CVE-2008-4828
published 2009-05-05


Priority: P2 (76) · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public
EPSS: 71.47% (99.3rd percentile)
Multiple stack-based buffer overflows in dsmagent.exe in the Remote Agent Service in the IBM Tivoli Storage Manager (TSM) client 5.1.0.0 through 5.1.8.2, 5.2.0.0 through 5.2.5.3, 5.3.0.0 through 5.3.6.4, and 5.4.0.0 through 5.4.1.96, and the TSM Express client 5.3.3.0 through 5.3.6.4, allow remote attackers to execute arbitrary code via (1) a request packet that is not properly parsed by an unspecified "generic string handling function" or (2) a crafted NodeName in a dicuGetIdentifyRequest request packet, related to the (a) Web GUI and (b) Java GUI.

Affected (19 ranges)

Vendor   Product                          Version range                                     Fixed in
ibm      tivoli_storage_manager_client    16 ranges; per the description: 5.1.0.0 through   not listed
                                          5.1.8.2, 5.2.0.0 through 5.2.5.3, 5.3.0.0 through
                                          5.3.6.4, 5.4.0.0 through 5.4.1.96
ibm      tivoli_storage_manager_express   3 ranges; per the description: 5.3.3.0 through    not listed
                                          5.3.6.4

Detection & IOCs (extracted from sources)

Process: dsmagent.exe
Ports: TCP 1581 (CAD), TCP 1582 (RCA)
Command: dicuGetIdentifyRequest with a long NodeName parameter
  • Monitor traffic to the RCA service (TCP 1582) for dicuGetIdentifyRequest packets whose NodeName field is oversized: a legitimate node name is a short identifier, while the exploit fills the field with roughly 2 KB.
  • Correlate a connection to the CAD service followed shortly by a connection to the RCA service (port 1582) from the same source; the exploit first contacts CAD to start RCA and learn its port. The sequence alone is weak evidence, since the web client normally reaches RCA the same way, so combine it with the NodeName check.
  • The Metasploit module uses EXITFUNC=seh, so the payload leaves through the exception-handling path rather than a clean return; an exception-driven thread exit or a crash of dsmagent.exe on a Windows host is a host-side indicator.
  • The module builds its payload with StackAdjustment => -3500, so the shellcode starts with a prologue that moves ESP 3500 bytes down before the stage runs; a stack-adjust prologue at the start of the NodeName buffer matches that module's payloads.
  • Null bytes (0x00) are bad characters for the payload, so the overflowing NodeName is one long run (up to ~2052 bytes) of non-null bytes; treat any request to port 1582 carrying such a field as suspicious.
  • The RCA service does not restart after being exploited or crashed; a failed attempt leaves it down until it is restarted manually, so an unexplained RCA outage may be the only trace of an unsuccessful attack.
  • The public Metasploit module targets only IBM Tivoli Storage Manager Express 5.3.6.2 and relies on a hardcoded return address in dbghelp.dll v6.0.17.0 (shipped with TSM Express and not kept up to date); other versions would need different offsets, so the absence of that exact build does not make the flaw unexploitable.
  • The vulnerability is also reachable through the Web GUI and Java GUI paths, not only the RCA service, so detection limited to port 1582 does not cover the whole attack surface.
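The two network-side checks above (an oversized NodeName in a dicuGetIdentifyRequest to port 1582, and a CAD contact followed by an RCA connection from the same source) combined into one detector, as an added example that is not code from the page, from IBM or from the Metasploit module. The wire format is an assumption: the page does not document the dicuGetIdentifyRequest encoding, so the parser treats the request as raw bytes containing the literal token dicuGetIdentifyRequest and a NodeName= parameter terminated by 0x00 or a line break. The thresholds NODENAME_MAX, EXPLOIT_MIN and CAD_TO_RCA_WINDOW are assumed tuning values, and the sample connections are constructed, not captured traffic.

```python
"""Detector for CVE-2008-4828 exploitation attempts against the TSM RCA service.

Added example, not code from the page, IBM or Metasploit. ASSUMPTION: the real
dicuGetIdentifyRequest encoding is not given on the page, so a request is modelled
as bytes containing b"dicuGetIdentifyRequest" and a b"NodeName=" value terminated
by 0x00 or a line break. Thresholds are assumed tuning values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

CAD_PORT = 1581            # Client Acceptor Daemon: the exploit contacts it first to start RCA
RCA_PORT = 1582            # Remote Client Agent (dsmagent.exe): the overflow lives here
NODENAME_MAX = 64          # ASSUMED: a legitimate TSM node name is a short identifier
EXPLOIT_MIN = 1024         # ASSUMED: this long is exploit-sized (the module sends ~2052 bytes)
CAD_TO_RCA_WINDOW = 10.0   # seconds: CAD contact then RCA connection inside this window

# Stops at the first null: 0x00 is a bad character for the exploit, so its NodeName
# is a single long run of non-null bytes.
_NODENAME_RE = re.compile(rb"NodeName=([^\x00\r\n]*)")


@dataclass
class Conn:
    """One TCP connection as a sensor would record it."""
    ts: float
    src: str
    dport: int
    payload: bytes = b""


def inspect_rca_request(payload: bytes) -> Dict[str, object]:
    """Classify one request sent to the RCA port by the length of its NodeName field."""
    result: Dict[str, object] = {"is_dicu": False, "nodename_len": 0}
    if b"dicuGetIdentifyRequest" not in payload:
        return result
    result["is_dicu"] = True
    m = _NODENAME_RE.search(payload)
    if m:
        result["nodename_len"] = len(m.group(1))
    return result


def severity(nodename_len: int, cad_then_rca: bool) -> str:
    """Combine the NodeName size and the CAD->RCA sequence into one severity."""
    if nodename_len >= EXPLOIT_MIN:
        return "critical" if cad_then_rca else "high"
    if nodename_len > NODENAME_MAX:
        return "medium"
    # CAD -> RCA on its own is how the web client normally starts RCA: informational only
    return "info" if cad_then_rca else "none"


def correlate(conns: List[Conn], window: float = CAD_TO_RCA_WINDOW) -> List[Dict[str, object]]:
    """Walk connections in time order and emit one alert per suspicious RCA request."""
    alerts: List[Dict[str, object]] = []
    last_cad: Dict[str, float] = {}   # src -> timestamp of its most recent CAD contact
    for c in sorted(conns, key=lambda x: x.ts):
        if c.dport == CAD_PORT:
            last_cad[c.src] = c.ts
            continue
        if c.dport != RCA_PORT:
            continue
        seq = c.src in last_cad and 0.0 <= c.ts - last_cad[c.src] <= window
        info = inspect_rca_request(c.payload)
        length = int(info["nodename_len"])
        sev = severity(length, seq)
        if sev != "none":
            alerts.append({"ts": c.ts, "src": c.src, "severity": sev,
                           "nodename_len": length, "cad_then_rca": seq})
    return alerts


# Constructed sample traffic (not captured data): a normal GUI session, an exploit-sized
# request preceded by CAD contact, and an oversized but not exploit-sized name on its own.
SAMPLE = [
    Conn(100.0, "10.0.0.5", CAD_PORT),
    Conn(101.0, "10.0.0.5", RCA_PORT, b"dicuGetIdentifyRequest NodeName=BACKUP01\x00"),
    Conn(200.0, "10.0.0.9", CAD_PORT),
    Conn(201.5, "10.0.0.9", RCA_PORT,
         b"dicuGetIdentifyRequest NodeName=" + b"\x90" * 2052 + b"\x00"),
    Conn(300.0, "10.0.0.7", RCA_PORT,
         b"dicuGetIdentifyRequest NodeName=" + b"A" * 300 + b"\x00"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Run as a script it prints three alerts: an informational one for the normal session (CAD then RCA with a short name), a critical one for the 2052-byte NodeName that followed a CAD contact, and a medium one for the 300-byte name with no CAD contact. Feeding it real data means replacing SAMPLE with connection records from your sensor and adjusting the NodeName extraction to the actual encoding once you have a capture.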