CVE-2011-1220
Published 2011-06-02
Priority: P2 · 68 · critical · CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploit available
EPSS: 62.66% (99.1th percentile)
Stack-based buffer overflow in lcfd.exe in Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 allows remote authenticated users to execute arbitrary code via a long opts field.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | tivoli_management_framework | — | — |
| ibm | tivoli_management_framework | — | — |
| ibm | tivoli_management_framework | — | — |
| ibm | tivoli_management_framework | — | — |
Detection & IOCs (extracted from sources)
Command: HTTP POST /addr with Authorization: Basic <base64(tivoli:boss)> and an oversized POST body variable
- Detect oversized HTTP POST requests to TCP port 9495 targeting lcfd.exe; the exploit sends a POST whose body variable is padded with at least 256 NOP bytes to trigger the stack buffer overflow.
- Alert on HTTP Basic Authentication using the hardcoded credential 'tivoli:boss' (Base64: dGl2b2xpOmJvc3M=) on port 9495; the presence of this Authorization header is a strong exploitation indicator.
- Monitor POST requests to port 9495 where the body variable value is anomalously long (the exploit uses a NOP sled of 256+ bytes plus up to 400 bytes of shellcode).
- Flag exploit attempts that use the known JMP ESP return addresses in user32.dll on Windows Server 2003: 0x77d80787 (SP0), 0x77403680 (SP1), 0x77402680 (SP2).
- The exploit's bad characters are the null byte, carriage return and line feed (\x00\x0d\x0a); any POST body to port 9495 containing long runs of repeated bytes other than these should be treated as suspicious.
- Exploitation requires authentication; however, the hardcoded credential 'tivoli/boss' effectively makes it unauthenticated on unpatched systems, so in practice treat this as a remotely exploitable unauthenticated vulnerability.
- The exploit targets Windows Server 2003 SP0/SP1/SP2 specifically; its return addresses are hardcoded user32.dll offsets for those platforms only.
- Payload space is constrained to 400 bytes with a stack adjustment of -3500; shellcode must fit within these constraints.
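The detection points above (hardcoded Basic credential, oversized body variable, long repeated-byte run that avoids the exploit's bad characters) as one checker over raw HTTP requests; this is an added example, not code from the page or from IBM/Metasploit, and it assumes a form-encoded (name=value&...) POST body and uses constructed sample requests rather than captured traffic.

```python
import base64
import re
from typing import Dict, List, Tuple

TIVOLI_PORT = 9495                                          # lcfd.exe listener
HARDCODED_B64 = base64.b64encode(b"tivoli:boss").decode()   # "dGl2b2xpOmJvc3M="
OVERSIZED = 256                                             # exploit pads the body variable to 256+ bytes
# a run of 64+ copies of one byte that is not one of the exploit's bad characters (\x00 \x0d \x0a)
REPEAT_RUN = re.compile(rb"([^\x00\x0d\x0a])\1{63,}")
AUTH_RE = re.compile(rb"(?im)^Authorization:[ \t]*Basic[ \t]+(\S+)")


def check_request(dst_port: int, raw: bytes) -> List[str]:
    """Return the indicator names found in one raw HTTP request sent to dst_port."""
    findings: List[str] = []
    if dst_port != TIVOLI_PORT:
        return findings
    head, _, body = raw.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return findings
    m = AUTH_RE.search(head)
    if m and m.group(1) == HARDCODED_B64.encode():
        findings.append("hardcoded-credential")
    # assumption: application/x-www-form-urlencoded body, inspect each variable's value length
    for pair in body.split(b"&"):
        name, _, value = pair.partition(b"=")
        if len(value) >= OVERSIZED:
            findings.append("oversized-variable:%s:%d" % (name.decode("ascii", "replace"), len(value)))
            if REPEAT_RUN.search(value):
                findings.append("repeated-byte-run")
    return findings


def build_request(auth_b64: str, body: bytes) -> bytes:
    """Assemble a raw POST /addr request (constructed sample, not captured traffic)."""
    head = (b"POST /addr HTTP/1.1\r\nHost: endpoint.example:9495\r\n"
            b"Authorization: Basic " + auth_b64.encode() + b"\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


# constructed samples: a normal-sized request under a different account, and a request
# carrying the hardcoded credential plus a body variable padded with 300 repeated bytes
BENIGN = build_request(base64.b64encode(b"operator:s3cret").decode(), b"opts=verbose")
SUSPICIOUS = build_request(HARDCODED_B64, b"opts=" + b"A" * 300 + b"&x=1")
SAMPLES: Dict[str, Tuple[int, bytes]] = {"benign": (9495, BENIGN),
                                         "suspicious": (9495, SUSPICIOUS),
                                         "other-port": (80, SUSPICIOUS)}


def scan(samples: Dict[str, Tuple[int, bytes]]) -> Dict[str, List[str]]:
    """Run check_request over every labelled (port, request) sample."""
    return {label: check_request(port, raw) for label, (port, raw) in samples.items()}
```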
GHSA
GHSA-4c5c-mh4v-prwp (CVE-2011-2330) [CRITICAL] · ghsa_unreviewed · 2022-05-14 · CVSS 9.0: Tivoli Endpoint in IBM Tivoli Management Framework 3
Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 has an unspecified "built-in account" that is "trivially" accessed, which makes it easier for remote attackers to send requests to restricted pages via a session on TCP port 9495, a different vulnerability than CVE-2011-1220.
GHSA
GHSA-45w9-36j2-4p58 (CVE-2011-1220) [HIGH] CWE-119 · ghsa_unreviewed · 2022-05-14: Stack-based buffer overflow in lcfd
Stack-based buffer overflow in lcfd.exe in Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 allows remote authenticated users to execute arbitrary code via a long opts field.
No detection rules found.
Exploit-DB
IBM Tivoli Endpoint Manager - POST Query Buffer Overflow (Metasploit) · exploitdb · 2011-06-12 · CVE-2011-1220
---
```ruby
##
# $Id: ibm_tivoli_endpoint_bof.rb 12925 2011-06-12 00:04:55Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'IBM Tivoli Endpoint Manager POST Query Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in the way IBM Tivoli
Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query
arguments.
This issue can be triggered by sending a specially crafted HTTP POST request to
the service (lcfd.exe) listenin
```
Metasploit
IBM Tivoli Endpoint Manager POST Query Buffer Overflow
This module exploits a stack based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query arguments. This issue can be triggered by sending a specially crafted HTTP POST request to the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization is required. This exploit makes use of a second vulnerability: a hardcoded account (tivoli/boss) is used to bypass the authorization restriction.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/44628
- http://securityreason.com/securityalert/8268
- http://securitytracker.com/id?1025581
- http://www-01.ibm.com/support/docview.wss?uid=swg21499146
- http://www.ibm.com/support/docview.wss?uid=swg1IZ90238
- http://www.securityfocus.com/archive/1/518199/100/0/threaded
- http://zerodayinitiative.com/advisories/ZDI-11-169/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67631