IBM Tivoli Storage Manager FastBack Mount Service Code Execution

2010-10-18T00:00:00
ID SAINT:E961E59B02D92A74FA076DC7E4221155
Type saint
Reporter SAINT Corporation
Modified 2010-10-18T00:00:00

Description

Added: 10/18/2010
CVE: CVE-2010-3058
BID: 42549
OSVDB: 67292

Background

IBM Tivoli Storage Manager (TSM) provides centralized management for automated backup and restoration operations. TSM includes FastBack, which provides a client/server backup solution for the MS Windows environment. FastBack Mount can be used to mount any snapshot and use it to complete data recovery. By default, the mount service, FastBackMount.exe, listens on ports 30005/UDP and 30051/TCP.

Problem

The FastBack Mount interface allows the specification of a valid repository volume and identifiers for the snapshot to be mounted on the repository volume. A memory corruption vulnerability exists in the TSM FastBack Mount service because of an input validation error when it parses crafted mount requests sent to the service on its UDP port.

Resolution

Apply a security fix.

References

<http://secunia.com/advisories/41044>
<http://www.zerodayinitiative.com/advisories/ZDI-10-179/>

Limitations

The exploit works on Tivoli Storage Manager FastBack 6.1.0.

The exploit script connects to port 30051/TCP to perform heap spraying on the target before connecting to port 30005/UDP.

Platforms

Windows