TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... Most phishing sites are hosted on compromised Apache + PHP + MySQL servers located in the US. Our Digital Vaccine service includes filters specifically designed to prevent potential victims from reaching many of these malicious sites.

IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities

TPTI-07-05: May 2nd, 2007


Affected Vendors

Affected Products

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on systems with vulnerable installations of IBM Tivoli Provisioning Manager for OS Deployment. Authentication is not required to exploit this vulnerability.

The specific flaws exist in the handling of HTTP requests to the rembo.exe service listening on TCP port 8080. Several components of an HTTP request can be modified to trigger buffer overflows. For example, by supplying an overly long filename an attacker is able to overflow a 150 byte stack buffer and subsequently execute arbitrary code. The overflow occurs during a string copy loop, shown here:

00431136 lea edi, [ebp+var_3C4] ; 150 byte stack buffer
00431148 stringcopy:
00431148 mov al, [edx] ; edx -> our data
0043114A add edx, 1
0043114D mov [edi], al ; edi -> stack buffer
0043114F add edi, 1
00431152 test al, al
00431154 jnz short stringcopy

The Host and Authorization fields are also vulnerable to similar exploitable overflows.

Vendor Response

IBM has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2006-12-18 - Vulnerability reported to vendor
    2007-05-02 - Coordinated public release of advisory


This vulnerability was discovered by: