Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
  home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
The Vigil@nce team watches vulnerabilities impacting your computers, and then offers solutions, a database and tools to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability announce CVE-2012-2288

EMC NetWorker: format string in nsrd

Synthesis of the vulnerability

A network attacker can send a malicious message to EMC NetWorker, in order to generate a format string attack, leading to code execution.
Impacted products: NetWorker.
Severity: 3/4.
Creation date: 31/08/2012.
Identifiers: BID-55330, CERTA-2012-AVI-481, CVE-2012-2288, EIP-2012-0001, ESA-2012-038, VIGILANCE-VUL-11912.

Description of the vulnerability

The RPC nsrd service of EMC NetWorker processes save and restore operations.

However, the RPC procedure 0x06 of service 0x5F3DD version 0x02 directly transmits the received parameter to the lg_sprintf() function. An attacker can thus send a format parameter to this procedure, in order to corrupt the memory with "%n".

A network attacker can therefore send a malicious message to EMC NetWorker, in order to generate a format string attack, leading to code execution.
Complete Vigil@nce bulletin.... (free access)

Share this bulletin

Delicious Digg Facebook Google bookmarks LinkedIn Mail Reddit StumbleUpon Technorati Twitter 

Computer vulnerabilities tracking service

Vigil@nce provides an applications vulnerabilities note. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.



















Copyright 1999-2014 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française