CVE-2007-1868
Published: 2007-04-04
Priority P2 (63) · Severity: critical · CVSS 2.0 score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 59.34% (99.0th percentile)
The management service in IBM Tivoli Provisioning Manager for OS Deployment before 5.1 Fix Pack 2 does not properly handle multipart/form-data in HTTP POST requests, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via crafted POST requests to port 8080/tcp or 443/tcp.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | tivoli_provisioning_manager_os_deployment | — | — |
Detection & IOCs (extracted from sources)
Byte pattern (from the exploit source):
\x64\x8b\x0d\x30\x00\x00\x00\x83\xb9\xa4\x00\x00\x00\x05\x75\x30\x83\xb9\xa8\x00\x00\x00\x02\x75\x27\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00\x76\x1b
- Detect exploit attempts by monitoring HTTP POST requests containing multipart/form-data to ports 8080/tcp and 443/tcp targeting IBM Tivoli Provisioning Manager for OS Deployment (rembo.exe process).
- Monitor for oversized or malformed Authorization: Basic headers (~2800 bytes of alphanumeric data) in HTTP requests to the management service, as the exploit places a 2800-byte payload in the Basic auth header.
- The exploit payload contains bad characters including null bytes and common URL metacharacters; look for HTTP requests with large Authorization: Basic values that avoid these characters: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c.
- The exploit targets rembo.exe (IBM TPM for OS Deployment 5.1.0.x) and uses return addresses from ATL.dll on Windows 2003 targets (image base 0x76a80000). Presence of ATL.dll loaded at that base in the rembo.exe process space may indicate a vulnerable configuration.
- The exploit uses EXITFUNC=process and a stack adjustment of -3500 bytes; anomalous stack pointer manipulation in rembo.exe may indicate exploitation in progress.
- The Metasploit module defaults to SSL on port 443; defenders should ensure SSL/TLS inspection is enabled on port 443 to detect exploit traffic, not just port 8080.
- The NX-disable prepend stub only executes on Windows 2003 SP1+ (BuildVersion > 0xece); detection logic should account for platform-specific payload variants.
- The exploit payload space is limited to 0x200 (512) bytes; payloads larger than this will not fit and the exploit will fail, which may affect detection of shellcode within the Authorization header.
No detection rules found.
Exploit-DB
IBM TPM for OS Deployment 5.1.0.x - 'rembo.exe' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2007-1868
---
```ruby
##
# $Id: ibm_tpmfosd_overflow.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
      'Name'        => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow',
      'Description' => %q{
          This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager
          for OS Deployment version 5.1.0.X.
      },
      'Author'      => 'toto',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 10394 $',
      'References'  =>
        [
          [ 'CVE', '2007-1868'],
          [ 'OSVDB', '34678'],
          [
```
Exploit-DB
CJG EXPLORER PRO 3.2 - 'g_pcltar_lib_dir' Remote File Inclusion
exploitdb · 2007-05-13 · CVE-2007-2660
---
```text
#######################S==A==U==D==I#########################
CJG EXPLORER PRO v3.2 (pcltar.lib.php)(pcltrace.lib.php) Remote File
Include Vulnerabilities
##############################################################
Found By : Mogatil , [email protected]
##############################################################
Script Site :
http://www.zascom.com/download/PHP/1868-CEP-PHP.ZIP
##############################################################
File : /pcltar.lib.php
include($g_pcltar_lib_dir."/pclerror.lib.php");
File : /pcltrace.lib.php
include($g_pcltar_lib_dir."/pclerror.lib.php");
##############################################################
Thanx: [cold zero] [gawey Al Azary] [crazy man] [scorbion_22]
[the_
```
Metasploit
IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow
This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager for OS Deployment version 5.1.0.X.
No writeups or analysis indexed.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=498
- http://secunia.com/advisories/24717
- http://www-1.ibm.com/support/docview.wss?uid=swg24015347
- http://www.securityfocus.com/bid/23264
- http://www.securitytracker.com/id?1017840
- http://www.vupen.com/english/advisories/2007/1199
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33384