Some vulnerabilities have been reported in IBM Tivoli Storage Manager FastBack, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) An input validation error in FastBackMount.exe can be exploited to write value "0x01" to an arbitrary memory location via a specially crafted packet sent to UDP port 30005.

2) A boundary error in FastBackServer.exe when creating a formatted event log message for the "AGI_SendToLog()" method can be exploited to cause a stack-based buffer overflow.

3) An input validation error within the "_AGI_S_ActivateLTScriptReply()" function (FastBackServer.exe) using memcpy() with user supplied data can be exploited to cause a stack-based buffer overflow.

4) An input validation error within the "FXCLI_OraBR_Exec_Command()" function (FastBackServer.exe) using memcpy() with user supplied data can be exploited to cause a buffer overflow.

5) A boundary error within the "FXCLI_checkIndexDBLocation()" function (FastBackServer.exe) when copying the "user_path" variable using strcpy() can be exploited to cause a stack-based buffer overflow.

6) A boundary error within the "USER_S_AddADGroup()" function (FastBackServer.exe) when copying the "group", "workgroup", and "domain name" variables using strcat() can be exploited to cause a stack-based buffer overflow.

7) A format string error within the "_Eventlog()" function (FastBackServer.exe) when handling packet data after the pipe character (0x7C) can be exploited to corrupt memory via a specially crafted string.

8) A length validation error within the "_CalcHashValueWithLength()" function (FastBackServer.exe) when calculating a CRC value can be exploited to cause an access violation error and crash the process.

9) A variable initialization error within the "_DAS_ReadBlockReply()" function (FastBackServer.exe) when reading a block of packet data can be exploited to cause a NULL pointer dereference error and crash the process.

10) A NULL pointer dereference error in FastBackMount.exe when logging exception events can be exploited to crash the process.

11) An error exists within FastBackServer.exe when copying data while processing packets with header type "0xFAFBFCFD", which can be exploited to cause a heap-based buffer overflow.

The vulnerabilities are reported in versions prior to 5.5.7 and 6.1.1.

Solution
Update to version 5.5.7 or 6.1.1.

Provided and/or discovered by
1-9) Sebastian Apelt, reported via ZDI.
4) Stephen Fewer of Harmony Security, reported via ZDI.
10 - 11) AbdulAziz Hariri, reported via ZDI.

Changelog
Further details available in Customer Area

Original Advisory
IBM (IC69883):
http://www-01.ibm.com/support/docview.wss?uid=swg21443820

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-179/
http://www.zerodayinitiative.com/advisories/ZDI-10-180/
http://www.zerodayinitiative.com/advisories/ZDI-10-181/
http://www.zerodayinitiative.com/advisories/ZDI-10-182/
http://www.zerodayinitiative.com/advisories/ZDI-10-183/
http://www.zerodayinitiative.com/advisories/ZDI-10-184/
http://www.zerodayinitiative.com/advisories/ZDI-10-185/
http://www.zerodayinitiative.com/advisories/ZDI-10-186/
http://www.zerodayinitiative.com/advisories/ZDI-10-187/
http://www.zerodayinitiative.com/advisories/ZDI-10-188/
http://www.zerodayinitiative.com/advisories/ZDI-10-200/

Deep Links
Links available in Customer Area