CVE-2009-3853
published 2009-11-04

Priority: P2 · 69 · Severity: critical, base score 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (the Metasploit module referenced under Detection & IOCs)
EPSS: 36.72% (98.3rd percentile)
Stack-based buffer overflow in the client acceptor daemon (CAD) scheduler in the client in IBM Tivoli Storage Manager (TSM) 5.3 before 5.3.6.7, 5.4 before 5.4.3, 5.5 before 5.5.2.2, and 6.1 before 6.1.0.2, and TSM Express 5.3.3.0 through 5.3.6.6, allows remote attackers to execute arbitrary code via crafted data in a TCP packet.

Affected

24 ranges, all for vendor ibm, product tivoli_storage_manager. The version ranges and fixed versions as given in the description:

Vendor  Product                  Version range                          Fixed in
ibm     tivoli_storage_manager   5.3 before 5.3.6.7                     5.3.6.7
ibm     tivoli_storage_manager   5.4 before 5.4.3                       5.4.3
ibm     tivoli_storage_manager   5.5 before 5.5.2.2                     5.5.2.2
ibm     tivoli_storage_manager   6.1 before 6.1.0.2                     6.1.0.2
ibm     tivoli_storage_manager   TSM Express 5.3.3.0 through 5.3.6.6    not given

Detection & IOCs (extracted from sources)

port: 1582
process: dsmcad.exe
other: 0x028495d3 (pop/pop/ret gadget in dbghelp.dll 6.0.17.0)
bytes: header packed as Ruby 'nCC', i.e. [sploit.length, 0x26, 0xa5]: a 16-bit big-endian length followed by the two bytes 0x26 0xa5
  • Monitor TCP connections to port 1582 (the default listener of the IBM TSM client acceptor daemon, dsmcad.exe) for oversized 'ping' frames: a 4-byte header whose first two bytes are a big-endian length and whose bytes 2-3 are 0x26 and 0xa5, followed by the body.
  • Alert on abnormally large bodies sent to port 1582; the public exploit builds a frame of more than 3000 bytes (1024*3 bytes of padding plus the shellcode) aimed at the CAD ping handler.
  • The exploit relies on an SEH overwrite (Metasploit EXITFUNC=seh) and a pop/pop/ret gadget at 0x028495d3 in dbghelp.dll version 6.0.17.0; that address is specific to one target build, so for crash triage look for an overwritten SEH chain in dsmcad.exe crash dumps rather than for that one value.
  • The overflowed object is a wchar_t buf[64] stack buffer in the CAD scheduler; the crafted TCP packet gives 380 bytes of payload space ahead of the SEH record, with the handler pointer overwritten at offset 384 of the body.
  • The vulnerable code path is reachable only while the CAD service is in the CadWaitingStatus=1 state, which requires the TSM server to be running; exploitation is not possible while the TSM server is offline.
  • The exploit declares no bad characters: the service applies no byte filtering to the body, so the shellcode needs no encoder.
  • The Metasploit module sets a stack adjustment of -3500 bytes so that the running payload does not overwrite its own bytes on the stack; this is an artifact of how the payload is staged, not a stack pivot.
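The bullets above describe a frame that is simple to parse: a 4-byte header (Ruby pack('nCC'): a 16-bit big-endian length and the bytes 0x26 0xa5) followed by a body that, in the public exploit, holds 380 bytes of payload, an SEH record whose handler pointer sits at offset 384, and 1024*3 bytes of padding. The Python below is an added example, not code from this page or from the Metasploit module: it frames a constructed benign ping and a constructed exploit-shaped ping (filler in place of shellcode) and runs a small classifier over them that applies the port filter, the oversized-body check and the known-gadget check. The 128-byte threshold (wchar_t buf[64] taken as 64 wide characters), the nSEH short-jump bytes and all function names are assumptions of the example.

```python
"""Classifier for IBM TSM CAD 'ping' frames (port 1582) shaped like the CVE-2009-3853 exploit.

Added example; names, thresholds and sample frames below are assumptions, not page content.
"""
import struct

CAD_PORT = 1582                      # default dsmcad.exe listener (from the IOC list)
CAD_PING_MARKER = (0x26, 0xA5)       # header bytes 2-3 (from the IOC list)
VULN_BUF_BYTES = 64 * 2              # wchar_t buf[64]: assumed threshold, 64 wide chars = 128 bytes
SEH_HANDLER_OFFSET = 384             # handler pointer offset in the exploit body (from the IOC list)
KNOWN_POP_POP_RET = 0x028495D3       # dbghelp.dll 6.0.17.0 gadget (from the IOC list)

# Ruby pack('nCC') used by the exploit is struct '>HBB' in Python:
# a 16-bit big-endian length, then two single bytes.
HEADER = struct.Struct(">HBB")


def build_cad_ping(body: bytes) -> bytes:
    """Frame a body with the 4-byte header the CAD ping handler expects (used for constructed samples)."""
    return HEADER.pack(len(body), *CAD_PING_MARKER) + body


def parse_cad_ping(data: bytes):
    """Return (declared_len, body) for a CAD ping frame, or None if the header does not match."""
    if len(data) < HEADER.size:
        return None
    declared_len, b2, b3 = HEADER.unpack_from(data)
    if (b2, b3) != CAD_PING_MARKER:
        return None
    return declared_len, data[HEADER.size:]


def classify_cad_ping(data: bytes) -> list:
    """Return the reasons a frame looks like CVE-2009-3853 exploitation; an empty list means benign."""
    parsed = parse_cad_ping(data)
    if parsed is None:
        return []
    declared_len, body = parsed
    reasons = []
    # Generic signal: anything larger than the stack buffer is already an overflow attempt.
    if max(declared_len, len(body)) > VULN_BUF_BYTES:
        reasons.append(
            f"oversized ping: declared={declared_len} actual={len(body)} > {VULN_BUF_BYTES}")
    # Exploit-specific signal: the public module's SEH handler value at body offset 384.
    if len(body) >= SEH_HANDLER_OFFSET + 4:
        handler = struct.unpack_from("<I", body, SEH_HANDLER_OFFSET)[0]
        if handler == KNOWN_POP_POP_RET:
            reasons.append(
                f"known pop/pop/ret 0x{handler:08x} at body offset {SEH_HANDLER_OFFSET}")
    return reasons


def scan(connections) -> list:
    """connections: iterable of (dst_port, reassembled client-to-server data); returns [(dst_port, reasons), ...]."""
    alerts = []
    for dst_port, data in connections:
        if dst_port != CAD_PORT:
            continue
        reasons = classify_cad_ping(data)
        if reasons:
            alerts.append((dst_port, reasons))
    return alerts


# --- constructed samples (not real captures) ---------------------------------

BENIGN_PING = build_cad_ping(b"\x00" * 16)   # short body that fits wchar_t buf[64]


def exploit_shaped_ping() -> bytes:
    """Body with the public exploit's layout, filler in place of shellcode (constructed)."""
    body = b"A" * 380                              # 380 bytes of payload space
    body += b"\xeb\x06\x90\x90"                    # nSEH: short jump over the handler (assumed, typical SEH layout)
    body += struct.pack("<I", KNOWN_POP_POP_RET)   # SEH handler pointer lands at body offset 384
    body += b"B" * (1024 * 3)                      # the module's 1024*3 bytes of padding
    return build_cad_ping(body)


if __name__ == "__main__":
    sample = [(CAD_PORT, BENIGN_PING), (CAD_PORT, exploit_shaped_ping()), (80, exploit_shaped_ping())]
    for port, reasons in scan(sample):
        print(f"ALERT dst_port={port}:")
        for r in reasons:
            print("  -", r)
```

Feed the classifier reassembled client-to-server stream data, not individual TCP segments: the header's declared length is the frame length, and a large exploit frame will span several segments. The oversized-body check is the portable signal; the gadget match only fingerprints the one target build (dbghelp.dll 6.0.17.0) the public module supports, so treat its absence as no evidence. For triage, remember the bullet above: the overflow is reachable only while the TSM server is up (CadWaitingStatus=1).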