CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score Confidence: Low
EPSS Percentile: 100.0%
Added: 01/20/2009
CVE: CVE-2008-5448
BID: 33177
OSVDB: 51342
Oracle Secure Backup is a centralized tape backup management solution for Oracle Database.
A command injection vulnerability in the Oracle Secure Backup web interface allows a remote attacker to execute arbitrary commands specified in the **rbtool** parameter in an HTTP request for the **login.php** script.
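A log check for the request described above, added here as an example and not part of the original advisory or of any vendor tooling. It assumes a combined-format web access log in which the **rbtool** parameter appears in the query string (request bodies are not logged and are not covered), and the metacharacter set and function names are illustrative choices, not taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that let a shell chain a command or redirect I/O.
# Assumption: the advisory does not say which ones the flaw accepts, so match broadly.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")

# Request field of a combined-format log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_rbtool(line):
    """Return the decoded rbtool value if the line is a login.php request
    whose rbtool parameter contains shell metacharacters, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/login.php"):
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("rbtool", []):
        if SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Yield (client_ip, rbtool_value) for every flagged log line."""
    for line in lines:
        hit = suspicious_rbtool(line)
        if hit is not None:
            yield line.split(" ", 1)[0], hit

# Constructed sample log lines (documentation addresses, harmless values).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2009:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/Jan/2009:10:00:05 +0000] "GET /login.php?rbtool=status HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Jan/2009:10:01:13 +0000] "GET /login.php?rbtool=x%3Becho%20test HTTP/1.1" 200 90',
    '198.51.100.7 - - [20/Jan/2009:10:01:20 +0000] "GET /index.php?rbtool=x%7Cid HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"ALERT {ip} rbtool={value!r}")
```

A hit is a lead for review rather than proof of compromise; correlate it with process and outbound-connection records on the backup server.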
Apply the patch referenced in the Oracle Critical Patch Update Advisory - January 2009.
http://www.zerodayinitiative.com/advisories/ZDI-09-003/
The exploit works on Oracle Secure Backup 10.1.0.3.
The IO-Socket-SSL Perl module is required for this exploit to run. This module is available from http://www.cpan.org/modules/by-module/IO/.
When the target is Windows, this exploit must be able to bind to port 69/UDP in order to succeed.
When the target is Linux, the target must have the “nc” utility in order for the exploit to succeed.
Windows
Linux