CVE-2009-1138 | Vulnerability Database | Aqua Security

The LDAP service in Active Directory on Microsoft Windows 2000 SP4 does not properly free memory for LDAP and LDAPS requests, which allows remote attackers to execute arbitrary code via a request that uses hexadecimal encoding, whose associated memory is not released, related to a DN AttributeValue, aka Active Directory Invalid Free Vulnerability. NOTE: this issue is probably a memory leak.

Affected Software

Name	Vendor	Start Version	End Version
Windows_2000	Microsoft	*	*

References

http://support.avaya.com/elmodocs2/security/ASA-2009-214.htm
http://www.securitytracker.com/id?1022349
http://osvdb.org/54937
http://secunia.com/advisories/35355
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=804
http://www.securityfocus.com/bid/35226
http://www.vupen.com/english/advisories/2009/1537
http://www.us-cert.gov/cas/techalerts/TA09-160A.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6180
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-018

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-1138
CWE	https://cwe.mitre.org/data/definitions/399.html