IBM Tivoli Management Framework Endpoint addr URL Remote Buffer Overflow

Severity: High, Nessus Plugin ID: 54924

Synopsis

A web server running on the remote host has a buffer overflow vulnerability.

Description

According to its self-reported version, the Tivoli Endpoint installation running on the remote host is earlier than 4.1.1-LCF-0076 or 4.3.1-LCF-0012LA and is therefore affected by a buffer overflow vulnerability. Input to the 'opts' parameter of '/addr' is not properly validated. Exploitation requires authentication, though this can be achieved trivially by using a built-in account.

A remote, authenticated attacker could exploit this by sending a malicious POST request to the server, resulting in arbitrary code execution.

Solution

Upgrade to Tivoli Endpoint 4.1.1-LCF-0076 / 4.3.1-LCF-0012LA or later. Alternatively, use the workaround described in the IBM advisory.

See Also

https://www.tenable.com/security/research/tra-2011-04

https://www.zerodayinitiative.com/advisories/ZDI-11-169/

https://www-304.ibm.com/support/docview.wss?uid=swg21499146

Plugin Details

Severity: High

ID: 54924

File Name: tivoli_endpoint_addr_opts_bof.nasl

Version: 1.17

Type: remote

Family: Web Servers

Published: 2011/05/31

Updated: 2018/11/15

Dependencies: 48363

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:tivoli_management_framework

Required KB Items: www/tivoli_endpoint

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/05/30

Vulnerability Publication Date: 2011/05/30

Exploitable With

CANVAS (White_Phosphorus)

Core Impact

Metasploit (IBM Tivoli Endpoint Manager POST Query Buffer Overflow)

Reference Information

CVE: CVE-2011-1220

BID: 48049

TRA: TRA-2011-04

IAVA: 2011-A-0072

EDB-ID: 17365, 17392