CVE-2010-4604
IBM Tivoli Storage Manager 5.3.0-5.3.6.7 - Stack-Based Buffer Overflow in GeneratePassword Function
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2010-4604. PoCs published by Kryptos Logic.
AI-analyzed exploit summary: This exploit leverages a stack-based buffer overflow in IBM Tivoli Storage Manager's dsmtca component via the LANG environment variable to achieve local privilege escalation. It overwrites the return address of the GeneratePassword() function with shellcode to spawn a root shell.
Description
Stack-based buffer overflow in the GeneratePassword function in dsmtca (aka the Trusted Communications Agent or TCA) in the backup-archive client in IBM Tivoli Storage Manager (TSM) 5.3.x before 5.3.6.10, 5.4.x before 5.4.3.4, 5.5.x before 5.5.2.10, and 6.1.x before 6.1.3.1 on Unix and Linux allows local users to gain privileges by specifying a long LANG environment variable, and then sending a request over a pipe.