22-Jan-2010: CVE-2010-0071

CVE-2010-0071, discovered by me, was patched in CPUjan2010:

The CVSS Base Score of 10.0 for the Windows platform denotes that a successful exploitation of this vulnerability can result in a full compromise of the targeted system down to the Operating System level. However, for Linux, Unix, and other platforms, a compromise down to the Operating System is not possible. For these platforms, a successful exploitation of the vulnerability will result in a compromise limited to the database server layer.

Here is the PoC (a Python script). It is not a full exploit; what it does is this: while running on win32, the nsglvcrt() Listener function attempts to allocate a huge memory block and copy *something* into it.

TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))

(addresses are for TNS Listener win32 unpatched)

If I'm correct, the nsglvcrt() function is involved in new service creation.
