CVE-2008-5982

Format string vulnerability in BMC PATROL Agent before 3.7.30 allows remote attackers to execute arbitrary code via format string specifiers in an invalid version number to TCP port 3181, which are not properly handled when writing a log message.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
Patrol_agent	Bmc	*	3.7 (including)
Patrol_agent	Bmc	3.2 (including)	3.2 (including)
Patrol_agent	Bmc	3.2.3 (including)	3.2.3 (including)
Patrol_agent	Bmc	3.2.5 (including)	3.2.5 (including)
Patrol_agent	Bmc	3.2.7 (including)	3.2.7 (including)
Patrol_agent	Bmc	3.3.00 (including)	3.3.00 (including)
Patrol_agent	Bmc	3.4.00 (including)	3.4.00 (including)
Patrol_agent	Bmc	3.4.11 (including)	3.4.11 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://secunia.com/advisories/33049
http://www.securityfocus.com/archive/1/499013/100/0/threaded
http://www.securityfocus.com/bid/32692
http://www.securitytracker.com/id?1021361
http://www.vupen.com/english/advisories/2008/3379
http://www.zerodayinitiative.com/advisories/ZDI-08-082/
https://exchange.xforce.ibmcloud.com/vulnerabilities/47175
http://secunia.com/advisories/33049
http://www.securityfocus.com/archive/1/499013/100/0/threaded
http://www.securityfocus.com/bid/32692
http://www.securitytracker.com/id?1021361
http://www.vupen.com/english/advisories/2008/3379
http://www.zerodayinitiative.com/advisories/ZDI-08-082/
https://exchange.xforce.ibmcloud.com/vulnerabilities/47175

NVD	https://nvd.nist.gov/vuln/detail/CVE-2008-5982
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References