CVE-2009-3853
Published 2009-11-04
Priority: P2 (69) · Critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit indexed (see the Exploit-DB and Metasploit entries below)
EPSS: 36.72% (98.3rd percentile)
Stack-based buffer overflow in the client acceptor daemon (CAD) scheduler in the client in IBM Tivoli Storage Manager (TSM) 5.3 before 5.3.6.7, 5.4 before 5.4.3, 5.5 before 5.5.2.2, and 6.1 before 6.1.0.2, and TSM Express 5.3.3.0 through 5.3.6.6, allows remote attackers to execute arbitrary code via crafted data in a TCP packet.
Affected (24 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | tivoli_storage_manager | — | — |
Detection & IOCs (extracted from sources)
- bytes: `nCC header: [sploit.length, 0x26, 0xa5]`
- Monitor for TCP connections to port 1582 (IBM TSM CAD service default port) containing oversized 'ping' packets with a 4-byte header where bytes 2-3 are 0x26 and 0xa5.
- Alert on abnormally large TCP payloads sent to port 1582; the exploit constructs a payload exceeding 3000+ bytes (1024*3 padding plus shellcode) targeting the CAD ping handler.
- The exploit uses SEH-based exploitation (EXITFUNC=seh) with a pop/pop/ret gadget from dbghelp.dll v6.0.17.0 at 0x028495d3; look for SEH chain overwrites in dsmcad.exe crash dumps.
- The exploit targets a wchar_t buf[64] stack buffer; a stack-based overflow via a crafted TCP packet to the CAD scheduler on port 1582 with payload space of 380 bytes before the SEH record (offset 384) is the attack pattern.
- The vulnerable code path is only reachable when the CAD service is in the CadWaitingStatus=1 state, which requires the TSM server to be running; exploitation is not possible when the TSM server is offline.
- The exploit payload has no bad characters, meaning no byte filtering is applied by the vulnerable service, which simplifies shellcode delivery.
- The Metasploit module uses a large negative stack adjustment (-3500 bytes) to avoid clobbering the payload during execution; this is a characteristic artifact of the exploit's stack pivot.
No detection rules found.
Exploit-DB
- IBM Tivoli Storage Manager Express CAD Service - Remote Buffer Overflow (Metasploit) (1) (exploitdb, 2010-05-09, CVE-2009-3853)
Module header as indexed (the excerpt ends mid-description):

```ruby
##
# $Id: ibm_tsm_cad_ping.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The class declaration and the start of the info block were lost in
# extraction (everything between "Metasploit3" and the module name);
# they are restored here to the standard Metasploit 3 module skeleton.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.
        By sending a "ping" packet containing a long string, an attacker can execute arbitrary code.
        NOTE: the dsmcad.exe service must be in a particular state (C
```
Metasploit
- IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (metasploit)
  This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service. By sending a "ping" packet containing a long string, an attacker can execute arbitrary code. NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order for the vulnerable code to be reached. This state doesn't appear to be reachable when the TSM server is not running. This service does not restart.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/32534
- http://secunia.com/secunia_research/2008-51/
- http://securitytracker.com/id?1023136
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC61036
- http://www-01.ibm.com/support/docview.wss?uid=swg21405562
- http://www.securityfocus.com/archive/1/507654/100/0/threaded
- http://www.vupen.com/english/advisories/2009/3132