CVE-2011-1220
published 2011-06-02


Priority: P2 (68) · Severity: critical · CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploit: available
EPSS: 62.66% (99.1th percentile)
Stack-based buffer overflow in lcfd.exe in Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 allows remote authenticated users to execute arbitrary code via a long opts field.

Affected (4 ranges)

Vendor   Product                      Version range   Fixed in
ibm      tivoli_management_framework
ibm      tivoli_management_framework
ibm      tivoli_management_framework
ibm      tivoli_management_framework

Detection & IOCs (extracted from sources)

  • process: lcfd.exe
  • port: 9495
  • other: tivoli:boss
  • other: 0x77d80787
  • other: 0x77403680
  • other: 0x77402680
  • command: HTTP POST /addr with Authorization: Basic <base64(tivoli:boss)> and an oversized POST body variable
  • Detect oversized HTTP POST requests to TCP port 9495 targeting lcfd.exe; the exploit sends a POST whose body variable is padded with at least 256 NOP bytes to trigger the stack buffer overflow.
  • Alert on HTTP Basic Authentication using the hardcoded credential 'tivoli:boss' (Base64: dGl2b2xpOmJvc3M=) on port 9495; the presence of this Authorization header is a strong exploitation indicator.
  • Monitor for POST requests to port 9495 where the POST body variable value is anomalously long (the exploit uses a 256+ byte NOP sled plus a payload of up to 400 bytes of shellcode).
  • Flag exploit attempts using the known JMP ESP return addresses in user32.dll on Windows Server 2003: 0x77d80787 (SP0), 0x77403680 (SP1), 0x77402680 (SP2).
  • Bad characters for the payload are the null byte, carriage return, and line feed (\x00\x0d\x0a); any POST body to port 9495 containing long runs of repeated bytes other than these should be treated as suspicious.
  • Exploitation requires authentication; however, the hardcoded credential 'tivoli:boss' effectively makes this unauthenticated on unpatched systems, so treat it as a remotely exploitable unauthenticated vulnerability in practice.
  • The exploit targets Windows Server 2003 SP0/SP1/SP2 specifically; the return addresses are hardcoded to user32.dll offsets for those platforms only.
  • Payload space is constrained to 400 bytes with a stack adjustment of -3500; shellcode must fit within these constraints.