CVE-2007-5247

Multiple format string vulnerabilities in the Monolith Lithtech engine, as used by First Encounter Assault Recon (F.E.A.R.) 1.08 and earlier, when Punkbuster (PB) is enabled, allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in (1) a PB_Y packet to the YPG server on UDP port 27888 or (2) a PB_U packet to UCON on UDP port 27888, different vectors than CVE-2004-1500. NOTE: this issue might be in Punkbuster itself, but there are insufficient details to be certain.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
First_encounter_assault_recon	Monolith_productions	*	1.08 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://aluigi.altervista.org/adv/fearfspb-adv.txt
http://aluigi.org/poc/fearfspb.zip
http://osvdb.org/45530
http://osvdb.org/45531
http://securityreason.com/securityalert/3197
http://www.securityfocus.com/archive/1/481231/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/36900
http://aluigi.altervista.org/adv/fearfspb-adv.txt
http://aluigi.org/poc/fearfspb.zip
http://osvdb.org/45530
http://osvdb.org/45531
http://securityreason.com/securityalert/3197
http://www.securityfocus.com/archive/1/481231/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/36900

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-5247
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References