CVE-2007-4880
published 2007-09-28

Priority: P270 · CVSS 2.0 score: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 75.94% (99.5th percentile)
Buffer overflow in the Client Acceptor Daemon (CAD), dsmcad.exe, in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via crafted HTTP headers, aka IC52905.

Affected

8 ranges · Vendor: ibm · Product: tivoli_storage_manager_client · Version ranges and fixed-in versions as given in the description above (5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2).

Detection & IOCs (extracted from sources)

  • process: dsmcad.exe
  • port: 1581
  • port: 4444
  • command: GET /BACLIENT HTTP/1.0 Host: 192.168.1.1 <overflow buffer>
  • command: GET /BACLIENT HTTP/1.1 Host: 127.0.0.1 <overflow buffer>
  • url: /BACLIENT
  • other: 0x0289fbe3
  • bytes: \x38\x07\xD2\x77
  • Detect exploit attempts by monitoring for oversized HTTP Host headers in requests to TCP port 1581 targeting the /BACLIENT URI path, which is the attack vector for this CAD service buffer overflow.
  • Alert on GET requests to /BACLIENT on port 1581 where the Host header value exceeds ~190 bytes, consistent with the overflow trigger.
  • Monitor for unexpected outbound bind-shell connections on port 4444 from the dsmcad.exe process following inbound connections on port 1581.
  • The payload uses bad characters \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; network signatures should look for long alpha-encoded shellcode blobs in the Host header of HTTP requests to port 1581.
  • The exploit uses EXITFUNC=seh, so look for SEH-chain overwrites in crash dumps or exception handler telemetry from dsmcad.exe.
  • The JMP ESP ROP gadget address (0x77D20738 in User32.dll) is specific to Windows 2000 SP0 EN; the Metasploit module uses a different return address (0x0289fbe3 in dbghelp.dll) targeting TSM Express 5.3.3 on Windows 2003 Server SP0. Signatures relying on these hardcoded addresses will not generalise across OS/patch levels.
  • Vulnerable versions are TSM clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2; detection rules should be scoped to hosts running these specific version ranges.