CVE-2012-2288
published 2012-09-04


Priority: P2 (71) · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available (Metasploit module)
EPSS: 33.12% (98.2nd percentile)
Format string vulnerability in the nsrd RPC service in EMC NetWorker 7.6.3 and 7.6.4 before 7.6.4.1, and 8.0 before 8.0.0.1, allows remote attackers to execute arbitrary code via format string specifiers in a message.

Affected

3 ranges
Vendor  Product    Version range  Fixed in
emc     networker
emc     networker
emc     networker

Detection & IOCs (extracted from sources)

other: RPC program number 0x5F3DD, version 0x02, procedure 0x06
filename: liblocal.dll
command: %n (repeated 156 times) followed by packed return address
bytes: \x81\xc4\x54\xf2\xff\xff
  • Detect exploit attempts by monitoring for TCP RPC calls to SunRPC program number 0x5F3DD (390109 decimal), version 2, procedure 6 targeting the nsrd service.
  • Alert on RPC payloads containing long sequences of '%n' format string specifiers (156+ repetitions) directed at the nsrd service, indicative of format string exploitation.
  • Look for the stack-adjustment prepend encoder bytes (\x81\xc4\x54\xf2\xff\xff) in RPC payloads to the nsrd service as a shellcode delivery indicator.
  • Monitor for ROP chain addresses from MSVCR71.dll (e.g., 0x7c354dac, 0x7c345c30) appearing in network traffic to the nsrd RPC service, indicating a DEP-bypass exploit attempt.
  • The vulnerability is in the lg_sprintf function within liblocal.dll; monitor for unexpected crashes or code execution originating from liblocal.dll in EMC NetWorker processes.
  • The Metasploit module targets only Windows platforms (XP SP3 and 2003 SP2); ROP gadget addresses are hardcoded to MSVCR71.dll and will not work against patched or different OS/library versions.
  • The DEP bypass ROP chain is specific to MSVCR71.dll addresses; systems with ASLR enabled or different DLL load addresses will not be exploitable via this module without modification.
  • Payload bad characters (\x00, \x0d, \x0a, \x25, \x2a) must be avoided; detection signatures should account for encoded payloads that bypass these constraints.
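The first three detection points above as a small network detector (an added example, not code from cvebase or from the Metasploit module the record describes): it parses a TCP-framed ONC RPC CALL header per the RFC 5531 layout, matches program 0x5F3DD / version 2 / procedure 6, and flags argument bytes that carry a run of '%n' at or above the 156 repetitions named or the stack-adjust prepend bytes. The AUTH_NULL credentials and the sample records it builds are constructed assumptions, not captured traffic.

```python
import re
import struct

# Indicator values quoted in the detection list above (0x5F3DD == 390109 decimal).
NSRD_PROG, NSRD_VERS, NSRD_PROC = 0x5F3DD, 2, 6
FMT_RUN_THRESHOLD = 156                     # '%n' repetitions named in the record
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"  # prepend-encoder bytes named in the record


def parse_rpc_call(record: bytes):
    """Parse one TCP-framed ONC RPC CALL (RFC 5531 layout); None if not a v2 CALL."""
    if len(record) < 4:
        return None
    marker, = struct.unpack(">I", record[:4])          # record-marking word
    body = record[4:4 + (marker & 0x7FFFFFFF)]
    if len(body) < 24:
        return None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", body[:24])
    if msg_type != 0 or rpcvers != 2:                   # msg_type 0 == CALL
        return None
    off = 24                                            # skip cred and verf opaque_auth
    for _ in range(2):
        if len(body) < off + 8:
            return None
        _flavor, alen = struct.unpack(">II", body[off:off + 8])
        off += 8 + ((alen + 3) & ~3)                    # XDR pads opaque data to 4 bytes
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "args": body[off:]}


def inspect_nsrd_call(record: bytes) -> list:
    """Alert reasons for a call to the nsrd prog/vers/proc carrying the indicators above."""
    call = parse_rpc_call(record)
    if call is None or (call["prog"], call["vers"], call["proc"]) != (NSRD_PROG, NSRD_VERS, NSRD_PROC):
        return []
    args, reasons = call["args"], []
    run = max((len(m) // 2 for m in re.findall(rb"(?:%n)+", args)), default=0)
    if run >= FMT_RUN_THRESHOLD:
        reasons.append(f"{run} consecutive %n specifiers")
    if STACK_ADJUST in args:
        reasons.append("stack-adjust prepend bytes present")
    return reasons


def build_record(prog: int, vers: int, proc: int, args: bytes) -> bytes:
    """Constructed sample: a single last-fragment CALL with AUTH_NULL cred and verf."""
    body = struct.pack(">6I", 0x1234, 0, 2, prog, vers, proc) + struct.pack(">4I", 0, 0, 0, 0) + args
    return struct.pack(">I", 0x80000000 | len(body)) + body


if __name__ == "__main__":
    # Constructed traffic: a benign nsrd call and one carrying a long '%n' run.
    print(inspect_nsrd_call(build_record(NSRD_PROG, NSRD_VERS, NSRD_PROC, b"hostname\x00")))  # []
    print(inspect_nsrd_call(build_record(NSRD_PROG, NSRD_VERS, NSRD_PROC, b"%n" * 160)))      # ['160 consecutive %n specifiers']
```

Real traffic may split a call across several record-marking fragments; reassemble fragments until the last-fragment bit is set before handing the record to the parser.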