OSSIM v2.2 Multiple Vulnerabilities
Posted on 17 March 2010
=================================== OSSIM v2.2 Multiple Vulnerabilities =================================== Advisory Name: Arbitrary File Download in OSSIM Vulnerability Class: Arbitrary File Download Release Date: 03-16-2010 Affected Applications: Confirmed in OSSIM 2.2. Other versions may also be affected. Affected Platforms: Multiple Local / Remote: Remote Severity: High – CVSS: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) Researcher: Nahuel Grisol?a Vendor Status: Fixed in OSSIM 2.2.1 Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: OSSIM is prone to a Arbitrary File Download vulnerability because the software fails to adequately sanitize user-supplied input. The file “download.php” in “/ossiminstall/repository/” directory suffers from an Arbitrary File Download vulnerability due to the missed input validation on the "file" parameter; in particular no validation is done on path traversal patterns. Proof of Concept: http://192.168.2.35/ossim/repository/download.php?file=../../../../../../../../etc/passwd&name=passwd.txt Impact: Through this vulnerability remote and unauthenticated users could download any file accessible by the Web server and by reading source files a malicious user could read important information such as database passwords. Solution: Fixed in OSSIM 2.2.1. See http://www.alienvault.com/community.php?section=News Vendor Response: 02-03-2010 – Initial contact 03-11-2010 – OSSIM 2.2.1 is available Advisory Name: Arbitrary File Upload in OSSIM Vulnerability Class: Arbitrary File Upload Release Date: 03-16-2010 Affected Applications: Confirmed in OSSIM 2.2. Other versions may also be affected. Affected Platforms: Multiple Local / Remote: Remote Severity: High – CVSS: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C) Researcher: Nahuel Grisol?a Vendor Status: Fixed in OSSIM 2.2.1 Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: The vulnerability is caused due to an improper check in “/ossiminstall/repository/repository_attachment.php” script, allowing the upload of files with arbitrary extensions to a folder inside the Webroot. This can be exploited to e.g. execute arbitrary PHP code by uploading a specially crafted PHP script containing some kind of Web Shell. Proof of Concept: Select a file with any extension (including PHP) and upload it using the form. The file will be available inside Webroot. Impact: Direct execution of arbitrary PHP code in the Web Server. Solution: Fixed in OSSIM 2.2.1. See http://www.alienvault.com/community.php?section=News Advisory Name: Remote Command Execution in OSSIM Vulnerability Class: Remote Command Execution Release Date: 03-16-2010 Affected Applications: Confirmed in OSSIM 2.2. Other versions may also be affected. Affected Platforms: Multiple Local / Remote: Remote Severity: High – CVSS: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C) Researcher: Nahuel Grisol?a Vendor Status: Fixed in OSSIM 2.2.1 Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: OSSIM is prone to a remote command execution vulnerability because the software fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected software and possibly the computer running OSSIM. Proof of Concept: http://192.168.X.X/ossim/sem/storage_graphs.php?uniqueid=199&what=;cat /etc/passwd > /tmp/passwd; http://192.168.X.X/ossim/sem/storage_graphs2.php?uniqueid=199&what=;cat /etc/passwd > /tmp/passwd; http://192.168.X.X/ossim/sem/storage_graphs3.php?uniqueid=199&what=;cat /etc/passwd > /tmp/passwd; http://192.168.X.X/ossim/sem/storage_graphs4.php?uniqueid=199&what=;cat /etc/passwd > /tmp/passwd; Impact: Direct execution of arbitrary code in the context of Web server user. Solution: Fixed in OSSIM 2.2.1. See http://www.alienvault.com/community.php?section=News Vendor Response: 02-03-2010 – Initial contact 03-11-2010 – OSSIM 2.2.1 is available # ~ - [ [ : Inj3ct0r : ] ]
