TippingPoint Zero Day Initiative

BMC PatrolAgent Version Logging Format String Vulnerability

ZDI-08-082: December 8th, 2008


Affected Vendors

Affected Products


TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 6129. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of BMC PatrolAgent. Authentication is not required to exploit this vulnerability.

The specific flaw exists due to a format string handling error during log message writing. Supplying an invalid version number containing format string tokens to a vulnerable target on TCP port 3181 triggers an exploitable format string vulnerability which can result in arbitrary code execution.
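The bug class described above, shown as an added example that is not BMC's code and not part of the original advisory: a rejected version string is written to the log with a constant format string instead of being used as the format itself. The function names, the dotted-numeric version rule and the sample inputs are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator: accept only dotted-numeric versions ("3.7.30"). */
int version_is_wellformed(const char *v)
{
    size_t len = strlen(v);
    int prev_dot = 1;               /* start counts as "after a dot" */
    if (len == 0 || len > 32)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (isdigit(c))
            prev_dot = 0;
        else if (c == '.' && !prev_dot)
            prev_dot = 1;
        else
            return 0;               /* '%' and every other byte is rejected */
    }
    return !prev_dot;               /* no trailing dot */
}

/* Hypothetical handler: returns 1 if accepted, 0 if rejected and logged. */
int handle_version(const char *peer_version, char *logbuf, size_t logsz)
{
    if (version_is_wellformed(peer_version)) {
        logbuf[0] = '\0';
        return 1;
    }
    /* Vulnerable pattern: snprintf(logbuf, logsz, peer_version);
     * the peer's bytes would be parsed as conversion specifications.
     * Hardened: constant format string, peer data passed only as an argument;
     * the precision caps how much of it reaches the log. */
    snprintf(logbuf, logsz, "rejected version string: \"%.64s\"", peer_version);
    return 0;
}

int main(void)
{
    char logbuf[128];
    const char *samples[] = { "3.7.30", "%s%s%n", "3..7" };  /* constructed */
    for (size_t i = 0; i < 3; i++) {
        int ok = handle_version(samples[i], logbuf, sizeof logbuf);
        printf("%-8s -> %s %s\n", samples[i], ok ? "accepted" : "rejected", logbuf);
    }
    return 0;
}
```

Building with GCC or Clang and `-Wformat -Wformat-security` flags the non-literal format pattern at compile time.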

Vendor Response

BMC Software states:

BMC has issued an update to correct this vulnerability. Customers should upgrade PATROL Agent to version 3.7.30.

Disclosure Timeline

    2008-05-08 - Vulnerability reported to vendor
    2008-12-08 - Coordinated public release of advisory


This vulnerability was discovered by: