on the repository volume. A memory corruption vulnerability exists in the TSM FastBack Mount service due to an input validation error while parsing crafted mount requests sent to the service on its UDP port.
Apply a security fix.
The exploit works on Tivoli Storage Manager FastBack 6.1.0.
The exploit script connects to port 30051/TCP to perform heap spraying on the target before connecting to port 30005/UDP.
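The TCP-then-UDP sequence described above can be used as a network detection. The following is an added example, not part of the original advisory: it correlates flow records and flags sources outside an allowlist that contact 30051/TCP and then 30005/UDP on the same server. The CSV flow format, the 60-second window and the allowlist are assumptions to adapt to the local environment.

```python
import csv
import io
from datetime import datetime, timedelta

TCP_PORT, UDP_PORT = 30051, 30005   # FastBack Mount default ports from the text
WINDOW = timedelta(seconds=60)       # assumed correlation window, tune locally
KNOWN_CLIENTS = {"10.0.0.5"}         # assumed allowlist of legitimate FastBack hosts

# Constructed flow records (not real traffic): time,src,dst,proto,dport,bytes_to_server
SAMPLE_FLOWS = """\
2024-01-10T09:00:00,10.0.0.5,10.0.0.20,tcp,30051,1200
2024-01-10T09:00:02,10.0.0.5,10.0.0.20,udp,30005,300
2024-01-10T10:15:00,192.0.2.77,10.0.0.20,tcp,30051,4800000
2024-01-10T10:15:09,192.0.2.77,10.0.0.20,udp,30005,900
2024-01-10T11:00:00,10.0.0.9,10.0.0.20,udp,30005,280
2024-01-10T12:00:00,192.0.2.80,10.0.0.20,tcp,30051,5200000
2024-01-10T13:30:00,192.0.2.80,10.0.0.20,udp,30005,700
"""

def parse_flows(text):
    """Yield (time, src, dst, proto, dport, bytes) tuples from CSV flow text."""
    for row in csv.reader(io.StringIO(text)):
        if row:
            ts, src, dst, proto, dport, nbytes = row
            yield datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport), int(nbytes)

def find_tcp_then_udp(flows, allow=KNOWN_CLIENTS, window=WINDOW):
    """Alert on non-allowlisted sources hitting 30051/TCP, then 30005/UDP, within window."""
    last_tcp = {}   # (src, dst) -> (time, bytes) of the most recent 30051/TCP flow
    alerts = []
    for ts, src, dst, proto, dport, nbytes in sorted(flows):
        if src in allow:
            continue
        key = (src, dst)
        if proto == "tcp" and dport == TCP_PORT:
            last_tcp[key] = (ts, nbytes)
        elif proto == "udp" and dport == UDP_PORT and key in last_tcp:
            tcp_ts, tcp_bytes = last_tcp[key]
            if ts - tcp_ts <= window:
                alerts.append({"src": src, "dst": dst, "tcp_time": tcp_ts.isoformat(),
                               "udp_time": ts.isoformat(), "tcp_bytes": tcp_bytes})
                del last_tcp[key]
    return alerts

if __name__ == "__main__":
    for alert in find_tcp_then_udp(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The `tcp_bytes` field is reported for triage only; the example does not assume a byte threshold for the heap-spraying connection.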