CVE-2008-4008
published 2008-10-14


Priority: P2 (63), critical
CVSS 2.0: 10, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 56.27% (98.9th percentile)
Unspecified vulnerability in the WebLogic Server Plugins for Apache component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2008 CPU. Oracle has not commented on reliable researcher claims that this issue is a stack-based buffer overflow in the WebLogic Apache Connector, related to an invalid parameter.

Affected

8 ranges, all for vendor oracle, product bea_product_suite (the version range and fixed-in columns are blank in the record).

Detection & IOCs (extracted from sources)

other: 0x1001f4d6
bytes: \xe9\x5e\xe9\xff\xff
  • Detect oversized or malformed Transfer-Encoding header values in HTTP POST requests to Apache/WebLogic connector endpoints; the exploit sends a ~5800-byte alphanumeric string as the Transfer-Encoding header value.
  • Alert on HTTP POST requests where the Transfer-Encoding header is not a standard value (e.g., 'chunked', 'identity') and is unusually long (thousands of bytes), targeting servers with Apache/WebLogic plugin (Server header matching /Apache/).
  • The exploit uses a SEH-based overflow with a backward jump stub (\xe9\x5e\xe9\xff\xff) at offset 5789 of the payload; look for this byte sequence in HTTP header fields.
  • The exploit sets VHOST to 'localhost' and targets /index.jsp via HTTP POST; monitor for POST requests to /index.jsp with anomalous Transfer-Encoding headers from external sources.
  • The SEH overwrite uses the ROP gadget at address 0x1001f4d6 (pop/pop/ret) within the WebLogic Apache connector DLL; memory forensics or crash dumps showing EIP/SEH pointing to this address indicate exploitation.
  • The Metasploit module targets Windows Apache 2.2 only (Universal target); the ROP gadget address 0x1001f4d6 is specific to this platform/version combination and will not apply to other OS or Apache versions.
  • The exploit may require multiple attempts due to race conditions in the handler; a single failed attempt should not be treated as a definitive indicator of non-exploitation.
  • Payload bad characters are \x00, \x0d, \x0a; shellcode signatures containing these bytes will not appear in the exploit traffic, so null-byte or CRLF-based detection will miss the payload.
  • The vulnerability details are officially unspecified by Oracle; the stack-based buffer overflow attribution to the Transfer-Encoding header is based on independent researcher claims, not vendor confirmation.
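The detection points above (oversized or non-standard Transfer-Encoding values, the jump-stub byte sequence in header fields, and POST requests to /index.jsp) can be turned into a single request checker. The following is an added example written for this page; it is not code from cvebase, Oracle or the Metasploit module. It assumes a length threshold of 256 bytes (a tunable choice, not a value from the record) and runs over two constructed raw HTTP requests: one benign chunked POST and one stand-in for the exploit traffic that carries a long alphanumeric Transfer-Encoding value with the stub bytes embedded, not the published payload.

```python
# Transfer-Encoding tokens a legitimate client will send (RFC 7230 registry).
STANDARD_TE_TOKENS = {"chunked", "identity", "gzip", "deflate",
                      "compress", "x-gzip", "x-compress"}

# Byte sequence the record lists as the exploit's SEH backward-jump stub.
JUMP_STUB = b"\xe9\x5e\xe9\xff\xff"

# Assumption: any Transfer-Encoding value longer than this is anomalous.
# Real values are a few short tokens; the record reports ~5800 bytes.
MAX_TE_LEN = 256


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, header_block).

    headers maps lower-cased header name (bytes) to a list of raw values,
    so repeated headers are kept rather than silently overwritten.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1", "replace").split(" ")
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, path, headers, head


def _short(token: str, limit: int = 16) -> str:
    """Truncate a token for reporting so a 5 KB value does not flood the alert."""
    return token if len(token) <= limit else token[:limit] + "..."


def analyze_request(raw: bytes):
    """Return a list of detection reasons; an empty list means nothing suspicious."""
    method, path, headers, head = parse_request(raw)
    findings = []

    for value in headers.get(b"transfer-encoding", []):
        if len(value) > MAX_TE_LEN:
            findings.append(f"oversized Transfer-Encoding value ({len(value)} bytes)")
        # Split comma-separated transfer codings and compare with the registry.
        tokens = {t.strip().lower()
                  for t in value.decode("latin-1", "replace").split(",")
                  if t.strip()}
        unknown = tokens - STANDARD_TE_TOKENS
        if unknown:
            findings.append("non-standard Transfer-Encoding token(s): "
                            + ", ".join(_short(t) for t in sorted(unknown)[:3]))

    # The stub bytes are checked across the whole header block, not just
    # Transfer-Encoding, since any header field could carry them.
    if JUMP_STUB in head:
        findings.append("SEH jump stub byte sequence in header block")

    # Only escalate the target match when something else already looks wrong;
    # a plain POST to /index.jsp is normal traffic.
    if findings and method == "POST" and path == "/index.jsp":
        findings.append("POST to /index.jsp matching published exploit target")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (b"POST /index.jsp HTTP/1.1\r\n"
          b"Host: localhost\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"0\r\n\r\n")

_filler = b"A" * 3000 + JUMP_STUB + b"B" * 10
SUSPICIOUS = (b"POST /index.jsp HTTP/1.1\r\n"
              b"Host: localhost\r\n"
              b"Transfer-Encoding: " + _filler + b"\r\n\r\n")


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "->", analyze_request(req) or "clean")
```

The length check and the token check are deliberately separate: a short but unregistered coding (a typo'd client) fires only the token rule, while the traffic described in the record fires both plus the stub signature, which gives an analyst a graded signal rather than a single boolean.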