CVE-2010-1039

NFS/ONCplus < b.11.31_09 - Remote Code Execution via Format String in RPC Request

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-1039. PoCs published by Rodrigo Rubira Branco.

AI-analyzed exploit summary This exploit targets a format string vulnerability in rpc.pcnfsd, specifically CVE-2010-1039. It sends maliciously crafted RPC requests to trigger the vulnerability, potentially leading to remote code execution on vulnerable systems.

Description

Format string vulnerability in the _msgout function in rpc.pcnfsd in IBM AIX 6.1, 5.3, and earlier; IBM VIOS 2.1, 1.5, and earlier; NFS/ONCplus B.11.31_09 and earlier on HP HP-UX B.11.11, B.11.23, and B.11.31; and SGI IRIX 6.5 allows remote attackers to execute arbitrary code via an RPC request containing format string specifiers in an invalid directory name.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Rodrigo Rubira Branco · cremoteaix

https://www.exploit-db.com/exploits/14407

View Code ZIP pw:eip

This exploit targets a format string vulnerability in rpc.pcnfsd, specifically CVE-2010-1039. It sends maliciously crafted RPC requests to trigger the vulnerability, potentially leading to remote code execution on vulnerable systems.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: rpc.pcnfsd (tested against AIX 6.1.0 and lower)

No auth needed

Prerequisites: Network access to the target system · rpc.pcnfsd service running on the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (26)

Core 26

Core References

Various Sources x_refsource_confirm

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=5088

Various Sources vendor-advisory x_refsource_aixapar

http://www.ibm.com/support/docview.wss?uid=isg1IZ75465

Various Sources vendor-advisory x_refsource_aixapar

http://www.ibm.com/support/docview.wss?uid=isg1IZ75440

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/64729

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/39911

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11986

Patch vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/40248

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id?1023994

Various Sources vendor-advisory x_refsource_aixapar

http://www.ibm.com/support/docview.wss?uid=isg1IZ75369

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2010/1213

Various Sources vendor-advisory x_refsource_aixapar

http://www.ibm.com/support/docview.wss?uid=isg1IZ73757

Various Sources vendor-advisory x_refsource_aixapar

http://www.ibm.com/support/docview.wss?uid=isg1IZ73599

Various Sources x_refsource_misc

http://www.checkpoint.com/defense/advisories/public/2010/cpai-13-May.html

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/511405/100/0/threaded

Vendor Advisory vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=127428077629933&w=2

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12103

Various Sources vendor-advisory x_refsource_aixapar

http://www.ibm.com/support/docview.wss?uid=isg1IZ73874

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2010/1199

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/39835

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/58718

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://securitytracker.com/id?1024016

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2010/1212

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2010/1211

Various Sources x_refsource_confirm

http://aix.software.ibm.com/aix/efixes/security/pcnfsd_advisory.asc

Various Sources vendor-advisory x_refsource_aixapar

http://www.ibm.com/support/docview.wss?uid=isg1IZ73590

Various Sources vendor-advisory x_refsource_aixapar

http://www.ibm.com/support/docview.wss?uid=isg1IZ73681

Scores

EPSS 0.2017

EPSS Percentile 97.1%

Details

CWE

CWE-134

Status published

Products (42)

hp/nfs\/oncplus < b.11.31_09

ibm/aix 1.2.1

ibm/aix 1.3

ibm/aix 2.2.1

ibm/aix 3.1

ibm/aix 3.2

ibm/aix 3.2.0

ibm/aix 3.2.4

ibm/aix 3.2.5

ibm/aix 4

... and 32 more

Published May 20, 2010

Tracked Since Feb 18, 2026