CVE-2003-0727
published 2003-10-20

Priority: P4 (25, low)
CVSS 2.0 base score: 2.1 (vector AV:L/AC:L/Au:N/C:N/I:N/A:P)
Exploit: available
EPSS: 68.55% (99.2nd percentile)

Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions.

Detection & IOCs (extracted from sources)

port: 2100 (XDB FTP service)
port: 8080 (XDB HTTP service)
port: 9989
command: UNLOCK / <overly long token>
command: UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn...
registry: 0x60616d46 (labelled "registry" by the extractor; it is actually the pop/pop/ret return address used for the SEH overwrite, see the detection notes below)
other: ret = "\x46\x6d\x61\x60" # 0x60616d46 in little-endian byte order
other: exception_handler = "\x79\x9B\xf7\x77"
other: short_jump = "\xEB\x06\x90\x90"
  • Detect oversized FTP UNLOCK command on port 2100 targeting Oracle XDB; exploit sends a buffer of ~1130 bytes to the UNLOCK command with SEH overwrite at offset 322
  • Detect HTTP Basic Authorization header with anomalously long base64-encoded credential sent to Oracle XDB HTTP service (port 8080); exploit embeds shellcode in the Authorization: Basic field
  • Detect HTTP GET request with oversized Authorization: Basic header to Oracle XDB HTTP port; exploit payload includes \xeb\x64 short jump and NOP sled pattern before shellcode
  • Check Oracle XDB FTP banner for version string '9.2.0.1.0' to identify vulnerable instances
  • Oracle XDB default credentials used by exploits for authentication prior to overflow: dbsnmp:dbsnmp, scott:tiger, system:manager, sys:change_on_install
  • FTP exploit authenticates with default credentials (DBSNMP/DBSNMP) before sending the UNLOCK overflow; monitor FTP login attempts with these credentials on port 2100
  • Exploit uses oraclient9.dll pop/pop/ret gadget at 0x60616d46 as SEH handler overwrite target; presence of this return address in network traffic or memory indicates exploitation attempt
  • The FTP exploit targets Oracle 9.2.0.1 Universal only; the Metasploit module has a single target and will not work against other patch levels without modification
  • The HTTP PASS exploit targets Windows x86 only (win32, winnt, win2000, winxp, win2003); the stack adjustment prepend (\x81\xc4\xff\xef\xff\xff\x44) is platform-specific
  • Payload bad characters for the FTP UNLOCK exploit are \x00\x20\x0a\x0d; shellcode must avoid these bytes
  • The HTTP PASS exploit requires a stack adjustment prepended to the shellcode before encoding