CVE-2004-2386

Format string vulnerability in the LogMsg function in sercd before 2.3.1 and sredird 2.2.1 and earlier allows remote attackers to execute arbitrary code via format string specifiers passed from the HandleCPCCommand function.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
Sredird	Denis_sbragion	1.0 (including)	1.0 (including)
Sredird	Denis_sbragion	1.1.6 (including)	1.1.6 (including)
Sredird	Denis_sbragion	1.1.7 (including)	1.1.7 (including)
Sredird	Denis_sbragion	1.1.8 (including)	1.1.8 (including)
Sredird	Denis_sbragion	2.0 (including)	2.0 (including)
Sredird	Denis_sbragion	2.1 (including)	2.1 (including)
Sredird	Denis_sbragion	2.2 (including)	2.2 (including)
Sredird	Denis_sbragion	2.2.1 (including)	2.2.1 (including)
Sercd	Peter_astrand	2.3.0 (including)	2.3.0 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://cvs.lysator.liu.se/viewcvs/viewcvs.cgi/sercd/sercd.c?root=sercd
http://secunia.com/advisories/12351
http://securitytracker.com/id?1011038
http://www.osvdb.org/8375
http://www.osvdb.org/9104
http://www.securityfocus.com/bid/11002
http://www.securityfocus.com/bid/11031
https://exchange.xforce.ibmcloud.com/vulnerabilities/17056
http://cvs.lysator.liu.se/viewcvs/viewcvs.cgi/sercd/sercd.c?root=sercd
http://secunia.com/advisories/12351
http://securitytracker.com/id?1011038
http://www.osvdb.org/8375
http://www.osvdb.org/9104
http://www.securityfocus.com/bid/11002
http://www.securityfocus.com/bid/11031
https://exchange.xforce.ibmcloud.com/vulnerabilities/17056

NVD	https://nvd.nist.gov/vuln/detail/CVE-2004-2386
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References