CVE-2008-4008
Published 2008-10-14
Priority P2 · 63 · critical · CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) · Public exploit available · EPSS 56.27% (98.9th percentile)
Unspecified vulnerability in the WebLogic Server Plugins for Apache component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2008 CPU. Oracle has not commented on reliable researcher claims that this issue is a stack-based buffer overflow in the WebLogic Apache Connector, related to an invalid parameter.
Affected
8 version ranges are recorded for vendor oracle, product bea_product_suite; the version bounds and fixed-in versions are not populated in this record.
Detection & IOCs (extracted from sources)
Bytes: \xe9\x5e\xe9\xff\xff
- Detect oversized or malformed Transfer-Encoding header values in HTTP POST requests to Apache/WebLogic connector endpoints; the exploit sends a ~5800-byte alphanumeric string as the Transfer-Encoding header value.
- Alert on HTTP POST requests where the Transfer-Encoding header is not a standard value (e.g., 'chunked', 'identity') and is unusually long (thousands of bytes), targeting servers with the Apache/WebLogic plugin (Server header matching /Apache/).
- The exploit uses a SEH-based overflow with a backward jump stub (\xe9\x5e\xe9\xff\xff) at offset 5789 of the payload; look for this byte sequence in HTTP header fields.
- The exploit sets VHOST to 'localhost' and targets /index.jsp via HTTP POST; monitor for POST requests to /index.jsp with anomalous Transfer-Encoding headers from external sources.
- The SEH overwrite uses the ROP gadget at address 0x1001f4d6 (pop/pop/ret) within the WebLogic Apache connector DLL; memory forensics or crash dumps showing EIP/SEH pointing to this address indicate exploitation.
- The Metasploit module targets Windows Apache 2.2 only (Universal target); the ROP gadget address 0x1001f4d6 is specific to this platform/version combination and will not apply to other OS or Apache versions.
- The exploit may require multiple attempts due to race conditions in the handler; a single failed attempt should not be treated as a definitive indicator of non-exploitation.
- Payload bad characters are \x00, \x0d, \x0a; shellcode signatures containing these bytes will not appear in the exploit traffic, so null-byte or CRLF-based detection will miss the payload.
- The vulnerability details are officially unspecified by Oracle; the stack-based buffer overflow attribution to the Transfer-Encoding header is based on independent researcher claims, not vendor confirmation.
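As an added example (not part of this record or of the Metasploit module), the following Python flags HTTP requests that match the indicators above: a Transfer-Encoding value that is not a standard coding token, one longer than an assumed 256-byte threshold, or one carrying the listed jump-stub bytes. The sample requests are constructed here, not captured traffic.

```python
STANDARD_CODINGS = {"chunked", "identity", "gzip", "x-gzip",
                    "deflate", "compress", "x-compress"}
MAX_TE_LEN = 256                      # assumed threshold; the exploit value is ~5800 bytes
JUMP_STUB = b"\xe9\x5e\xe9\xff\xff"   # backward-jump stub listed in the IOCs above


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, path = lines[0].split(b" ", 2)[:2]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return method.decode("latin-1"), path.decode("latin-1"), headers


def inspect_request(raw: bytes) -> list:
    """Return the reasons a request resembles CVE-2008-4008 traffic (empty list = clean)."""
    method, path, headers = parse_request(raw)
    reasons = []
    for name, value in headers:
        if JUMP_STUB in value:
            reasons.append(f"jump stub bytes in {name.decode('latin-1')} header")
        if name != b"transfer-encoding":
            continue
        codings = {c.strip().lower() for c in value.decode("latin-1").split(",")}
        if not codings <= STANDARD_CODINGS:
            reasons.append("non-standard Transfer-Encoding token")
        if len(value) > MAX_TE_LEN:
            reasons.append(f"oversized Transfer-Encoding value ({len(value)} bytes)")
    if reasons and method == "POST" and path == "/index.jsp":
        reasons.append("POST to /index.jsp, the public exploit's default target")
    return reasons


# Constructed sample traffic: a benign chunked upload and a request shaped like the exploit.
BENIGN = (b"POST /index.jsp HTTP/1.1\r\nHost: localhost\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
TE_VALUE = b"A" * 5789 + JUMP_STUB + b"A" * 6      # 5800 bytes, stub at offset 5789
SUSPECT = (b"POST /index.jsp HTTP/1.1\r\nHost: localhost\r\n"
           b"Transfer-Encoding: " + TE_VALUE + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request(req) or ["clean"])
```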
No detection rules found.
Exploit-DB
BEA Weblogic - Transfer-Encoding Buffer Overflow (Metasploit) · exploitdb · 2010-07-08
Module source as indexed (truncated excerpt):

```ruby
##
# $Id: bea_weblogic_transfer_encoding.rb 9744 2010-07-08 23:34:50Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'BEA Weblogic Transfer-Encoding Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in the BEA
        Weblogic Apache plugin. This vulnerability exists in the
        error reporti
```
Metasploit
BEA Weblogic Transfer-Encoding Buffer Overflow
This module exploits a stack-based buffer overflow in the BEA Weblogic Apache plugin. This vulnerability exists in the error reporting for unknown Transfer-Encoding headers. You may have to run this twice due to timing issues with handlers.
No writeups or analysis indexed.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=751
- http://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html
- http://www.securitytracker.com/id?1021056
- http://www.vupen.com/english/advisories/2008/2825