CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS Percentile: 88.4%
Added: 06/22/2009
CVE: CVE-2008-4006
BID: 33177
OSVDB: 51343
Oracle Secure Backup is a centralized tape backup management solution for Oracle Database.
A command execution vulnerability in the Oracle Secure Backup web interface allows remote attackers to execute arbitrary commands specified in the **ora_osb_lcookie** parameter in an HTTP request for **login.php**.
Apply the patch referenced in the Oracle Critical Patch Update for January 2009.
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768>
Exploit works on Oracle Secure Backup 10.1.0.3.
When exploiting Windows targets, SAINTexploit must be able to bind to port 69/UDP.
When exploiting Linux targets, the “nc” utility must be installed on the target platform.
The IO-Socket-SSL Perl module is required for this exploit to run. This module is available from <http://www.cpan.org/modules/by-module/IO/>.
Windows
Linux