CVE-2002-0965
Published: 2002-10-04


Priority: P346
Severity: high, CVSS 2.0 base score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 69.81% (99.3rd percentile)
Buffer overflow in TNS Listener for Oracle 9i Database Server on Windows systems, and Oracle 8 on VM, allows local users to execute arbitrary code via a long SERVICE_NAME parameter, which is not properly handled when writing an error message to a log file.

Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| oracle | oracle9i | | |
| oracle | oracle9i | | |
| oracle | oracle9i | | |

Detection & IOCs (extracted from sources)

port: 1521
other: 0x60a1e154
command: (CONNECT_DATA=(COMMAND=VERSION))
command: (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<rhost>(PORT=<rport>))(CONNECT_DATA=(SERVICE_NAME=<overflow_buff>)(CID=(PROGRAM=MSF))))
  • Detect TNS packets with an abnormally long SERVICE_NAME field (>6392 bytes) in the CONNECT_DATA, which is the overflow trigger for this vulnerability.
  • Monitor TNS traffic on port 1521 for CONNECT_DATA packets containing CID=(PROGRAM=MSF), which is a Metasploit-specific fingerprint left in the exploit packet.
  • Use the TNS VERSION command probe (CONNECT_DATA=(COMMAND=VERSION)) followed by a check for '32-bit Windows: Version 8.1.7.0.0' in the response as an attacker reconnaissance indicator.
  • Flag exploit payloads using a stack adjustment of -3500 bytes combined with a short JMP over a NOP sled targeting return address 0x60a1e154 on Oracle 8.1.7.0.0 Windows targets.
  • Bad characters for payload filtering in this exploit include null bytes and common URL/shell metacharacters; payloads will consist of uppercase alpha text with these bytes absent.
  • The exploit targets only Oracle 8.1.7.0.0 Standard Edition on Windows 2000 and Windows 2003; the return address 0x60a1e154 is version-specific and will not work on other builds.
  • The vulnerability is described as local on Windows and also affects Oracle 8 on VM; the Metasploit module treats it as a remote network exploit over TCP/1521, so detection scope should cover both local and network attack vectors.
  • The payload space is limited to 600 bytes; shellcode larger than this will not fit within the exploit's buffer constraints.