Vulnerability announcement CVE-2012-2288
EMC NetWorker: format string in nsrd
Synthesis of the vulnerability
A network attacker can send a malicious message to EMC NetWorker, in order to generate a format string attack, leading to code execution.
Impacted products: NetWorker.
Severity: 3/4.
Creation date: 31/08/2012.
Identifiers: BID-55330, CERTA-2012-AVI-481, CVE-2012-2288, EIP-2012-0001, ESA-2012-038, VIGILANCE-VUL-11912.
Description of the vulnerability
The RPC nsrd service of EMC NetWorker processes save and restore operations.
However, RPC procedure 0x06 of service 0x5F3DD version 0x02 passes the received parameter directly to the lg_sprintf() function, where it is used as the format string. An attacker can thus send a parameter containing format directives to this procedure, in order to corrupt memory with "%n".
A network attacker can therefore send a malicious message to EMC NetWorker, in order to generate a format string attack, leading to code execution.
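The pattern described above, as an added example (not EMC's code and not part of the bulletin): it contrasts using a received parameter as the format string with passing it as data, and adds a check that flags conversion directives in untrusted input. Assumptions: snprintf() stands in for lg_sprintf(), whose signature the bulletin does not give, and the names handle_unsafe, handle_safe and scan_directives are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: snprintf() stands in for lg_sprintf(); names are hypothetical. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable pattern: the received parameter IS the format string, so every
 * conversion it contains is interpreted, including %n, which writes memory. */
int handle_unsafe(char *out, size_t n, const char *param)
{
    return snprintf(out, n, param);
}

/* Fixed pattern: constant format, received parameter passed as data only. */
int handle_safe(char *out, size_t n, const char *param)
{
    return snprintf(out, n, "%s", param);
}

/* Defensive check: count printf conversions in untrusted input and report
 * whether one is %n. "%%" is a literal percent sign and is not counted. */
int scan_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        s++;
        if (*s == '%') continue;                 /* literal percent */
        s += strspn(s, "-+ #0123456789.*$");     /* flags, width, precision */
        s += strspn(s, "hlLqjzt");               /* length modifiers */
        if (*s == '\0') break;                   /* truncated directive */
        if (strchr("diouxXeEfFgGaAcspn", *s)) {
            count++;
            if (*s == 'n') *has_n = 1;
        }
    }
    return count;
}

int main(void)
{
    char a[32], b[32];
    int has_n;
    handle_unsafe(a, sizeof a, "100%%");         /* constructed, benign input */
    handle_safe(b, sizeof b, "100%%");
    printf("unsafe=[%s] safe=[%s] directives=%d\n", a, b,
           scan_directives("%x%n", &has_n));
    return 0;
}
```

With the benign input, the unsafe handler collapses "%%" to "%" while the safe handler preserves the bytes unchanged, which shows that the parameter is being interpreted rather than copied.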