IBM Tivoli Storage Manager Client Multiple Vulnerabilities (swg21268775)

2007-09-2500:00:00

www.tenable.com

104

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.965

Percentile

99.6%

JSON

The remote host is running an IBM Tivoli Storage Manager (TSM) client.

The version of the TSM client installed on the remote host reportedly contains a buffer overflow vulnerability in its Client Acceptor Daemon (CAD) service. Using an HTTP request with a long Host header, a remote attacker may be able to exploit this issue to crash the affected host or to execute arbitrary commands with administrative privileges.

In addition, the use of server-initiated prompted scheduling also may allow unauthorized access to the client’s data under certain conditions.

#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description)
{
  script_id(26187);
  script_version("1.18");

  script_cve_id("CVE-2007-4880", "CVE-2007-5022");
  script_bugtraq_id(25743);

  script_name(english:"IBM Tivoli Storage Manager Client Multiple Vulnerabilities (swg21268775)");
  script_summary(english:"Checks version of TSM Client from HTTP banner");

 script_set_attribute(attribute:"synopsis", value:
"The remote backup client is susceptible to multiple attacks." );
 script_set_attribute(attribute:"description", value:
"The remote host is running an IBM Tivoli Storage Manager (TSM) client. 

The version of the TSM client installed on the remote host reportedly
contains a buffer overflow vulnerability in its Client Acceptor Daemon
(CAD) service.  Using an HTTP request with a long Host header, a
remote attacker may be able to exploit this issue to crash the
affected host or to execute arbitrary commands with administrative
privileges. 

In addition, the use of server-initiated prompted scheduling also may
allow unauthorized access to the client's data under certain
conditions." );
 script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-054/" );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/480492/30/0/threaded" );
 script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=swg1IC52905" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Tivoli Storage Manager version 5.4.1.2 / 5.3.5.3 / 5.2.5.2
/ 5.1.8.1 backup-archive client or the Tivoli Storage Manager Express
5.3.5.3 client." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_cwe_id(119, 200);
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/09/25");
 script_set_attribute(attribute:"patch_publication_date", value: "2007/09/21");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/09/21");
 script_cvs_date("Date: 2018/11/15 20:50:25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:ibm:tivoli_storage_manager_client");
script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 1581);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:1581, embedded:TRUE);
banner = get_http_banner(port:port);
if ('Server: TSM_HTTP/' >!< banner)
  exit(0, 'The server on port '+port+' doesn\'t look like TSM Client.');

# Grab the main page.
r = http_send_recv3(method:"GET", item:"/BACLIENT", port:port, exit_on_fail:TRUE);
res = strcat(r[0], r[1], '\r\n', r[2]);

# If it looks like TSM Client...
if ('adsm.cadmin.clientgui.DDsmApplet.class"' >< res)
{
  # Pull out the version number.
  ver = NULL;

  pat = ' version *= *"([0-9][0-9.]+) *"';
  matches = egrep(pattern:pat, string:res);
  if (matches)
  {
    foreach match (split(matches))
    {
      match = chomp(match);
      item = eregmatch(pattern:pat, string:match);
      if (!isnull(item))
      {
        ver = item[1];
        if (ver[strlen(ver)-1] == '.') ver = substr(ver, 0, strlen(ver)-2);
        break;
      }
    }
  }
  if (!isnull(ver))
  {
    iver = split(ver, sep:'.', keep:FALSE);
    for (i=0; i<4; i++)
      iver[i] = int(iver[i]);

    if (
      iver[0] == 5 &&
      (
        (iver[1] == 1 && (iver[2] < 8 || (iver[2] == 8 && iver[3] < 1))) ||
        (iver[1] == 2 && (iver[2] < 5 || (iver[2] == 5 && iver[3] < 2))) ||
        (iver[1] == 3 && (iver[2] < 5 || (iver[2] == 5 && iver[3] < 3))) ||
        (iver[1] == 4 && (iver[2] < 1 || (iver[2] == 1 && iver[3] < 2)))
      )
    )
    {
      report = string(
        "According to its banner, version ", ver, " of IBM Tivoli Storage Manager\n",
        "Client is installed on the remote host.\n"
      );
      security_hole(port:port, extra:report);
    }
  }
}