24-Jul-2009: CVE-2009-1970 PoC (CPUjul2009)

This PoC works with at least these Listeners:

11.1.0.6.0 win32

10.2.0.4 win32

10.1.0.5 win32

It makes Listener crashing and require relatively fast network. On other side, server's heavy load may be very helpful environment for this.

Basically, all what it do, is just sending these two TNS commands to host, in eternal loop:

(CONNECT_DATA=(COMMAND=service_register)(SERVICE_ID=1CB5887660D7-11DD-9EBE-000C29E11606)(ADDRESS=(PROTOCOL=TCP)(HOST=some_host)(PORT=1098))(FLAGS=2))

and

(CONNECT_DATA=(COMMAND=service_register)(SERVICE_ID=1CB5887660D7-11DD-9EBE-000C29E11606)(ADDRESS=(PROTOCOL=TCP)(HOST=some_host)(PORT=1098))(FLAGS=2)(HANDOFF=OFF))

Probably, it is not a matter of service_register command parameters, but parameters set should be slightly different.

Use hostname or IP-address of victim host as argument in command-line and run.

If I'm correct (I may not) this problem is related to nsdisc() function in network layer. Listener closes connection using this function. It frees some memory, but the same chunk of memory is used again for next connection.

Download source code + win32 executable.


This open sourced site and this page in particular is hosted on GitHub. Patches, suggestions and comments are welcome.


→ [list of blog posts, my twitter/facebook]

Please drop me email about any bug(s) and suggestion(s): dennis(@)yurichev.com.