Vulnerabilities > CVE-2008-4008 - Unspecified vulnerability in Oracle BEA Product Suite

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

oracle

critical

nessus

exploit available

metasploit

NVD

Published: 2008-10-14

Updated: 2012-10-23

Summary

Unspecified vulnerability in the WebLogic Server Plugins for Apache component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2008 CPU. Oracle has not commented on reliable researcher claims that this issue is a stack-based buffer overflow in the WebLogic Apache Connector, related to an invalid parameter.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle BEA Product Suite 6.1 Oracle BEA Product Suite 7.0 Oracle BEA Product Suite 8.1 Oracle BEA Product Suite 9.0 Oracle BEA Product Suite 9.1 Oracle BEA Product Suite 9.2 Oracle BEA Product Suite 10.0 Oracle BEA Product Suite 10.3	8

Exploit-Db

description	BEA Weblogic Transfer-Encoding Buffer Overflow. CVE-2008-4008. Remote exploit for windows platform
id	EDB-ID:16796
last seen	2016-02-02
modified	2010-07-08
published	2010-07-08
reporter	metasploit
source	https://www.exploit-db.com/download/16796/
title	BEA Weblogic Transfer-Encoding Buffer Overflow

Metasploit

description	This module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. This vulnerability exists in the error reporting for unknown Transfer-Encoding headers. You may have to run this twice due to timing issues with handlers.
id	MSF:EXPLOIT/WINDOWS/HTTP/BEA_WEBLOGIC_TRANSFER_ENCODING
last seen	2020-05-26
modified	2017-07-24
published	2008-10-22
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4008
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb
title	BEA Weblogic Transfer-Encoding Buffer Overflow

Nessus

NASL family	Web Servers
NASL id	WEBLOGIC_MOD_WL_1150354.NASL
description	The remote web server is using the WebLogic plug-in for Apache (mod_wl), an Apache module included with Oracle (formerly BEA) WebLogic Server and used to proxy requests from an Apache HTTP server to WebLogic. The version of this plug-in on the remote host is affected by a stack buffer overflow that is triggered when processing a request with an invalid parameter. An unauthenticated, remote attacker can leverage this issue to execute arbitrary code on the remote host. Note that Nessus has not tried to exploit this issue but rather has only checked the affected module
last seen	2020-06-01
modified	2020-06-02
plugin id	34781
published	2008-11-16
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/34781
title	Oracle WebLogic Server mod_wl Invalid Parameter Remote Overflow (1150354)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(34781); script_version("1.16"); script_cve_id("CVE-2008-4008"); script_bugtraq_id(31683, 31761); script_name(english:"Oracle WebLogic Server mod_wl Invalid Parameter Remote Overflow (1150354)"); script_summary(english:"Sends a POST request to get the plug-in's build timestamp"); script_set_attribute(attribute:"synopsis", value: "The remote web server uses a module that is affected by a buffer overflow vulnerability." ); script_set_attribute(attribute:"description", value: "The remote web server is using the WebLogic plug-in for Apache (mod_wl), an Apache module included with Oracle (formerly BEA) WebLogic Server and used to proxy requests from an Apache HTTP server to WebLogic. The version of this plug-in on the remote host is affected by a stack buffer overflow that is triggered when processing a request with an invalid parameter. An unauthenticated, remote attacker can leverage this issue to execute arbitrary code on the remote host. Note that Nessus has not tried to exploit this issue but rather has only checked the affected module's build timestamp." ); # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=751 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e539ff75" ); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/497969/30/0/threaded" ); # http://www.oracle.com/technetwork/topics/security/whatsnew/index.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1bbe3e7" ); script_set_attribute(attribute:"solution", value: "Install the latest web server plug-in as described in the vendor advisory above." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'BEA Weblogic Transfer-Encoding Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2008/11/16"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:oracle:weblogic_server"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_dependencies("http_version.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:80); if (!get_port_state(port)) exit(0); # Make sure the banner looks like Apache. banner = get_http_banner(port:port); if ( !banner \|\| !egrep(pattern:"^Server:.*(Apache\|Oracle HTTP Server\|IBM_HTTP_SERVER\|IBM_HTTP_Server)", string:banner) ) exit(0); # Iterate over known directories. dirs = get_kb_list(string("www/", port, "/content/directories")); if (isnull(dirs)) dirs = make_list("", "/weblogic"); foreach dir (dirs) { # Look for the plug-in and a bridge message. url = string(dir, "/index.jsp"); res = http_send_recv3(method:"GET", item:url, port:port); if (res == NULL) exit(0); # nb: if there's a problem with configured WebLogic server, the initial # request results in a bridge message we can use to fingerprint the # plug-in. Otherwise, we pass in a special request to "tickle" one. if ("X-Powered-By: Servlet" >< res[1]) { res = http_send_recv3( method:"POST", item:url, port:port, add_headers:make_array("Content-Length", "-1") ); if (res == NULL) exit(0); } # If it's a bridge message from Apache... if ( "TITLE>Weblogic Bridge Message" >< res[2] \|\| "Failure of server APACHE bridge:</H2>" >< res[2] ) { build = ""; change = ""; foreach line (split(res[2], keep:FALSE)) { if ("Build date/time:" >< line) { build = strstr(line, "Build date/time:") - "Build date/time:"; build = ereg_replace(pattern:"<[^>]+>", replace:"", string:build); build = ereg_replace(pattern:"^ +", replace:"", string:build); } if ("Change Number:" >< line) { change = strstr(line, "Change Number:") - "Change Number:"; change = ereg_replace(pattern:"<[^>]+>", replace:"", string:change); change = ereg_replace(pattern:"^ +", replace:"", string:change); } if (build && change) break; } if ( (change && int(change) < 1150354) \|\| ( build && ( build =~ "^[A-Za-z]{3} ( \|[0-3])[0-9] (1[0-9]{3}\|200[0-7]) " \|\| build =~ "^(Jan\|Feb\|Mar\|Apr\|May\|Jun\|Jul\|Aug) ( \|[0-3])[0-9] 2008 " ) ) ) { if (report_verbosity > 0) { report = string( "\n", "Nessus was able to retrieve the following information about the remote\n", "WebLogic plug-in :\n", "\n", " Plug-in type : Apache\n" ); if (build) { report = string( report, " Build date/time : ", build, "\n" ); } if (change) { report = string( report, " Change number : ", change, "\n" ); } if (report_verbosity > 1) { report = string( report, "\n", "It is configured to proxy requests such as :\n", "\n", " ", build_url(port:port, qs:url), "\n" ); } security_hole(port:port, extra:report); } else security_hole(port); } # We've found the plug-in so we're done. exit(0); } }

Packetstorm

data source	https://packetstormsecurity.com/files/download/83221/bea_weblogic_transfer_encoding.rb.txt
id	PACKETSTORM:83221
last seen	2016-12-05
published	2009-11-26
reporter	Pusscat
source	https://packetstormsecurity.com/files/83221/BEA-Weblogic-Transfer-Encoding-Buffer-Overflow.html
title	BEA Weblogic Transfer-Encoding Buffer Overflow

Saint

bid	31683
description	Oracle WebLogic Server Apache Connector Transfer-Encoding buffer overflow
id	web_dev_weblogicapachever
osvdb	49283
title	weblogic_apache_connector_transfer_encoding
type	remote

Seebug

bulletinFamily	exploit
description	CVE(CAN) ID: CVE-2008-4008 WebLogic包含多种应用系统集成方案，包括Server/Express/Integration等。 WebLogic的Apache连接器实现上存在漏洞，模块做处理请求所带的畸形参数时，未进行长度检查就把字符串拷贝到固定长度的栈缓冲区中，远程攻击者可能利用此漏洞触发栈溢出，导致执行任意指令。 Oracle WebLogic Server Oracle ------ 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html target=_blank>http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html</a>
id	SSV:4398
last seen	2017-11-19
modified	2008-11-04
published	2008-11-04
reporter	Root
title	Oracle WebLogic Apache连接器远程缓冲区溢出漏洞

bulletinFamily	exploit
description	BUGTRAQ ID: 31683 CVE(CAN) ID: CVE-2008-4008,CVE-2008-4009,CVE-2008-4010,CVE-2008-4011,CVE-2008-4012,CVE-2008-4013,CVE-2008-4000,CVE-2008-4001,CVE-2008-4002,CVE-2008-4003,CVE-2008-4004,CVE-2008-3985,CVE-2008-3988,CVE-2008-3998,CVE-2008-3619,CVE-2008-3993,CVE-2008-3975,CVE-2008-3977,CVE-2008-3588,CVE-2008-3986,CVE-2008-3987,CVE-2008-3989,CVE-2008-2624,CVE-2008-3996,CVE-2008-3992,CVE-2008-3976,CVE-2008-3982,CVE-2008-3983,CVE-2008-3984,CVE-2008-3994,CVE-2008-3980,CVE-2008-4005,CVE-2008-2625,CVE-2008-3990,CVE-2008-3991 Oracle Database是一款商业性质大型数据库系统。 Oracle发布了2008年7月的紧急补丁更新公告，修复了多个Oracle产品中的多个漏洞。这些漏洞影响Oracle产品的所有安全属性，可导致本地和远程的威胁。其中一些漏洞可能需要各种级别的授权，但也有些不需要任何授权。最严重的漏洞可能导致完全入侵数据库系统。目前已知的漏洞包括： BEA WebLogic Workshop中有关NetUI标签的漏洞可能导致信息泄露。 BEA WebLogic Server在使用多个授权者（如XACMLAuthorizer和DefaultAuthorizer）时的错误可能允许绕过某些安全限制。 Apache的WebLogic插件中的错误可能导致完全的系统入侵。将Bea WebLogic Server 8.1SP3升级到更高版本可能导致无效用户可以使用之前受保护的应用。成功攻击要求使用了CLIENT-CERT认证方式。 Oracle Application Server 9.0.4.3 Oracle Application Server 10.1.3.4.0 Oracle Application Server 10.1.3.0.0 Oracle Application Server 10.1.2.3.0 Oracle Application Server 10.1.2.2.0 Oracle E-Business Suite 12.0.4 Oracle E-Business Suite 11.5.10.2 Oracle Database 9.2.0.8DV Oracle Database 9.2.0.8 Oracle Database 11.1.0.6 Oracle Database 10.2.0.4 Oracle Database 10.2.0.3 Oracle Database 10.2.0.2 Oracle Database 10.1.0.5 Oracle JD Edwards EnterpriseOne Tools 8.98 Oracle JD Edwards EnterpriseOne Tools 8.97 Oracle PeopleSoft Enterprise PeopleTools 8.49.14 Oracle PeopleSoft Enterprise PeopleTools 8.48.18 Oracle WebLogic Server 9.2 Oracle WebLogic Server 9.1 Oracle WebLogic Server 9.0 Oracle WebLogic Server 8.1 Oracle WebLogic Server 7.0 Oracle WebLogic Server 6.1 Oracle WebLogic Server 10.0 Oracle PeopleSoft Enterprise Portal 9.0 Oracle PeopleSoft Enterprise Portal 8.9 Oracle Workshop for WebLogic 9.2 Oracle Workshop for WebLogic 9.1 Oracle Workshop for WebLogic 9.0 Oracle Workshop for WebLogic 8.1 Oracle Workshop for WebLogic 10.3 GA Oracle Workshop for WebLogic 10.2 GA Oracle Workshop for WebLogic 10.0 厂商补丁： Oracle ------ Oracle已经为此发布了一个安全公告（cpuoct2008）以及相应补丁: cpuoct2008：Oracle Critical Patch Update Advisory - October 2008 链接：<a href=http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html?_template=/o target=_blank>http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html?_template=/o</a>
id	SSV:4264
last seen	2017-11-19
modified	2008-10-20
published	2008-10-20
reporter	Root
title	Oracle 2008年10月紧急补丁更新修复多个漏洞

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Packetstorm

Saint

Seebug

References