Vulnerabilities > CVE-2010-4345

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
exim
opensuse
debian
canonical
nessus
exploit available
metasploit

Summary

Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.

Exploit-Db

descriptionExim4. CVE-2010-4344,CVE-2010-4345. Remote exploit for linux platform
idEDB-ID:16925
last seen2016-02-02
modified2010-12-16
published2010-12-16
reportermetasploit
sourcehttps://www.exploit-db.com/download/16925/
titleExim4 <= 4.69 - string_format Function Heap Buffer Overflow

Metasploit

descriptionThis module exploits a heap buffer overflow within versions of Exim prior to version 4.69. By sending a specially crafted message, an attacker can corrupt the heap and execute arbitrary code with the privileges of the Exim daemon. The root cause is that no check is made to ensure that the buffer is not full prior to handling '%s' format specifiers within the 'string_vformat' function. In order to trigger this issue, we get our message rejected by sending a message that is too large. This will call into log_write to log rejection headers (which is a default configuration setting). After filling the buffer, a long header string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL FROM' command. By sending a second message, the string we sent will be evaluated with 'expand_string' and arbitrary shell commands can be executed. It is likely that this issue could also be exploited using other techniques such as targeting in-band heap management structures, or perhaps even function pointers stored in the heap. However, these techniques would likely be far more platform specific, more complicated, and less reliable. This bug was original found and reported in December 2008, but was not properly handled as a security issue. Therefore, there was a 2 year lag time between when the issue was fixed and when it was discovered being exploited in the wild. At that point, the issue was assigned a CVE and began being addressed by downstream vendors. An additional vulnerability, CVE-2010-4345, was also used in the attack that led to the discovery of danger of this bug. This bug allows a local user to gain root privileges from the Exim user account. If the Perl interpreter is found on the remote system, this module will automatically exploit the secondary bug as well to get root.
idMSF:EXPLOIT/UNIX/SMTP/EXIM4_STRING_FORMAT
last seen2020-01-17
modified2018-09-15
published2010-12-11
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/smtp/exim4_string_format.rb
titleExim4 string_format Function Heap Buffer Overflow

Nessus

  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2011-0153.NASL
    descriptionUpdated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on UNIX systems connected to the Internet. A privilege escalation flaw was discovered in Exim. If an attacker were able to gain access to the
    last seen2020-06-01
    modified2020-06-02
    plugin id51785
    published2011-01-28
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51785
    titleCentOS 4 / 5 : exim (CESA-2011:0153)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2011:0153 and 
    # CentOS Errata and Security Advisory 2011:0153 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(51785);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:05");
    
      script_cve_id("CVE-2010-4345");
      script_bugtraq_id(45341);
      script_xref(name:"RHSA", value:"2011:0153");
    
      script_name(english:"CentOS 4 / 5 : exim (CESA-2011:0153)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated exim packages that fix one security issue are now available
    for Red Hat Enterprise Linux 4 and 5.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    Exim is a mail transport agent (MTA) developed at the University of
    Cambridge for use on UNIX systems connected to the Internet.
    
    A privilege escalation flaw was discovered in Exim. If an attacker
    were able to gain access to the 'exim' user, they could cause Exim to
    execute arbitrary commands as the root user. (CVE-2010-4345)
    
    This update adds a new configuration file,
    '/etc/exim/trusted-configs'. To prevent Exim from running arbitrary
    commands as root, Exim will now drop privileges when run with a
    configuration file not listed as trusted. This could break backwards
    compatibility with some Exim configurations, as the trusted-configs
    file only trusts '/etc/exim/exim.conf' and '/etc/exim/exim4.conf' by
    default. If you are using a configuration file not listed in the new
    trusted-configs file, you will need to add it manually.
    
    Additionally, Exim will no longer allow a user to execute exim as root
    with the -D command line option to override macro definitions. All
    macro definitions that require root permissions must now reside in a
    trusted configuration file.
    
    Users of Exim are advised to upgrade to these updated packages, which
    contain a backported patch to correct this issue. After installing
    this update, the exim daemon will be restarted automatically."
      );
      # https://lists.centos.org/pipermail/centos-announce/2011-April/017338.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1d0d8bfd"
      );
      # https://lists.centos.org/pipermail/centos-announce/2011-April/017339.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?166cc0bc"
      );
      # https://lists.centos.org/pipermail/centos-announce/2011-January/017243.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?87ec4edb"
      );
      # https://lists.centos.org/pipermail/centos-announce/2011-January/017244.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?be520bee"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:exim-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:exim-mon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:exim-sa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x / 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"exim-4.43-1.RHEL4.5.el4_8.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"exim-4.43-1.RHEL4.5.el4_8.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"exim-doc-4.43-1.RHEL4.5.el4_8.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"exim-doc-4.43-1.RHEL4.5.el4_8.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"exim-mon-4.43-1.RHEL4.5.el4_8.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"exim-mon-4.43-1.RHEL4.5.el4_8.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"exim-sa-4.43-1.RHEL4.5.el4_8.3")) flag++;
    if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"exim-sa-4.43-1.RHEL4.5.el4_8.3")) flag++;
    
    if (rpm_check(release:"CentOS-5", reference:"exim-4.63-5.el5_6.2")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"exim-mon-4.63-5.el5_6.2")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"exim-sa-4.63-5.el5_6.2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-doc / exim-mon / exim-sa");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2154.NASL
    descriptionA design flaw (CVE-2010-4345 ) in exim4 allowed the local Debian-exim user to obtain root privileges by specifying an alternate configuration file using the -C option or by using the macro override facility (-D option). Unfortunately, fixing this vulnerability is not possible without some changes in exim4
    last seen2020-03-17
    modified2011-01-31
    plugin id51819
    published2011-01-31
    reporterThis script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51819
    titleDebian DSA-2154-1 : exim4 - privilege escalation
  • NASL familySMTP problems
    NASL idEXIM_STRING_VFORMAT.NASL
    descriptionA heap overflow vulnerability exists in the version of exim installed on the remote host. By sending a specially crafted message to the server, a remote attacker can leverage this vulnerability to execute arbitrary code on the server with the privilege of the exim server. A separate vulnerability that Nessus didn
    last seen2020-06-01
    modified2020-06-02
    plugin id51179
    published2010-12-15
    reporterThis script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51179
    titleExim string_format Function Remote Overflow
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_EXIM-101211.NASL
    descriptionremote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345).
    last seen2020-06-01
    modified2020-06-02
    plugin id53715
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53715
    titleopenSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_EXIM-101211.NASL
    descriptionremote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345).
    last seen2020-06-01
    modified2020-06-02
    plugin id53657
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53657
    titleopenSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1060-1.NASL
    descriptionIt was discovered that Exim contained a design flaw in the way it processed alternate configuration files. An attacker that obtained privileges of the
    last seen2020-06-01
    modified2020-06-02
    plugin id51954
    published2011-02-11
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51954
    titleUbuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : exim4 vulnerabilities (USN-1060-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-0153.NASL
    descriptionUpdated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on UNIX systems connected to the Internet. A privilege escalation flaw was discovered in Exim. If an attacker were able to gain access to the
    last seen2020-06-01
    modified2020-06-02
    plugin id51562
    published2011-01-18
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51562
    titleRHEL 4 / 5 : exim (RHSA-2011:0153)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2131.NASL
    descriptionSeveral vulnerabilities have been found in exim4 that allow a remote attacker to execute arbitrary code as root user. Exploits for these issues have been seen in the wild. This update fixes a memory corruption issue that allows a remote attacker to execute arbitrary code as the Debian-exim user (CVE-2010-4344 ). A fix for an additional issue that allows the Debian-exim user to obtain root privileges (CVE-2010-4345 ) is currently being checked for compatibility issues. It is not yet included in this upgrade but will released soon in an update to this advisory.
    last seen2020-06-01
    modified2020-06-02
    plugin id51128
    published2010-12-12
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51128
    titleDebian DSA-2131-1 : exim4 - arbitrary code execution
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_E4FCF020044711E0BECC0022156E8794.NASL
    descriptionDavid Woodhouse reports : Secondly a privilege escalation where the trusted
    last seen2020-06-01
    modified2020-06-02
    plugin id51446
    published2011-01-10
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51446
    titleFreeBSD : exim -- local privilege escalation (e4fcf020-0447-11e0-becc-0022156e8794)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_EXIM-101211.NASL
    descriptionremote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345).
    last seen2020-06-01
    modified2020-06-02
    plugin id75481
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75481
    titleopenSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-0153.NASL
    descriptionFrom Red Hat Security Advisory 2011:0153 : Updated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on UNIX systems connected to the Internet. A privilege escalation flaw was discovered in Exim. If an attacker were able to gain access to the
    last seen2020-06-01
    modified2020-06-02
    plugin id68180
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68180
    titleOracle Linux 4 / 5 : exim (ELSA-2011-0153)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201401-32.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201401-32 (Exim: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with root privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id72159
    published2014-01-28
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72159
    titleGLSA-201401-32 : Exim: Multiple vulnerabilities
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20110117_EXIM_ON_SL4_X.NASL
    descriptionA privilege escalation flaw was discovered in Exim. If an attacker were able to gain access to the
    last seen2020-06-01
    modified2020-06-02
    plugin id60936
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60936
    titleScientific Linux Security Update : exim on SL4.x, SL5.x i386/x86_64

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/96605/exim4_string_format.rb.txt
idPACKETSTORM:96605
last seen2016-12-05
published2010-12-11
reporterH D Moore
sourcehttps://packetstormsecurity.com/files/96605/Exim4-4.69-string_format-Function-Heap-Buffer-Overflow.html
titleExim4 <= 4.69 string_format Function Heap Buffer Overflow

Redhat

advisories
bugzilla
id662012
titleCVE-2010-4345 exim privilege escalation
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • commentexim-sa is earlier than 0:4.43-1.RHEL4.5.el4_8.3
          ovaloval:com.redhat.rhsa:tst:20110153001
        • commentexim-sa is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20100970006
      • AND
        • commentexim-doc is earlier than 0:4.43-1.RHEL4.5.el4_8.3
          ovaloval:com.redhat.rhsa:tst:20110153003
        • commentexim-doc is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20100970008
      • AND
        • commentexim-mon is earlier than 0:4.43-1.RHEL4.5.el4_8.3
          ovaloval:com.redhat.rhsa:tst:20110153005
        • commentexim-mon is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20100970002
      • AND
        • commentexim is earlier than 0:4.43-1.RHEL4.5.el4_8.3
          ovaloval:com.redhat.rhsa:tst:20110153007
        • commentexim is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20100970004
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentexim-mon is earlier than 0:4.63-5.el5_6.2
          ovaloval:com.redhat.rhsa:tst:20110153010
        • commentexim-mon is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20100970011
      • AND
        • commentexim is earlier than 0:4.63-5.el5_6.2
          ovaloval:com.redhat.rhsa:tst:20110153012
        • commentexim is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20100970013
      • AND
        • commentexim-sa is earlier than 0:4.63-5.el5_6.2
          ovaloval:com.redhat.rhsa:tst:20110153014
        • commentexim-sa is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20100970015
rhsa
idRHSA-2011:0153
released2011-01-17
severityModerate
titleRHSA-2011:0153: exim security update (Moderate)
rpms
  • exim-0:4.43-1.RHEL4.5.el4_8.3
  • exim-0:4.63-5.el5_6.2
  • exim-debuginfo-0:4.43-1.RHEL4.5.el4_8.3
  • exim-debuginfo-0:4.63-5.el5_6.2
  • exim-doc-0:4.43-1.RHEL4.5.el4_8.3
  • exim-mon-0:4.43-1.RHEL4.5.el4_8.3
  • exim-mon-0:4.63-5.el5_6.2
  • exim-sa-0:4.43-1.RHEL4.5.el4_8.3
  • exim-sa-0:4.63-5.el5_6.2

Seebug

bulletinFamilyexploit
descriptionNo description provided by source.
idSSV:71417
last seen2017-11-19
modified2014-07-01
published2014-07-01
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-71417
titleExim4 <= 4.69 - string_format Function Heap Buffer Overflow

References