lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <OF12856F00.34F1A3EF-ON882572CF.00764ACE-882572CF.007718A5@3com.com>
Date: Wed, 2 May 2007 14:40:51 -0700
From: TSRT@...m.com
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Cc: zdi-disclosures@...m.com
Subject: TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple
 Stack Overflow Vulnerabilities

TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple
            Stack Overflow Vulnerabilities
http://dvlabs.tippingpoint.com/advisory/TPTI-07-05
May  2, 2007

-- CVE ID:
CVE-2007-1868

-- Affected Vendor:
IBM

-- Affected Products:
Tivoli Provisioning Manager for OS Deployment

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
systems with vulnerable installations of IBM Tivoli Provisioning
Manager for OS Deployment. Authentication is not required to exploit
this vulnerability.

The specific flaws exist in the handling of HTTP requests to the
rembo.exe service listening on TCP port 8080. Several components of an
HTTP request can be modified to trigger buffer overflows. For example,
by supplying an overly long filename an attacker is able to overflow a
150 byte stack buffer and subsequently execute arbitrary code. The
overflow occurs during a string copy loop, shown here:

    00431136   lea   edi, [ebp+var_3C4] ; 150 byte stack buffer
    ...
    00431148 stringcopy:
    00431148   mov   al, [edx]          ; edx -> our data
    0043114A   add   edx, 1
    0043114D   mov   [edi], al          ; edi -> stack buffer
    0043114F   add   edi, 1
    00431152   test  al, al
    00431154   jnz   short stringcopy

The Host and Authorization fields are also vulnerable to similar
exploitable overflows.

-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can
be found at:

    http://www-1.ibm.com/support/docview.wss?uid=swg24015664

-- Disclosure Timeline:
2006.12.18 - Vulnerability reported to vendor
2007.05.02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Aaron Portnoy, TippingPoint
Security Research Team.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ