[NT] IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow
Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www-306.ibm.com/software/tivoli/products/prov-mgr-os-deploy/>
Tivoli Provisioning Manager for OS Deployment "provides an easy-to-use
console for remote deployment and management of operating systems. It
includes flexible alternatives for creating and managing operating system
cloned or scripted image installs. Tivoli Provisioning Manager for OS
Deployment can help significantly reduce the number of images required
across your environment and the effort required to manage those images".

A vulnerability allows remote attackers to execute arbitrary code on
systems with vulnerable installations of IBM Tivoli Provisioning Manager
for OS Deployment. Authentication is not required to exploit this
vulnerability.

DETAILS

The specific flaws exist in the handling of HTTP requests to the rembo.exe
service listening on TCP port 8080. Several components of an HTTP request
can be modified to trigger buffer overflows. For example, by supplying an
overly long filename an attacker is able to overflow a 150 byte stack
buffer and subsequently execute arbitrary code. The overflow occurs during
a string copy loop, shown here:

00431136 lea edi, [ebp+var_3C4] ; 150 byte stack buffer
...
00431148 stringcopy:
00431148 mov al, [edx] ; edx -> our data
0043114A add edx, 1
0043114D mov [edi], al ; edi -> stack buffer
0043114F add edi, 1
00431152 test al, al
00431154 jnz short stringcopy

The Host and Authorization fields are also vulnerable to similar
exploitable overflows.

Vendor Response:
IBM has issued an update to correct this vulnerability. More details can
be found at: <http://www-1.ibm.com/support/docview.wss?uid=swg24015664>
http://www-1.ibm.com/support/docview.wss?uid=swg24015664

Disclosure Timeline:
2006.12.18 - Vulnerability reported to vendor
2007.05.02 - Coordinated public release of advisory

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1868>
CVE-2007-1868


ADDITIONAL INFORMATION

The information has been provided by <mailto:TSRT@xxxxxxxx> Aaron
Portnoy, TippingPoint Security Research Team.
The original article can be found at:
<http://dvlabs.tippingpoint.com/advisory/TPTI-07-05>
http://dvlabs.tippingpoint.com/advisory/TPTI-07-05



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Winamp ID3v2 Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Winamp is vulnerable to a buffer overflow vulnerability when processing ... control the EAX register, ...
    (Securiteam)
  • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
    (Securiteam)
  • [UNIX] SCO Multiple Local Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of a buffer overflow vulnerability in the ppp binary, ... allows attackers to gain root privileges. ...
    (Securiteam)
  • [NT] Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WordPad is "a word processing application that uses the MFC rich edit ... Remote exploitation of a buffer overflow vulnerability in Microsoft ... Microsoft Word format files into the Rich Text Format natively handled by ...
    (Securiteam)
  • [NT] Citrix Program Neighborhood Name Heap Corruption
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Citrix Program Neighborhood Name Heap Corruption ... Exploitation of a heap overflow vulnerability in Citrix, ...
    (Securiteam)