IBM Tivoli Monitoring CVE-2017-1635 Remote Code Execution Vulnerability

    06-02-2018

    CVEID: CVE-2017-1635
    CVSS Base Score: 8
    Affected Products and Versions: KDH component of IBM Tivoli Monitoring Basic Services (KGL,KAX) for Version 6.2.2.0 through 6.2.2.9


    Executive Summary
    A use-after-free error in the internal web server provided by IBM Tivoli Monitoring basic services could allow a remote attacker to execute arbitrary code on the system or to crash the application.
    After receiving certain requests, the web server component “KDH” calls into a heap region that the component itself has already freed.
    An attacker who can fill the heap before that memory is reused can therefore redirect execution to arbitrary code.


    PoC source: https://github.com/emcalv/tivoli-poc


    0x6191BCF8 – malloc in BSS1_NewFormat
    0x61903fea – free in BSS1_EndFormat
    0x6191BDEF – call to ecx+4

    First, malloc() allocates a 0x400-byte buffer in which the application builds the response page for the malformed request; free() is then called on that buffer, and the same (now freed) address is later dereferenced by the “call [ecx+4]” instruction.

    The disassembly code involved is:
    kbb.dll:61903FD7    mov     eax, [edx]
    kbb.dll:61903FD9    push    eax
    kbb.dll:61903FDA    mov     ecx, [ebp-8]
    kbb.dll:61903FDD    call    dword ptr [ecx+4]    ; ecx is the previously freed heap address; the call target is read from offset +4
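    The following C program is an added illustration of the bug shape described above (release the response-format object in the "end format" step, then call through a function pointer stored inside it) beside a hardened ordering. It is not IBM's code and not taken from the PoC repository; the names bss1_new_format, bss1_end_format, response_format and emit_fn are hypothetical stand-ins for the KDH routines, and the 0x400 buffer size is the one the advisory reports.

```c
/* Added example: use-after-free through an in-object function pointer,
 * and a hardened ordering that uses the object only while it is alive.
 * All names are hypothetical stand-ins, not IBM Tivoli Monitoring symbols. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RESPONSE_BUF_SIZE 0x400   /* buffer size the advisory reports for the response page */

struct response_format;
typedef int (*emit_fn)(struct response_format *f, const char *request);

/* Layout chosen so that on a 32-bit build the function pointer sits at
 * offset 4 of the allocation, the slot read by the advisory's "call [ecx+4]". */
struct response_format {
    void    *reserved;              /* offset 0 */
    emit_fn  emit;                  /* offset 4 on 32-bit builds */
    size_t   used;                  /* bytes of buf in use */
    char     buf[RESPONSE_BUF_SIZE];
};

/* Builds the response page for a request; fails closed if it would not fit. */
static int emit_page(struct response_format *f, const char *request) {
    int n = snprintf(f->buf, sizeof f->buf,
                     "HTTP/1.0 200 OK\r\n\r\nrequest=%s\r\n", request);
    if (n < 0 || (size_t)n >= sizeof f->buf)
        return -1;
    f->used = (size_t)n;
    return 0;
}

static struct response_format *bss1_new_format(void) {
    struct response_format *f = calloc(1, sizeof *f);
    if (f)
        f->emit = emit_page;
    return f;
}

/* Vulnerable release: frees the object but leaves the caller's pointer dangling. */
static void bss1_end_format_unsafe(struct response_format *f) {
    free(f);
}

/* Hardened release: frees and clears the caller's pointer, so any later use
 * hits NULL (a deterministic crash) instead of attacker-influenced heap data. */
static void bss1_end_format(struct response_format **fp) {
    if (fp && *fp) {
        free(*fp);
        *fp = NULL;
    }
}

/* Vulnerable ordering, mirroring the advisory: end-format (free) runs before
 * the call through the object. Shown for comparison only; not invoked below,
 * since the call dereferences freed memory. */
static int vulnerable_handle(const char *request) {
    struct response_format *f = bss1_new_format();
    if (!f)
        return -1;
    bss1_end_format_unsafe(f);        /* free() ... */
    return f->emit(f, request);       /* ... then "call [ecx+4]" through freed memory */
}

/* Hardened ordering: use the object, copy the result out, then release it.
 * Returns the number of bytes written to out (0 on any failure). */
size_t fixed_handle(const char *request, char *out, size_t outlen) {
    struct response_format *f = bss1_new_format();
    size_t n = 0;
    if (f && out && outlen > 0 &&
        f->emit(f, request) == 0 && f->used < outlen) {
        memcpy(out, f->buf, f->used);
        out[f->used] = '\0';
        n = f->used;
    }
    bss1_end_format(&f);              /* f is NULL from here on; no dangling use possible */
    return n;
}

/* Returns 1 when the hardened path produces the expected page for "GET /". */
int run_fixed_demo(void) {
    char out[128];
    size_t n = fixed_handle("GET /", out, sizeof out);
    return (n == 34 &&
            strcmp(out, "HTTP/1.0 200 OK\r\n\r\nrequest=GET /\r\n") == 0) ? 1 : 0;
}

/* Returns 1 when a request too large for the 0x400 buffer is rejected cleanly. */
int oversized_request_is_rejected(void) {
    char big[RESPONSE_BUF_SIZE + 0x100];   /* constructed input, larger than the buffer */
    char out[RESPONSE_BUF_SIZE + 0x200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return fixed_handle(big, out, sizeof out) == 0 ? 1 : 0;
}

/* Returns 1 when the hardened release leaves the caller's pointer NULL. */
int end_clears_pointer(void) {
    struct response_format *f = bss1_new_format();
    bss1_end_format(&f);
    return f == NULL ? 1 : 0;
}

int main(void) {
    (void)vulnerable_handle;          /* referenced only so the comparison compiles */
    printf("fixed demo ok: %d\n", run_fixed_demo());
    return 0;
}
```

    The point of the hardened variant is ordering and ownership, not the copy: the object is used strictly before its release, and the release clears the only pointer to it, so the "call [ecx+4]" pattern can never read a function pointer out of freed heap memory. Under AddressSanitizer the vulnerable_handle path reports a heap-use-after-free at the call; the hardened path is silent.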

    Supporting technical details:
    As shown in the following WinDbg screenshot, execution is suspended at 0x004c0931, where the payload is “\xcc” (an int 3 software breakpoint).


    Submitted to IBM in summer 2017; verified and confirmed by IBM in November 2017.

    References

    http://www-01.ibm.com/support/docview.wss?uid=swg22010554

    https://www.securityfocus.com/bid/101905