CVE-2007-1868
published 2007-04-04


Priority: P263, critical, 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 59.34% (99.0th percentile)
The management service in IBM Tivoli Provisioning Manager for OS Deployment before 5.1 Fix Pack 2 does not properly handle multipart/form-data in HTTP POST requests, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via crafted POST requests to port 8080/tcp or 443/tcp.

Affected

1 range
Vendor | Product | Version range | Fixed in
ibm | tivoli_provisioning_manager_os_deployment | |

Detection & IOCs (extracted from sources)

port: 8080/tcp
port: 443/tcp
process: rembo.exe
command: POST multipart/form-data crafted request to port 8080/tcp or 443/tcp
bytes:
\x64\x8b\x0d\x30\x00\x00\x00\x83\xb9\xa4\x00\x00\x00\x05\x75\x30\x83\xb9\xa8\x00\x00\x00\x02\x75\x27\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00\x76\x1b
  • Detect exploit attempts by monitoring HTTP POST requests containing multipart/form-data to ports 8080/tcp and 443/tcp targeting IBM Tivoli Provisioning Manager for OS Deployment (rembo.exe process).
  • Monitor for oversized or malformed Authorization: Basic headers (~2800 bytes of alphanumeric data) in HTTP requests to the management service, as the exploit places a 2800-byte payload in the Basic auth header.
  • The exploit treats null bytes and common URL metacharacters as bad characters and encodes its payload to avoid them; look for HTTP requests with large Authorization: Basic values that avoid these characters: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c.
  • The exploit targets rembo.exe (IBM TPM for OS Deployment 5.1.0.x) and uses return addresses from ATL.dll on Windows 2003 targets (image base 0x76a80000). Presence of ATL.dll loaded at that base in the rembo.exe process space may indicate a vulnerable configuration.
  • The exploit uses EXITFUNC=process and a stack adjustment of -3500 bytes; anomalous stack pointer manipulation in rembo.exe may indicate exploitation in progress.
  • The Metasploit module defaults to SSL on port 443; defenders should ensure SSL/TLS inspection is enabled on port 443 to detect exploit traffic, not just port 8080.
  • The NX-disable prepend stub only executes on Windows 2003 SP1+ (BuildVersion > 0xece); detection logic should account for platform-specific payload variants.
  • The exploit payload space is limited to 0x200 (512) bytes; payloads larger than this will not fit and the exploit will fail, which may affect detection of shellcode within the Authorization header.
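
The header checks described in the list above, sketched as an added example (not code from this page or from the Metasploit module). The 1024-byte threshold, the function names, the finding labels and the host tpm.example are assumptions; the samples are constructed filler, not captured traffic.

```python
import base64

# Assumed tuning values (not from the page): adjust to your environment.
MAX_BASIC_LEN = 1024          # the page reports ~2800 bytes in the exploit header
WATCHED_PORTS = {8080, 443}   # management service ports named in the advisory

def parse_head(raw):
    """Split a raw HTTP request head into (method, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def inspect_request(raw, dport):
    """Return a list of findings for one request; an empty list means not flagged."""
    method, headers = parse_head(raw)
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if dport not in WATCHED_PORTS or scheme.lower() != "basic":
        return []
    cred = cred.strip()
    findings = []
    if len(cred) > MAX_BASIC_LEN:
        findings.append("oversized-basic-auth:%d" % len(cred))
    try:
        # A genuine Basic credential is base64 of "user:password".
        decoded = base64.b64decode(cred, validate=True)
        if b":" not in decoded:
            findings.append("basic-auth-not-user-colon-pass")
    except ValueError:  # binascii.Error (bad alphabet/padding) or non-ASCII input
        findings.append("basic-auth-not-base64")
    multipart = headers.get("content-type", "").lower().startswith("multipart/form-data")
    if findings and method == "POST" and multipart:
        findings.append("multipart-post-to-management-service")
    return findings

def sample(cred):
    """Constructed request (not captured traffic) carrying the given Basic value."""
    return (b"POST / HTTP/1.1\r\nHost: tpm.example\r\n"
            b"Content-Type: multipart/form-data; boundary=x\r\n"
            b"Authorization: Basic " + cred + b"\r\n\r\n")

# Constructed samples: a normal credential and 2800 bytes of alphanumeric filler.
BENIGN = sample(base64.b64encode(b"admin:secret"))
SUSPECT = sample(b"A" * 2800)
```

On port 443 the request head is only visible after TLS termination, so this check belongs behind the inspecting proxy or on the decrypted stream.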