
22-Jan-2010: CVE-2010-0071

source link: https://yurichev.com/blog/38/
Dennis Yurichev


CVE-2010-0071, which I discovered, was patched in CPUjan2010:

The CVSS Base Score of 10.0 for the Windows platform denotes that a successful exploitation of this vulnerability can result in a full compromise of the targeted system down to the Operating System level. However, for Linux, Unix, and other platforms, a compromise down to the Operating System is not possible. For these platforms, a successful exploitation of the vulnerability will result in a compromise limited to the database server layer.

Here is the PoC (a Python script). It is not a full exploit; what it does is: while run against 11.1.0.7.0 win32, the Listener function nsglvcrt() attempts to allocate a huge memory block and copy *something* into it.

TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))

(addresses are for the unpatched TNS Listener 11.1.0.7.0 win32)

If I am correct, the nsglvcrt() function is involved in new service creation.
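As an added illustration, not part of the original post or of the PoC, here is a small Python analyser for the hooked-call trace format quoted above: it pairs each malloc with the pointer on its "->" line and flags a large allocation whose buffer immediately becomes the destination of a memcpy of near-identical length, recording whether the source address is 0, which is exactly the pattern the three trace lines show. The line grammar, the regular expressions and the 16 MiB threshold are my assumptions inferred from those three lines; the sample input is constructed from them plus one benign malloc pair.

```python
import re

# Constructed sample: the three trace lines quoted in the post plus one benign
# malloc/return pair that the heuristic must not flag.
TRACE = """\
TID=3052|(1) MSVCR71.dll!malloc (0x100) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530010
TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))
"""

# Line grammar inferred from the quoted lines; an assumption, not a documented format.
CALL_RE = re.compile(r"^TID=(\d+)\|\(\d+\) (\S+) \((.*?)\) \(called from (0x[0-9a-f]+) \(([^)]+)\)\)$")
RET_RE = re.compile(r"^TID=(\d+)\|\(\d+\) (\S+) -> (0x[0-9a-f]+)$")

def parse_trace(text):
    """One dict per hooked call; a '->' line fills the return value of the most
    recent unmatched call with the same thread id and function name."""
    events = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            tid, func, args, _ret_addr, caller = m.groups()
            events.append({"tid": tid, "func": func, "caller": caller, "ret": None,
                           "args": [int(a, 16) for a in args.split(", ")]})
            continue
        m = RET_RE.match(line)
        if m:
            tid, func, ret = m.groups()
            for ev in reversed(events):  # pair with the latest still-open call
                if ev["tid"] == tid and ev["func"] == func and ev["ret"] is None:
                    ev["ret"] = int(ret, 16)
                    break
    return events

def find_oversized_copies(events, size_limit=0x1000000):
    """Flag memcpy calls whose destination came from a malloc larger than size_limit
    bytes (16 MiB by default, an arbitrary threshold); a null source is noted too."""
    big_bufs = {ev["ret"]: ev for ev in events
                if ev["func"].endswith("!malloc") and ev["ret"] is not None
                and ev["args"][0] > size_limit}
    findings = []
    for ev in events:
        if ev["func"].endswith("memcpy") and len(ev["args"]) == 3:
            dst, src, n = ev["args"]
            if dst in big_bufs:
                findings.append({"caller": ev["caller"], "alloc_size": big_bufs[dst]["args"][0],
                                 "copy_size": n, "null_src": src == 0})
    return findings
```

Running `find_oversized_copies(parse_trace(TRACE))` yields one finding, attributed to nsglvcrt+0xab, with a 0x4222fc5-byte allocation, a 0x4222fc4-byte copy and a null source.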



