Tivoli TMF Endpoint Buffer Overflow

["Mark A. Rowe (PenTest)" <mark.rowe () pentest-limited com>]

IBM Tivoli Management Framework Buffer Overflow (Endpoint)

 
Announcement date: 15th July 2002 
Reference: ptl-2002-04 


Advisory Details
----------------

Product: IBM Tivoli Management Framework
Vulnerable versions: 3.6.x through 3.7.1
Vulnerability Type : Buffer Overflow
Platforms: All 
Vendor-URL: http://www.tivoli.com
Vendor-Status: Apply latest Fixpack (Currently Fixpack 2 or Patches
3.7.1-TMF-0066), or apply workaround.
Remote-Exploit: Yes


Overview
--------

A remote buffer overflow condition exists in the webserver (default port
9495) running on TMR Endpoints. This can result in a denial of service
and execution of arbitrary code. 


Description
-----------

An overly long GET request results in a buffer overflow, with registers
being overwritten with user supplied data. 

This results in the TMR Endpoint Service crashing (LCFD process) and
allows arbitrary code to be executed as a privileged user (SYSTEM on NT
or root on Unix). The loss of the lcfd process terminates all endpoint
activities.

Tested on: W2K and NT4 SP6a.


Fix
---

Apply latest Fixpack (Currently Fixpack 2 or Patches 3.7.1-TMF-0066), or
apply workaround. 


Vendor status
-------------

Tivoli were notified 12 April 2002.

Vendor has released a security alert with details of patches and
workarounds. See http://www.tivoli.com/secure/support/documents/security
/mgt-fwk-http-vul.html


Credit
------

Discovered by
Mark Rowe ( mark.rowe () pentest-limited com)
Jeff Fay  ( jeff () sdii com )