CVE-2009-1977
Published 2009-07-14
Priority: P2 72 | critical | 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 72.64% (99.4th percentile)
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the July 2009 Oracle CPU. Oracle has not commented on claims from an independent researcher that this vulnerability allows attackers to bypass authentication via unknown vectors involving the username parameter and login.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | secure_backup | — | — |
Detection & IOCs (extracted from sources)
- Authentication bypass is triggered by supplying a username value beginning with '--' (double-dash, option-injection style) to the uname parameter in a POST to /login.php, which returns a valid PHPSESSID without correct credentials.
- Command injection occurs via the 'vollist' GET parameter in /property_box.php with type=CheckProperties; payloads use URL-encoded shell metacharacters (e.g., %26 for '&') to chain OS commands.
- The attack chain targets Oracle Secure Backup Administration Server over HTTPS; alert on POST requests to /login.php with a uname value starting with '--' followed by GET requests to /property_box.php with a vollist parameter containing URL-encoded shell operators.
- The vulnerability involves the 'username parameter' in login.php; monitor for anomalous or option-like values (e.g., values starting with '--') in the uname POST field.
- The exploit and Metasploit module were tested specifically against Oracle Secure Backup 10.3.0.1.0 (Win32); the NVD advisory references version 10.2.0.3 as the patched baseline; behavior may differ across versions.
- The PoC exploit requires 'curl' with HTTPS support to be present on the attacker system; the Oracle Secure Backup admin server must be reachable over HTTPS (port 443).
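The correlation described in the bullets above, written out as an added example (not part of the original page, the vendor's advisory or any published rule). It assumes request records from a TLS-terminating proxy or WAF that logs form bodies; the JSON-lines layout and the field names ts, src, method, url and body are hypothetical, and the sample records are constructed.

```python
import json
from urllib.parse import parse_qs, urlsplit

SHELL_META = set("&|;`$<>()\n")  # characters that chain or substitute OS commands
WINDOW_SECONDS = 300              # assumed correlation window, tune per environment

# Constructed sample records (not real traffic), one JSON object per request.
SAMPLE_LOG = """
{"ts": 100, "src": "198.51.100.7", "method": "POST", "url": "/login.php", "body": "uname=admin"}
{"ts": 110, "src": "203.0.113.9", "method": "POST", "url": "/login.php", "body": "uname=--constructed"}
{"ts": 115, "src": "203.0.113.9", "method": "GET", "url": "/property_box.php?type=CheckProperties&vollist=vol1%26echo+marker", "body": ""}
{"ts": 120, "src": "198.51.100.7", "method": "GET", "url": "/property_box.php?type=CheckProperties&vollist=vol1", "body": ""}
{"ts": 900, "src": "192.0.2.44", "method": "GET", "url": "/property_box.php?type=CheckProperties&vollist=a%7Cb", "body": ""}
"""

def first(params, key):
    """First value of a parsed form/query parameter, or '' when absent."""
    return params.get(key, [""])[0]

def classify(rec):
    """Return 'login_option_uname', 'vollist_metachar' or None for one request."""
    parts = urlsplit(rec["url"])
    path = parts.path.lower()  # the tested target is Win32, so match paths case-insensitively
    if rec["method"] == "POST" and path == "/login.php":
        form = parse_qs(rec.get("body", ""), keep_blank_values=True)
        if first(form, "uname").startswith("--"):
            return "login_option_uname"
    if rec["method"] == "GET" and path == "/property_box.php":
        query = parse_qs(parts.query, keep_blank_values=True)  # also decodes %26 and similar
        if first(query, "type") == "CheckProperties" and SHELL_META & set(first(query, "vollist")):
            return "vollist_metachar"
    return None

def detect(log_text):
    """Return (severity, src, ts, rule) alerts; the full chain from one source is critical."""
    alerts, last_bypass = [], {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = json.loads(line)
        rule = classify(rec)
        if rule == "login_option_uname":
            last_bypass[rec["src"]] = rec["ts"]
            alerts.append(("medium", rec["src"], rec["ts"], rule))
        elif rule == "vollist_metachar":
            chained = rec["ts"] - last_bypass.get(rec["src"], float("-inf")) <= WINDOW_SECONDS
            alerts.append(("critical" if chained else "high", rec["src"], rec["ts"],
                           "bypass_then_injection" if chained else rule))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because uname travels in the POST body, a plain access log will only support the vollist half of this check; the login half needs body capture at the proxy or WAF.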
Exploit-DB
Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass / Remote Code Injection
exploitdb · 2009-09-14 · CVSS 10.0
---
```bash
#!/bin/bash
#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978
#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3
#In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
#authentication bypass and a trivial command injection, resulting in arbitrary command execution.
#References:
#http://www.zerodayinitiative.com/advisories/ZD
```
Metasploit
Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
metasploit
This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).
References
- http://osvdb.org/55903
- http://secunia.com/advisories/35776
- http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
- http://www.securityfocus.com/bid/35672
- http://www.securitytracker.com/id?1022565
- http://www.vupen.com/english/advisories/2009/1900
- http://www.zerodayinitiative.com/advisories/ZDI-09-058/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51761