IBM Tivoli Storage Manager FastBack Mount Service Code Execution

Added: 10/18/2010
CVE: CVE-2010-3058
BID: 42549
OSVDB: 67292

Background

IBM Tivoli Storage Manager (TSM) provides centralized management for automated backup and restoration operations. TSM includes FastBack, which provides a client/server backup solution for the MS Windows environment. FastBack Mount can be used to mount any snapshot and use it to complete data recovery. By default, the mount service, FastBackMount.exe, listens on ports 30005/UDP and 30051/TCP.

Problem

The FastBack Mount interface allows the specification of a valid repository volume and identifiers for the snapshot to be mounted on the repository volume. A memory corruption vulnerability exists in the TSM FastBack Mount service due to an input validation error while parsing crafted mount requests sent to the service on its UDP port.

Resolution

Apply a security fix.

References

http://secunia.com/advisories/41044
http://www.zerodayinitiative.com/advisories/ZDI-10-179/

Limitations

Exploit works on Tivoli Storage Manager FastBack 6.1.0.

The exploit script will connect to port 30051/TCP to do heap-spraying on the target before connecting to port 30005/UDP.
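
For defenders, the port sequence described above (30051/TCP followed by 30005/UDP from the same source) can be looked for in network flow logs. The following is an added example, not part of the original advisory: the flow record format, the sample records and the 60-second window are constructed assumptions, and legitimate FastBack clients may produce the same sequence, so known backup hosts should be passed in `allowed_sources`.

```python
TCP_PORT = ("tcp", 30051)   # port the advisory says is contacted first
UDP_PORT = ("udp", 30005)   # port on which mount requests are parsed
WINDOW = 60                 # seconds; assumed correlation window

def parse_flow(line):
    """Parse 'epoch src dst proto dport' (constructed, whitespace-separated)."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto.lower(), int(dport)

def find_sequences(lines, window=WINDOW, allowed_sources=frozenset()):
    """Return (src, dst, tcp_ts, udp_ts) for each TCP-then-UDP pair in window."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            flows.append(parse_flow(line))
        except ValueError:
            continue  # skip malformed records rather than abort the run
    last_tcp = {}  # (src, dst) -> time of most recent 30051/TCP flow
    hits = []
    for ts, src, dst, proto, dport in sorted(flows):
        if src in allowed_sources:
            continue
        key = (src, dst)
        if (proto, dport) == TCP_PORT:
            last_tcp[key] = ts
        elif (proto, dport) == UDP_PORT:
            tcp_ts = last_tcp.get(key)
            if tcp_ts is not None and ts - tcp_ts <= window:
                hits.append((src, dst, tcp_ts, ts))
                del last_tcp[key]  # one alert per TCP/UDP pair
    return hits

SAMPLE = """\
# constructed flow records: epoch src dst proto dport
1000 10.0.0.5 10.0.0.20 tcp 30051
1004 10.0.0.5 10.0.0.20 udp 30005
1010 10.0.0.9 10.0.0.20 udp 30005
2000 10.0.0.7 10.0.0.20 tcp 30051
2500 10.0.0.7 10.0.0.20 udp 30005
garbage line
3000 10.0.0.8 10.0.0.20 tcp 30051
3001 10.0.0.8 10.0.0.21 udp 30005
""".splitlines()

if __name__ == "__main__":
    for src, dst, t1, t2 in find_sequences(SAMPLE):
        print(f"{src} -> {dst}: 30051/TCP at {t1:.0f}, 30005/UDP at {t2:.0f}")
```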

Platforms

Windows
