CVE-2010-0071, which I discovered, was patched in CPUjan2010:
The CVSS Base Score of 10.0 for the Windows platform denotes that a successful exploitation of this vulnerability can result in a full compromise of the targeted system down to the Operating System level. However, for Linux, Unix, and other platforms, a compromise down to the Operating System is not possible. For these platforms, a successful exploitation of the vulnerability will result in a compromise limited to the database server layer.
Here is a PoC (Python script). It is not a full exploit. What it does: while running on 18.104.22.168.0 win32, the Listener function nsglvcrt() attempts to allocate a huge memory block and copy *something* to it.
TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))
(addresses are for TNS Listener 22.214.171.124.0 win32 unpatched)
If I am correct, the nsglvcrt() function is involved in new service creation.
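The trace above can be triaged mechanically. The following Python script is an added example, not the author's PoC or tracer: it parses those three lines, pairs each malloc call with its return value, and flags the oversized allocation and the copy whose source pointer is 0. The 16 MiB threshold and the finding names are assumptions of the example.

```python
import re

# Trace lines copied from the post above (the only input this example uses).
TRACE = """\
TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))
"""

CALL = re.compile(r"TID=(\d+)\|\(\d+\) \S+?!(\w+) \(([^)]*)\) "
                  r"\(called from 0x[0-9a-fA-F]+ \((\S+?)\)\)")
RET = re.compile(r"TID=(\d+)\|\(\d+\) \S+?!(\w+) -> (\S+)")
HUGE = 16 * 1024 * 1024  # assumed review threshold, not a value from the post


def triage(trace, huge=HUGE):
    """Return (finding, caller, size) tuples for suspicious malloc/memcpy calls."""
    pending, live, findings = {}, {}, []  # tid -> malloc size; ptr -> size
    for line in trace.splitlines():
        call, ret = CALL.match(line), RET.match(line)
        if call:
            tid, func, raw, caller = call.groups()
            args = [int(a, 0) for a in raw.split(",") if a.strip()]
            if func == "malloc" and args:
                pending[tid] = args[0]
                if args[0] >= huge:
                    findings.append(("huge-alloc", caller, args[0]))
            elif func.endswith("memcpy") and len(args) == 3:
                dst, src, n = args
                if n and (src == 0 or dst == 0):
                    findings.append(("null-pointer-copy", caller, n))
                if n > live.get(dst, n):  # only checked for tracked buffers
                    findings.append(("copy-exceeds-alloc", caller, n))
        elif ret and ret.group(2) == "malloc" and ret.group(1) in pending:
            size, ptr = pending.pop(ret.group(1)), int(ret.group(3), 0)
            if ptr == 0:
                findings.append(("alloc-failed", "malloc", size))
            else:
                live[ptr] = size
    return findings


if __name__ == "__main__":
    for kind, caller, size in triage(TRACE):
        print(f"{kind:20} {caller:28} {size:#x} ({size} bytes)")
```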