CVE-2009-1978
published 2009-07-14

Priority: P2 · 70 · critical
CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
EXPLOIT
EPSS: 64.69% (99.1th percentile)
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the July 2009 Oracle CPU. Oracle has not commented on claims from an independent researcher that this vulnerability allows remote authenticated users to execute arbitrary code with SYSTEM privileges via vectors involving property_box.php.

Affected (1 range)

Vendor | Product | Version range | Fixed in
oracle | secure_backup | - | -

Detection & IOCs (extracted from sources)

url: https://<TARGET>/login.php
url: https://<TARGET>/property_box.php?type=CheckProperties&vollist=<PAYLOAD>
cookie: PHPSESSID=<session>
path: /login.php
path: /property_box.php
filename: osb103shelltmp
command: uname=--fakeoption&passwd=fakepwd
command: type=CheckProperties&vollist=1%26ver>osb103shelltmp
  • Detect authentication bypass attempts against Oracle Secure Backup login.php: look for POST requests with the parameter value `uname=--fakeoption` (option-injection style bypass) combined with any password value.
  • Detect command injection in property_box.php via the `vollist` parameter: alert on GET requests to /property_box.php containing shell metacharacters (e.g., `%26`, `&`) in the `vollist` query parameter with `type=CheckProperties`.
  • Monitor for creation or HTTP GET access to the file `osb103shelltmp` on the Oracle Secure Backup web root, which is used as a command output staging file by the exploit.
  • The exploit targets Oracle Secure Backup Administration Server over HTTPS; monitor for unauthenticated or anomalous HTTPS sessions to the OSB admin web interface followed immediately by requests to property_box.php.
  • Exploitation results in arbitrary command execution with SYSTEM privileges on Windows; monitor for unexpected child processes spawned from the Oracle Secure Backup web service process (e.g., cmd.exe).
  • The authentication bypass (CVE-2009-1977) is a prerequisite for exploiting this command injection (CVE-2009-1978); both vulnerabilities are chained in the wild. Detection logic should account for the two-stage attack flow: auth bypass on login.php first, then injection on property_box.php.
  • The PoC was confirmed against Oracle Secure Backup 10.3.0.1.0 on Win32; the NVD advisory references version 10.2.0.3. Detection rules should not be version-gated too narrowly.
  • The exploit communicates exclusively over HTTPS (self-signed/untrusted cert, using curl -k); TLS inspection may be required to detect the malicious payloads in transit.
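
The two-stage detection described in the notes above, as an added example (not code from this page or from Oracle). It assumes decrypted HTTP events from a TLS-inspecting proxy or WAF, given as hypothetical (src, method, path, query, body) tuples; the function names are illustrative, and the login check is generalised from the listed `uname=--fakeoption` value to any `uname` beginning with `-`.

```python
from urllib.parse import parse_qs

SHELL_META = set("&|;<>`$\n")

def classify(ev):
    """Return the indicator tags matched by one (src, method, path, query, body) event."""
    _, method, path, query, body = ev
    path, tags = path.lower(), set()
    if method == "POST" and path.endswith("/login.php"):
        form = parse_qs(body, keep_blank_values=True)
        # Page indicator is uname=--fakeoption; generalised to any leading "-".
        if any(u.startswith("-") for u in form.get("uname", [])):
            tags.add("auth_bypass")
    if path.endswith("/property_box.php"):
        q = parse_qs(query, keep_blank_values=True)
        if "CheckProperties" in q.get("type", []):
            # %26 decodes into the vollist value; a raw "&" instead splits the
            # payload into a bogus parameter name, so names are checked too.
            if any(SHELL_META & set(s) for s in q.get("vollist", []) + list(q)):
                tags.add("cmd_injection")
    if "osb103shelltmp" in path:
        tags.add("staging_file")
    return tags

def correlate(events):
    """Emit (src, tag) alerts, plus a chained alert for bypass then injection."""
    bypassed, alerts = set(), []
    for ev in events:
        tags = classify(ev)
        alerts += [(ev[0], t) for t in sorted(tags)]
        if "auth_bypass" in tags:
            bypassed.add(ev[0])
        if "cmd_injection" in tags and ev[0] in bypassed:
            alerts.append((ev[0], "chained_bypass_then_injection"))
    return alerts

# Constructed sample events (documentation IP ranges), not real traffic.
SAMPLE = [
    ("198.51.100.7", "POST", "/login.php", "", "uname=--fakeoption&passwd=fakepwd"),
    ("198.51.100.7", "GET", "/property_box.php",
     "type=CheckProperties&vollist=1%26ver>osb103shelltmp", ""),
    ("198.51.100.7", "GET", "/osb103shelltmp", "", ""),
    ("192.0.2.10", "POST", "/login.php", "", "uname=admin&passwd=example"),
    ("192.0.2.10", "GET", "/property_box.php", "type=CheckProperties&vollist=vol1", ""),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

The chained alert is keyed on source address only; a production rule would also bound the time between the two stages and correlate on the PHPSESSID cookie where it is logged.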