SAINT Corporation
SAINT:F4AAA8C19D6BBBBA00E1C1576FD21581
Dec 27, 2012 - 12:00 a.m.

IBM Cognos TM1 and Express Admin Server Buffer Overflow

2012-12-27 00:00:00
SAINT Corporation
download.saintcorporation.com

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.97
Percentile: 99.8%

Added: 12/27/2012
CVE: CVE-2012-0202
BID: 52847
OSVDB: 80876

Background

IBM Cognos TM1 is enterprise planning software for planning, budgeting, forecasting and analysis.

IBM Cognos Express is an integrated business intelligence (BI) and planning solution which delivers the essential reporting, analysis, dashboard, scorecard, planning, budgeting and forecasting capabilities that midsize companies need.

Problem

The TM1 Admin Server (tm1admsd.exe) that ships with IBM Cognos TM1 versions 9.5.x prior to 9.5.2 FP2 and 9.4.1 and IBM Cognos Express versions 9.5 and 9.0 is vulnerable to a buffer overflow because it does not check the size of the data being sent to it. This could permit a remote malicious attacker to run arbitrary code in the context of the Admin Server process.

Resolution

Apply the relevant patches referenced in the IBM Security Bulletins: IBM Cognos TM1 Admin Server vulnerabilities and IBM Cognos Express Admin Server vulnerabilities.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-101/>

Limitations

This exploit was tested against IBM Cognos Express 9.5 on Windows XP SP3 English (DEP OptIn).

The exploit requires the IO-Socket-SSL Perl module to be installed on the scanning host. This module is available from <http://www.cpan.org/modules/by-module/IO/>.

Platforms

Windows
