IBM Tivoli ActiveX Buffer Overflow

April 20, 2012

IBM Tivoli Provisioning Manager Express automates management of software distribution. It helps identify non-compliant users and deploy software updates to reduce user downtime and the need for support. IBM Tivoli Provisioning Manager Express runs a web service which allows clients to upload files to the server using Internet Explorer via an ActiveX control. The functionality is provided by the Isig.isigCtl.1 ActiveX control, contained in the library isig.dll. The library is installed and registered on the client system when a user requests a file upload. The ActiveX control is identified by CLSID 84B74E82-3475-420E-9949-773B4FB91771 and ProgID Isig.isigCtl. The control is scriptable and can be instantiated from a web page. An example of instantiating the control from script follows:

 testobject = new ActiveXObject("Isig.isigCtl") 

The ActiveX control exposes multiple methods, one of which is RunAndUploadFile with the following prototype:

 RunAndUploadFile (string url, string otherfields, string flags) 

The otherfields parameter is expected to contain multiple name:value pairs separated by semicolons.

A stack-based buffer overflow vulnerability exists in some versions of IBM Tivoli Provisioning Manager Express for Software Distribution. Specifically, the vulnerability is due to improper handling of the otherfields parameter passed to the RunAndUploadFile method of the Isig.isigCtl ActiveX control. The name:value pairs in the otherfields parameter are processed one by one in order to construct Content-Disposition HTTP headers. Each header value is built from one name:value pair. The vulnerable code calls a sprintf function using a format string similar to the following:

 --%sContent-Disposition: form-data; name="%s" 

The second format specifier is filled from the name field of each name:value pair in the otherfields parameter, while the first is replaced with a fixed-length string. The value field of each name:value pair is then concatenated to the same buffer using a strcat function. Since the destination buffer holding the output is a fixed-size stack buffer, supplying a sufficiently long string in the otherfields parameter overwrites critical data on the stack.
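The following C program is an added illustration and is not the page's code nor a reconstruction of isig.dll; it rebuilds the header-construction step just described in a bounds-checked form so the failure mode is visible. The function names, the HDR_BUF_SIZE limit and the boundary string are assumptions chosen for the example; the format string is the one quoted above, kept without line breaks exactly as the page shows it. Where the vulnerable code used sprintf and strcat into a fixed-size stack buffer, this version uses snprintf and a length-checked memcpy, and rejects any name:value pair whose header would not fit instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed size of the stack buffer that holds one part header. */
#define HDR_BUF_SIZE 128
/* Constructed sample value for the fixed-length first %s in the format string. */
#define BOUNDARY "----constructed-boundary"

/* Build one part header from a single name:value pair into a fixed-size buffer.
 * Returns the number of bytes written (excluding the NUL), or -1 if the header
 * would not fit. This is the hardened counterpart of sprintf followed by strcat. */
int build_part_header(char *out, size_t out_size, const char *boundary,
                      const char *name, const char *value)
{
    /* snprintf never writes more than out_size bytes and reports the length the
     * full output would have had, which lets us detect truncation. */
    int n = snprintf(out, out_size,
                     "--%sContent-Disposition: form-data; name=\"%s\"",
                     boundary, name);
    if (n < 0 || (size_t)n >= out_size)
        return -1;                      /* name too long for the buffer */

    size_t used = (size_t)n;
    size_t vlen = strlen(value);
    /* Bounded append replaces strcat: check the remaining room, including NUL. */
    if (vlen >= out_size - used)
        return -1;                      /* value would overflow the buffer */
    memcpy(out + used, value, vlen + 1);
    return (int)(used + vlen);
}

/* Walk an otherfields string of the form "name:value;name:value" and build a
 * header for every pair, handing each finished header to an optional callback.
 * Returns the number of pairs processed, or -1 on the first pair that is
 * malformed (no ':' separator) or whose header would not fit. */
int process_otherfields(const char *otherfields, const char *boundary,
                        int (*emit)(const char *hdr, void *ctx), void *ctx)
{
    char pair[HDR_BUF_SIZE];            /* scratch copy of one name:value pair */
    char hdr[HDR_BUF_SIZE];             /* fixed-size destination, as in the page */
    int count = 0;
    const char *p = otherfields;

    while (*p) {
        const char *semi = strchr(p, ';');
        size_t plen = semi ? (size_t)(semi - p) : strlen(p);
        if (plen >= sizeof pair)
            return -1;                  /* a single pair exceeds the scratch buffer */
        memcpy(pair, p, plen);
        pair[plen] = '\0';

        char *colon = strchr(pair, ':');
        if (!colon)
            return -1;                  /* malformed pair: no name:value separator */
        *colon = '\0';
        const char *name = pair;
        const char *value = colon + 1;

        if (build_part_header(hdr, sizeof hdr, boundary, name, value) < 0)
            return -1;                  /* refuse rather than overflow */
        if (emit && emit(hdr, ctx) != 0)
            return -1;
        count++;

        if (!semi)
            break;
        p = semi + 1;
    }
    return count;
}

/* Convenience wrapper: process one otherfields string with no emitter and
 * return the pair count, or -1 if any pair was rejected. */
int count_valid_pairs(const char *otherfields)
{
    return process_otherfields(otherfields, BOUNDARY, NULL, NULL);
}

static int print_header(const char *hdr, void *ctx)
{
    (void)ctx;
    return puts(hdr) < 0;               /* non-zero return aborts processing */
}

int main(void)
{
    /* Constructed sample input in the otherfields syntax the control expects. */
    const char *sample = "filename:report.txt;user:alice";
    int n = process_otherfields(sample, BOUNDARY, print_header, NULL);
    printf("%d pair(s) processed\n", n);
    return n < 0;
}
```

The important design point is that both steps that write into the fixed buffer are told its size: the rejection happens before any byte lands outside it, and the caller gets an error it can surface instead of a silently corrupted stack frame.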

A remote attacker could exploit this vulnerability via a web page that passes a large crafted argument to the vulnerable ActiveX control method. In order to exploit the vulnerability, the target user needs to be enticed to visit the malicious web page. Successful exploitation will result in a buffer overflow that may divert the process flow of the vulnerable service.

SonicWALL has released an IPS signature addressing this issue. The following signature was released:

  • 7685 - IBM Tivoli Isig.isigCtl.1 ActiveX RunAndUploadFile Method Invocation

In addition to the signature released specifically for this particular vulnerability, SonicWALL has numerous existing signatures that cover known generic attack traffic that is likely to be employed in an attack targeting this flaw. These signatures are proactively preventing attacks targeting known and previously undisclosed vulnerabilities.

The vendor has released an advisory regarding this issue.
The flaw was first disclosed by ZDI in its advisory.
This vulnerability has been assigned CVE-2012-0198 by MITRE.