Added: 10/18/2010
CVE: CVE-2010-3058
BID: 42549
OSVDB: 67292
IBM Tivoli Storage Manager (TSM) provides centralized management for automated backup and restoration operations. TSM includes FastBack, which provides a client/server backup solution for the MS Windows environment. FastBack Mount can be used to mount any snapshot and use it to complete data recovery. The mount service, FastBackMount.exe, listens on ports 30005/UDP and 30051/TCP by default.
The FastBack Mount interface allows the specification of a valid repository volume and identifiers for the snapshot to be mounted on the repository volume. A memory corruption vulnerability exists in the TSM FastBack Mount service due to an input validation error while parsing crafted mount requests sent to the service on its UDP port.
Apply a security fix.
<http://secunia.com/advisories/41044>
<http://www.zerodayinitiative.com/advisories/ZDI-10-179/>
The exploit works on Tivoli Storage Manager FastBack 6.1.0.
The exploit script connects to port 30051/TCP to perform heap spraying on the target before connecting to port 30005/UDP.
Windows
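
The traffic order described above (a large transfer to 30051/TCP followed by a request to 30005/UDP from the same source) can be looked for in network flow records. The following is an added detection example, not part of the original advisory; the flow record layout, the time window, the byte threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

TCP_PORT = 30051   # FastBack Mount TCP port (from the advisory)
UDP_PORT = 30005   # FastBack Mount UDP port (from the advisory)
WINDOW_SECONDS = 300        # assumption: max gap between the TCP and UDP flows
MIN_TCP_BYTES = 1_000_000   # assumption: TCP volume treated as unusually large

# Constructed sample flow records:
# (epoch_seconds, src, dst, proto, dst_port, bytes_sent_by_src)
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "10.0.1.20", "tcp", 30051, 8_500_000),
    (1030, "10.0.0.5", "10.0.1.20", "udp", 30005, 1_400),
    (2000, "10.0.0.9", "10.0.1.20", "tcp", 30051, 12_000),
    (2010, "10.0.0.9", "10.0.1.20", "udp", 30005, 300),
    (3000, "10.0.0.7", "10.0.1.21", "udp", 30005, 900),
    (9000, "10.0.0.8", "10.0.1.20", "tcp", 30051, 5_000_000),
    (9900, "10.0.0.8", "10.0.1.20", "udp", 30005, 700),
]

def find_suspicious_pairs(flows, window=WINDOW_SECONDS, min_tcp_bytes=MIN_TCP_BYTES):
    """Return (src, dst, first_tcp_time, udp_time, tcp_bytes) for every UDP flow
    to UDP_PORT that was preceded, within `window` seconds, by at least
    `min_tcp_bytes` of TCP traffic from the same source to TCP_PORT on the
    same destination host."""
    tcp_seen = defaultdict(list)   # (src, dst) -> [(time, bytes), ...]
    alerts = []
    for ts, src, dst, proto, port, nbytes in sorted(flows):
        key = (src, dst)
        if proto == "tcp" and port == TCP_PORT:
            tcp_seen[key].append((ts, nbytes))
        elif proto == "udp" and port == UDP_PORT:
            # Only TCP flows that fall inside the look-back window count.
            recent = [(t, b) for t, b in tcp_seen[key] if 0 <= ts - t <= window]
            total = sum(b for _, b in recent)
            if recent and total >= min_tcp_bytes:
                alerts.append((src, dst, recent[0][0], ts, total))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_pairs(SAMPLE_FLOWS):
        print("ALERT src=%s dst=%s tcp_at=%d udp_at=%d tcp_bytes=%d" % alert)
```

Legitimate FastBack clients also use both ports, so the byte threshold and window need tuning against normal backup traffic before alerting on this.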