ZDI-12-040
Andrea Micalizzi aka rgod
Mar 01, 2012 - 12:00 a.m.

IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1 Multiple Remote Code Execution Vulnerabilities

www.zerodayinitiative.com
EPSS: 0.966 (percentile: 99.7%)

IBM Tivoli Provisioning Manager soapServlet SOAP Message Printer.getPrinterAgentKey SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability. The specific flaw exists due to improperly escaped user input for an SQL query in the SoapServlet servlet. The resulting SQL injection allows a remote attacker to read data from the database, including the SHA1 (160-bit) encrypted admin password. With the admin account it is possible to upload a file to the webserver and execute code under the SYSTEM account.

IBM Tivoli Provisioning Manager Isig.isigCtl.1 ActiveX Control Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the IBM Tivoli Provisioning Manager Express 4.1.1 Isig.isigCtl.1 ActiveX Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way the ActiveX Control parses data supplied to the RunAndUploadFile function. The ActiveX control is used to create an Asset Information file for the local system to be uploaded to the IBM Tivoli Provisioning Manager Express Server. Due to an unsafe call to strcat, it is possible to cause a stack buffer overflow, allowing for remote code execution under the context of the current user.

IBM Tivoli Provisioning Manager User.updateUserValue() SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability. The specific flaw exists due to improperly escaped user input for an SQL query in the register.do servlet. The resulting SQL injection allows a remote attacker to update their account rights to an admin level. With the admin account it is possible to upload a file to the webserver and execute code under the SYSTEM account.

IBM Tivoli Provisioning Manager User.isExistingUser() SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability. The specific flaw exists due to improperly escaped user input for an SQL query in the logon.do servlet. The resulting SQL injection allows a remote attacker to read data from the database, including the SHA1 (160-bit) encrypted admin password. With the admin account it is possible to upload a file to the webserver and execute code under the SYSTEM account.

IBM Tivoli Provisioning Manager Asset.getHWKey() SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability. The specific flaw exists due to improperly escaped user input for an SQL query in the CallHomeExec servlet. The resulting SQL injection allows a remote attacker to read data from the database, including the SHA1 (160-bit) encrypted admin password. With the admin account it is possible to upload a file to the webserver and execute code under the SYSTEM account.

IBM Tivoli Provisioning Manager Asset.getMimeType() SQL Injection Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Provisioning Manager Express for Software Distribution. Authentication is not required to exploit this vulnerability. The specific flaw exists due to improperly escaped user input for an SQL query in the getAttachment servlet. The resulting SQL injection allows a remote attacker to read data from the database, including the SHA1 (160-bit) encrypted admin password. With the admin account it is possible to upload a file to the webserver and execute code under the SYSTEM account.
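
The five SQL injection entries above share one root cause: request values placed into SQL text without proper escaping. The following is an added example, not code from IBM or from the advisory: a regression check in Python, with sqlite3 standing in for the product's database, that contrasts a concatenated user lookup with a bound-parameter one. The table layout, function names and sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table standing in for a user store (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO users VALUES ('admin', 'PLACEHOLDER_HASH', 1)")
    return db

def is_existing_user_concat(db, name):
    """Flawed pattern: the request value becomes part of the SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchone()[0] > 0

def is_existing_user_bound(db, name):
    """Hardened pattern: the value is bound as data and never parsed as SQL."""
    # Length limit is an assumed policy, applied before touching the database.
    if not isinstance(name, str) or not 0 < len(name) <= 64:
        return False
    row = db.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] > 0

def regression_check(name):
    """Return (concatenated result, bound result) for one input value."""
    db = make_db()
    try:
        concat = is_existing_user_concat(db, name)
    except sqlite3.OperationalError:
        # A stray quote broke the statement: the input reached the SQL parser.
        concat = "sql-error"
    return concat, is_existing_user_bound(db, name)

# Constructed inputs: two ordinary names, one legitimate name containing a
# quote, and one value whose quote changes the WHERE clause.
CASES = ["admin", "nobody", "O'Brien", "nobody' OR '1'='1"]

if __name__ == "__main__":
    for case in CASES:
        print(repr(case), regression_check(case))
```

Any input for which the two columns disagree, or for which the concatenated form raises a SQL error, shows that the value was interpreted as SQL rather than data.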