CVE-2008-5444
published 2009-01-14

Priority: P2 · 69 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 60.62% (99.0th percentile)

Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5448 and CVE-2008-5449.

Affected

1 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| oracle | secure_backup | | |

Detection & IOCs (extracted from sources)

  • port: 10000
  • other: 0x608f5a28
  • other: 0x901
  • filename: oracore10.dll
  • bytes: \x81\xc4\x54\xf2\xff\xff

  • Detect exploitation attempts by monitoring for oversized NDMP_CONNECT_CLIENT_AUTH packets (username field ~3789+ bytes) sent to TCP port 10000 targeting Oracle Secure Backup.
  • Alert on NDMP message type 0x901 (NDMP_CONNECT_CLIENT_AUTH) on TCP/10000 with abnormally large username length fields (N-packed value exceeding normal bounds).
  • Look for the stack-adjustment prepend encoder byte sequence \x81\xc4\x54\xf2\xff\xff in the payload body of NDMP traffic on port 10000 as a shellcode indicator.
  • Monitor for return-address value 0x608f5a28 (oracore10.dll) appearing in network traffic to TCP/10000, indicating exploitation targeting Windows 2003 SP0 / XP SP3.
  • The Metasploit module only targets Oracle Secure Backup 10.1.0.3 on Windows 2003 SP0 and Windows XP SP3; the ROP/return address (0x608f5a28 in oracore10.dll) is version-specific and will not work against other builds.
  • The payload space is limited to 1024 bytes and null bytes (\x00) are bad characters; detections relying on raw shellcode patterns must account for encoding.
  • The exploit uses a StackAdjustment of -3500 bytes via the prepend encoder, meaning the actual shellcode execution context is significantly offset from the overflow point.
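
The checks in the bullets above, combined into one per-packet inspector. This is an added example, not code from this page or its sources. The NDMP layout it parses (4-byte record marker, six 32-bit header words, then auth type and a length-prefixed username), the 256-byte threshold and the little-endian encoding of the address are assumptions.

```python
import struct

NDMP_PORT = 10000                  # from the page
NDMP_CONNECT_CLIENT_AUTH = 0x901   # from the page
MAX_USERNAME_LEN = 256             # assumed threshold; tune to your environment
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"   # byte sequence from the page
RET_ADDR = struct.pack("<I", 0x608F5A28)     # page's address, assumed little-endian on the wire

def inspect_ndmp(payload: bytes, dport: int = NDMP_PORT) -> list:
    """Return findings for one client-to-server TCP payload (possibly truncated)."""
    findings = []
    if dport != NDMP_PORT or len(payload) < 36:
        return findings
    # Assumed layout: 4-byte record marker, then six big-endian 32-bit header
    # words: sequence, time_stamp, message_type, message, reply_sequence, error.
    message = struct.unpack(">I", payload[16:20])[0]
    if message != NDMP_CONNECT_CLIENT_AUTH:
        return findings
    # Assumed body: auth_type, then the username as a length-prefixed string.
    auth_type, name_len = struct.unpack(">2I", payload[28:36])
    if name_len > MAX_USERNAME_LEN:
        findings.append(f"oversized username length {name_len} (auth_type {auth_type})")
    body = payload[36:]
    if STACK_ADJUST in body:
        findings.append("stack-adjustment byte sequence in body")
    if RET_ADDR in body:
        findings.append("return-address value 0x608f5a28 in body")
    return findings

def _sample(message: int, name_len: int, captured: bytes) -> bytes:
    """Constructed capture prefix: only `captured` bytes of the body are present."""
    hdr = struct.pack(">6I", 1, 0, 0, message, 0, 0) + struct.pack(">2I", 1, name_len)
    marker = struct.pack(">I", 0x80000000 | (len(hdr) + name_len))
    return marker + hdr + captured

# Constructed samples, not captured traffic.
SAMPLES = {
    "normal login": _sample(0x901, 5, b"admin\x00\x00\x00"),
    "oversized length": _sample(0x901, 3789, b"A" * 16),
    "oversized + indicator": _sample(0x901, 3789, b"A" * 16 + STACK_ADJUST),
    "other message": _sample(0x900, 3789, b"A" * 16),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label}: {inspect_ndmp(pkt) or 'no findings'}")
```

The length check reads only the declared length field, so it still fires on snaplen-truncated captures and does not depend on the payload encoding, unlike the two byte-pattern checks.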