Vulnerabilities > CVE-2008-5448 - Multiple vulnerability in Oracle Secure Backup 10.2.0.2

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

oracle

critical

nessus

metasploit

NVD

Published: 2009-01-14

Updated: 2016-11-22

Summary

Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5444 and CVE-2008-5449.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Secure Backup 10.2.0.2	1

D2sec

name Oracle Secure Backup 10.2.0.2 RCE (Linux)
url http://www.d2sec.com/exploits/oracle_secure_backup_10.2.0.2_rce_linux.html
name Oracle Secure Backup 10.2.0.2 RCE (Windows)
url http://www.d2sec.com/exploits/oracle_secure_backup_10.2.0.2_rce_windows.html

Metasploit

description	This module exploits a command injection vulnerability in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.
id	MSF:AUXILIARY/ADMIN/ORACLE/OSB_EXECQR
last seen	2020-01-22
modified	2017-08-25
published	2009-02-23
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5448 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/oracle/osb_execqr.rb
title	Oracle Secure Backup exec_qr() Command Injection Vulnerability

Nessus

NASL family	CGI abuses
NASL id	ORACLE_SECURE_BACKUP_CMD.NASL
description	The remote version of Oracle Secure Backup Administration Server fails to sanitize user-supplied input to various parameters used in the
last seen	2020-06-01
modified	2020-06-02
plugin id	35363
published	2009-01-14
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/35363
title	Oracle Secure Backup Administration Server login.php Arbitrary Command Injection
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(35363); script_version("1.32"); script_cve_id("CVE-2008-4006","CVE-2008-5448"); script_bugtraq_id(33177); script_name(english:"Oracle Secure Backup Administration Server login.php Arbitrary Command Injection"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP script that allows execution of arbitrary commands." ); script_set_attribute(attribute:"description", value: "The remote version of Oracle Secure Backup Administration Server fails to sanitize user-supplied input to various parameters used in the 'login.php' script before using it. By sending specially crafted arguments an attacker can exploit it to execute code on the remote host with the web server privileges. By default the server runs with SYSTEM privileges under Windows." ); # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=768 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5ad19c95" ); script_set_attribute(attribute:"solution", value: "Apply patches referenced in the vendor advisory above." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"d2_elliot_name", value:"Oracle Secure Backup 10.2.0.2 RCE (Windows)"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_set_attribute(attribute:"cpe",value:"cpe:/a:oracle:secure_backup"); script_set_attribute(attribute:"plugin_publication_date", value: "2009/01/14"); script_set_attribute(attribute:"patch_publication_date", value: "2009/01/13"); script_cvs_date("Date: 2018/07/18 17:43:55"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:oracle:secure_backup"); script_end_attributes(); summary["english"] = "Checks for multiple remote command execution vulnerabilities in Oracle Secure Backup Administration Server"; script_summary(english:summary["english"]); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("http_version.nasl"); script_require_ports("Services/www", 443); script_require_keys("www/PHP"); script_exclude_keys("Settings/disable_cgi_scanning"); exit(0); } include("misc_func.inc"); include("global_settings.inc"); include("http.inc"); port = get_http_port(default:443, php: 1); res = http_get_cache(item:"/login.php", port:port, exit_on_fail: 1); if ("<title>Oracle Secure Backup Web Interface</title>" >!< res) exit(0); soc = open_sock_tcp(port); if (!soc) exit(0); req = string ( "GET /login.php?attempt=1&uname=nessus%20%26%20nessus HTTP/1.1\r\n", "Host: ", get_host_name(), "\r\n", "\r\n" ); send(socket:soc, data:req); buf = recv(socket:soc, length:4096); if (!egrep(string:buf, pattern:"^.(PHPSESSID=[0-9a-z]+;).$")) exit(0); cookie = ereg_replace(string:buf, pattern:"^.(PHPSESSID=[0-9a-z]+;).$", replace:"\1"); req = string ( "GET /index.php HTTP/1.1\r\n", "Host: ", get_host_name(), "\r\n", "Cookie: ", cookie, "\r\n", "\r\n" ); send(socket:soc, data:req); buf = recv(socket:soc, length:10000, timeout:20); if ("Logged in as" >< buf) security_hole(port);

Saint

bid 33177
description Oracle Secure Backup NDMP_CONECT_CLIENT_AUTH buffer overflow
id database_oracle_backupndmpbo,database_oracle_backupver
osvdb 51340
title oracle_secure_backup_ndmp_clientauth
type remote
bid 33177
description Oracle Secure Backup login.php rbtool command injection
id database_oracle_backupver
osvdb 51342
title oracle_secure_backup_login_rbtool
type remote
bid 33177
description Oracle Secure Backup login.php ora_osb_lcookie command execution
id database_oracle_backupver
osvdb 51343
title oracle_secure_backup_login_lcookie
type remote
bid 33177
description Oracle WebLogic Server IIS Connector JSESSIONID buffer overflow
title weblogic_iis_connector_jsessionid
type remote
bid 33177
description Oracle Database OLAP component ODCITABLESTART buffer overflow
id database_oracle_version
osvdb 51347
title oracle_olap_odcitablestart
type remote

name	Oracle Secure Backup 10.2.0.2 RCE (Linux)
url	http://www.d2sec.com/exploits/oracle_secure_backup_10.2.0.2_rce_linux.html

name	Oracle Secure Backup 10.2.0.2 RCE (Windows)
url	http://www.d2sec.com/exploits/oracle_secure_backup_10.2.0.2_rce_windows.html

bid	33177
description	Oracle Secure Backup NDMP_CONECT_CLIENT_AUTH buffer overflow
id	database_oracle_backupndmpbo,database_oracle_backupver
osvdb	51340
title	oracle_secure_backup_ndmp_clientauth
type	remote

Summary

Vulnerable Configurations

D2sec

Metasploit

Nessus

Saint

References