_HEADER_HL1(`22-Jan-2010: CVE-2010-0071')
<p>CVE-2010-0071, discovered by me, was patched in CPUjan2010:</p>
<p><a href="">The CVSS Base Score of 10.0 for the Windows platform denotes that a successful exploitation of this vulnerability can result in a full compromise of the targeted system down to the Operating System level. However, for Linux, Unix, and other platforms, a compromise down to the Operating System is not possible. For these platforms, a successful exploitation of the vulnerability will result in a compromise limited to the database server layer.</a></p>
<p><a href="//">Here is the PoC</a> (Python script). It is not a full exploit; what it does is: while running on win32, the nsglvcrt() Listener function attempts to allocate a huge memory block and copy *something* into it.</p>
<pre>
TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))
</pre>
<p>(addresses are for TNS Listener win32 unpatched)</p>
<p>If I am correct, the nsglvcrt() function is involved in new service creation.</p>
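<p>A small triage helper for API-hook traces in the format quoted above, added here as an example (it is not part of the original post or of the PoC): it correlates each malloc call with its returned address and flags oversized requests, copies with a NULL source, and copies larger than the destination allocation. The 16 MiB threshold is an assumed triage value, not something the page states.</p>

```python
import re

# Constructed sample: the three hook-trace lines quoted on the page.
TRACE = """\
TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))
"""

# "TID=<n>|(<depth>) <module!func> (<args>) (called from <addr> (<symbol>))"
CALL_RE = re.compile(
    r"^TID=(\d+)\|\(\d+\) (\S+) \(([^)]*)\)(?: \(called from (\S+) \((\S+)\)\))?$")
# "TID=<n>|(<depth>) <module!func> -> <retval>"
RET_RE = re.compile(r"^TID=(\d+)\|\(\d+\) (\S+) -> (\S+)$")

MAX_SANE_ALLOC = 16 * 1024 * 1024  # assumed triage threshold (not from the page)


def parse_int(tok: str) -> int:
    tok = tok.strip()
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def analyze(trace: str) -> list:
    """Return human-readable findings for suspicious malloc/memcpy pairs."""
    findings = []
    pending = {}  # (tid, func) -> args of the call still awaiting its return
    allocs = {}   # (tid, heap address) -> requested size
    for line in trace.splitlines():
        m = CALL_RE.match(line)
        if m:
            tid, func, argstr, _, caller = m.groups()
            args = [parse_int(a) for a in argstr.split(",") if a.strip()]
            pending[(tid, func)] = args
            name = func.split("!")[-1]
            if name == "malloc" and args and args[0] > MAX_SANE_ALLOC:
                findings.append(f"tid {tid}: oversized malloc({args[0]:#x}) from {caller}")
            elif name.endswith("memcpy") and len(args) == 3:
                dst, src, n = args
                if src == 0:
                    findings.append(f"tid {tid}: memcpy from NULL source, len {n:#x}, from {caller}")
                size = allocs.get((tid, dst))
                if size is not None and n > size:
                    findings.append(f"tid {tid}: memcpy len {n:#x} exceeds allocation {size:#x}")
            continue
        m = RET_RE.match(line)
        if m:
            tid, func, ret = m.groups()
            args = pending.pop((tid, func), None)
            if func.split("!")[-1] == "malloc" and args:
                allocs[(tid, parse_int(ret))] = args[0]  # remember size per address
    return findings
```

On the quoted trace this reports the 0x4222fc5-byte allocation and the NULL-source copy, but not an overrun, since the copy length 0x4222fc4 is within the block.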