IBM Tivoli Management Framework Endpoint addr URL Remote Buffer Overflow

high Nessus Plugin ID 54924

Synopsis

A web server running on the remote host has a buffer overflow vulnerability.

Description

According to its self-reported version, the Tivoli Endpoint installation running on the remote host is earlier than 4.1.1-LCF-0076 or 4.3.1-LCF-0012LA, and therefore has a buffer overflow vulnerability. Input to the 'opts' parameter of '/addr' is not properly validated. Authentication is required for exploitation, though this can be achieved trivially by using a built-in account.

A remote, authenticated attacker could exploit this by sending a malicious POST request to the server, resulting in arbitrary code execution.

Solution

Upgrade to Tivoli Endpoint 4.1.1-LCF-0076 / 4.3.1-LCF-0012LA or later. Alternatively, use the workaround described in the IBM advisory.

See Also

https://www.tenable.com/security/research/tra-2011-04

https://www.zerodayinitiative.com/advisories/ZDI-11-169/

https://www-304.ibm.com/support/docview.wss?uid=swg21499146

Plugin Details

Severity: High

ID: 54924

File Name: tivoli_endpoint_addr_opts_bof.nasl

Version: 1.18

Type: remote

Family: Web Servers

Published: 5/31/2011

Updated: 8/5/2020

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: E:F/RL:OF/RC:C

CVSS Score Source: CVE-2011-1220

Vulnerability Information

CPE: cpe:/a:ibm:tivoli_management_framework

Required KB Items: www/tivoli_endpoint

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/30/2011

Vulnerability Publication Date: 5/30/2011

Exploitable With

CANVAS (White_Phosphorus)

Core Impact

Metasploit (IBM Tivoli Endpoint Manager POST Query Buffer Overflow)

Reference Information

CVE: CVE-2011-1220

BID: 48049

TRA: TRA-2011-04

IAVA: 2011-A-0072-S

EDB-ID: 17365, 17392