CVE-2008-4828
Published 2009-05-05
Priority P276 · critical · CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 71.47% (99.3rd percentile)
Multiple stack-based buffer overflows in dsmagent.exe in the Remote Agent Service in the IBM Tivoli Storage Manager (TSM) client 5.1.0.0 through 5.1.8.2, 5.2.0.0 through 5.2.5.3, 5.3.0.0 through 5.3.6.4, and 5.4.0.0 through 5.4.1.96, and the TSM Express client 5.3.3.0 through 5.3.6.4, allow remote attackers to execute arbitrary code via (1) a request packet that is not properly parsed by an unspecified "generic string handling function" or (2) a crafted NodeName in a dicuGetIdentifyRequest request packet, related to the (a) Web GUI and (b) Java GUI.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | tivoli_storage_manager_client | — | — |
| ibm | tivoli_storage_manager_express | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for oversized NodeName fields in dicuGetIdentifyRequest packets sent to the RCA service on TCP port 1582.
- Monitor for connections to the CAD service followed immediately by a connection to the RCA service (port 1582); the exploit first contacts CAD to start RCA and retrieve its port.
- Alert on SEH-based shellcode execution originating from dsmagent.exe, consistent with the EXITFUNC=seh setting used by the Metasploit module.
- Flag payloads with a StackAdjustment of -3500 bytes targeting dsmagent.exe on Windows, as used by the public exploit module.
- Null bytes (0x00) are bad characters for the payload, so exploit traffic to port 1582 carrying a very large non-null NodeName field (up to ~2052 bytes) should be treated as suspicious.
- The RCA service does not restart after being exploited or crashed; a failed exploit attempt leaves the service down until it is manually restarted.
- The public Metasploit module targets only IBM Tivoli Storage Manager Express 5.3.6.2, using a hardcoded return address from dbghelp.dll v6.0.17.0 (shipped with TSM Express and not kept up to date); other versions may require different offsets.
- The vulnerability also affects the Web GUI and Java GUI, not only the RCA service, so the attack surface extends beyond port 1582.
No detection rules found.
Exploit-DB
IBM Tivoli Storage Manager Express RCA Service - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2008-4828
---
```ruby
##
# $Id: ibm_tsm_rca_dicugetidentify.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'IBM Tivoli Storage Manager Express RCA Service Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote
				Client Agent service. By sending a "dicuGetIdentify" request packet containing a long
				NodeName parameter, an attacker can execute arbitrary code.

				NOTE: t
```
Metasploit
IBM Tivoli Storage Manager Express RCA Service Buffer Overflow
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote Client Agent service. By sending a "dicuGetIdentify" request packet containing a long NodeName parameter, an attacker can execute arbitrary code. NOTE: this exploit first connects to the CAD service to start the RCA service and obtain the port number on which it runs. This service does not restart.
References
- http://osvdb.org/54231
- http://osvdb.org/54232
- http://secunia.com/advisories/32604
- http://secunia.com/secunia_research/2008-55/
- http://www-01.ibm.com/support/docview.wss?uid=swg21384389
- http://www-1.ibm.com/support/docview.wss?uid=swg1IC59513
- http://www.securityfocus.com/archive/1/503182/100/0/threaded
- http://www.vupen.com/english/advisories/2009/1235
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50327

Published 2009-05-05