CVE-2011-1220

Related Files

IBM Tivoli Endpoint Manager POST Query Buffer Overflow

Posted Jun 12, 2011

Authored by bannedit, Jeremy Brown | Site metasploit.com

This Metasploit module exploits a stack based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query arguments. This issue can be triggered by sending a specially crafted HTTP POST request to the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization is required. This exploit makes use of a second vulnerability, a hardcoded account (tivoli/boss) is used to bypass the authorization restriction.

tags | exploit, web, overflow, tcp

advisories | CVE-2011-1220, OSVDB-72713, OSVDB-72751

SHA-256 | e26c45a50f92baafd2fb68a99ebdaa1c0b4d55454982b873642bcb3d0f2a41d7

Download | Favorite | View

Zero Day Initiative Advisory 11-169

Posted Jun 1, 2011

Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-169 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Endpoint. Authentication is required to exploit this vulnerability, however it is trivially achieved. The specific flaw exists within the lcfd.exe process which listens by default on TCP port 9495. To reach this page remotely authentication is required. However, by abusing a built-in account an attacker can access the restricted pages. While parsing requests to one of these, the process blindly copies the contents of a POST variable to a 256 byte stack buffer. This can be leveraged by a remote attacker to execute arbitrary code under the context of the SYSTEM user.

tags | advisory, remote, arbitrary, tcp

advisories | CVE-2011-1220

SHA-256 | 285e5b56f3b5a1ce6fb8f0683bf97b8bc3d0b7e2e10fa74b7e0621552c83cec0

Download | Favorite | View