CVE-2009-1978
Published 2009-07-14
Priority: P2 · 70 · CVSS 2.0 base score 9 (critical) · vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 64.69% (99.1st percentile)
Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the July 2009 Oracle CPU. Oracle has not commented on claims from an independent researcher that this vulnerability allows remote authenticated users to execute arbitrary code with SYSTEM privileges via vectors involving property_box.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | secure_backup | — | — |
Detection & IOCs (extracted from sources)
- Detect authentication bypass attempts against Oracle Secure Backup login.php: look for POST requests whose `uname` parameter is `--fakeoption` (an option-injection style bypass) combined with any password value.
- Detect command injection in property_box.php via the `vollist` parameter: alert on GET requests to /property_box.php with `type=CheckProperties` whose `vollist` query parameter contains shell metacharacters (e.g. `%26`, `&`).
- Monitor for creation of, or HTTP GET access to, the file `osb103shelltmp` in the Oracle Secure Backup web root; the exploit uses it as a staging file for command output.
- The exploit targets the Oracle Secure Backup Administration Server over HTTPS; monitor for unauthenticated or anomalous HTTPS sessions to the OSB admin web interface followed immediately by requests to property_box.php.
- Exploitation results in arbitrary command execution with SYSTEM privileges on Windows; monitor for unexpected child processes (e.g. cmd.exe) spawned by the Oracle Secure Backup web service process.
- The authentication bypass (CVE-2009-1977) is a prerequisite for exploiting this command injection (CVE-2009-1978), and the two are chained in the wild. Detection logic should account for the two-stage flow: auth bypass on login.php first, then injection on property_box.php.
- The PoC was confirmed against Oracle Secure Backup 10.3.0.1.0 on Win32, while the NVD advisory references version 10.2.0.3; detection rules should not be gated too narrowly on version.
- The exploit communicates exclusively over HTTPS (self-signed/untrusted certificate, using curl -k), so TLS inspection may be required to see the malicious payloads in transit.
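To make the two-stage detection logic above concrete, here is an added Python example (not from the page's sources, Oracle, or the exploit authors) that classifies constructed request records against the indicators listed and correlates a login.php bypass with a later property_box.php injection from the same source. The event record fields and the 60-second correlation window are assumptions; a WAF or reverse proxy that logs request bodies would be needed to see the POST parameter.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample events (not real traffic): one record per HTTPS request to the
# OSB admin interface, in the shape a body-logging proxy or WAF might emit.
SAMPLE_EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "method": "POST", "uri": "/login.php",
     "body": "uname=--fakeoption&passwd=anything"},
    {"ts": 103, "src": "10.0.0.5", "method": "GET",
     "uri": "/property_box.php?type=CheckProperties&vollist=vol1%26x", "body": ""},
    {"ts": 104, "src": "10.0.0.5", "method": "GET", "uri": "/osb103shelltmp", "body": ""},
    {"ts": 200, "src": "10.0.0.9", "method": "POST", "uri": "/login.php",
     "body": "uname=admin&passwd=secret"},
    {"ts": 205, "src": "10.0.0.9", "method": "GET",
     "uri": "/property_box.php?type=CheckProperties&vollist=vol1", "body": ""},
]

# Shell metacharacters that have no place in a volume list value.
SHELL_META = re.compile(r"[&|;`$]")

def classify(ev):
    """Return the indicator names a single request matches (empty list if benign)."""
    hits = []
    parts = urlsplit(ev["uri"])
    path = parts.path.lower()
    if path.endswith("/login.php") and ev["method"] == "POST":
        uname = parse_qs(ev["body"]).get("uname", [""])[0]
        if uname.startswith("--"):  # option-injection style bypass (e.g. --fakeoption)
            hits.append("osb_auth_bypass")
    if path.endswith("/property_box.php"):
        q = parse_qs(parts.query)  # parse_qs percent-decodes, so %26 becomes "&"
        vollist = q.get("vollist", [""])[0]
        if q.get("type", [""])[0] == "CheckProperties" and SHELL_META.search(vollist):
            hits.append("osb_vollist_injection")
    if path.endswith("/osb103shelltmp"):  # command-output staging file
        hits.append("osb_shelltmp_access")
    return hits

def detect_chain(events, window=60):
    """Correlate per source address: an auth bypass on login.php followed within
    `window` seconds by a vollist injection on property_box.php."""
    last_bypass, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = classify(ev)
        if "osb_auth_bypass" in hits:
            last_bypass[ev["src"]] = ev["ts"]
        if "osb_vollist_injection" in hits:
            t0 = last_bypass.get(ev["src"])
            if t0 is not None and ev["ts"] - t0 <= window:
                alerts.append((ev["src"], "osb_bypass_then_injection"))
    return alerts
```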
No detection rules found.
Exploit-DB
Oracle Secure Backup Server 10.3.0.1.0 - Authentication Bypass / Remote Code Injection
exploitdb · 2009-09-14 · CVSS 10.0 · CVE-2009-1977 [CRITICAL]
---
```bash
#!/bin/bash
# Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
# 1-day exploit for CVE-2009-1977 and CVE-2009-1978
# PoC script successfully tested on:
# Oracle Secure Backup Server 10.3.0.1.0_win32_release
# MS Windows Professional XP SP3
# In August 2009, ZDI disclosed a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
# Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
# authentication bypass and a trivial command injection, resulting in arbitrary command execution.
# References:
# http://www.zerodayinitiative.com/advisories/ZD
```
Metasploit
Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
This module exploits an authentication bypass vulnerability in login.php in order to execute arbitrary code via a command injection vulnerability in property_box.php. This module was tested against Oracle Secure Backup version 10.3.0.1.0 (Win32).
No writeups or analysis indexed.
References
- http://osvdb.org/55904
- http://secunia.com/advisories/35776
- http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
- http://www.securityfocus.com/bid/35678
- http://www.securitytracker.com/id?1022565
- http://www.vupen.com/english/advisories/2009/1900
- http://www.zerodayinitiative.com/advisories/ZDI-09-059/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/51762