CVE-2009-1262

Format string vulnerability in Fortinet FortiClient 3.0.614, and possibly earlier, allows local users to execute arbitrary code via format string specifiers in the VPN connection name.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
Forticlient	Fortinet	3.0.614 (including)	3.0.614 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://lists.grok.org.uk/pipermail/full-disclosure/2009-April/068583.html
http://osvdb.org/53266
http://secunia.com/advisories/34524
http://www.layereddefense.com/FortiClient02Apr.html
http://www.securityfocus.com/archive/1/502354/100/0/threaded
http://www.securityfocus.com/archive/1/502602/100/0/threaded
http://www.securityfocus.com/bid/34343
http://www.securitytracker.com/id?1021966
http://www.vupen.com/english/advisories/2009/0941
https://exchange.xforce.ibmcloud.com/vulnerabilities/49633
http://lists.grok.org.uk/pipermail/full-disclosure/2009-April/068583.html
http://osvdb.org/53266
http://secunia.com/advisories/34524
http://www.layereddefense.com/FortiClient02Apr.html
http://www.securityfocus.com/archive/1/502354/100/0/threaded
http://www.securityfocus.com/archive/1/502602/100/0/threaded
http://www.securityfocus.com/bid/34343
http://www.securitytracker.com/id?1021966
http://www.vupen.com/english/advisories/2009/0941
https://exchange.xforce.ibmcloud.com/vulnerabilities/49633

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-1262
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References