module
AlienVault OSSIM/USM Remote Code Execution
| Disclosed | Created |
|---|---|
| 01/31/2017 | 05/30/2018 |
Disclosed
01/31/2017
Created
05/30/2018
Description
This module exploits object injection, authentication bypass and ip spoofing vulnerabilities all together.
Unauthenticated users can execute arbitrary commands under the context of the root user.
By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
action and policy that enables to execute operating system commands by using captured session token. As a final step,
SSH login attempt with an invalid credentials can trigger a created rogue policy which triggers an action that executes
operating system command with root user privileges.
This module was tested against following product and versions:
AlienVault USM 5.3.0, 5.2.5, 5.0.0, 4.15.11, 4.5.0
AlienVault OSSIM 5.0.0, 4.6.1
Unauthenticated users can execute arbitrary commands under the context of the root user.
By abusing authentication bypass issue on gauge.php lead adversaries to exploit object injection vulnerability
which leads to SQL injection attack that leaks an administrator session token. Attackers can create a rogue
action and policy that enables to execute operating system commands by using captured session token. As a final step,
SSH login attempt with an invalid credentials can trigger a created rogue policy which triggers an action that executes
operating system command with root user privileges.
This module was tested against following product and versions:
AlienVault USM 5.3.0, 5.2.5, 5.0.0, 4.15.11, 4.5.0
AlienVault OSSIM 5.0.0, 4.6.1
Authors
Peter LappMehmet Ince
Platform
Python
Architectures
python
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/http/alienvault_exec
msf /(c) > show actions
...actions...
msf /(c) > set ACTION < action-name >
msf /(c) > show options
...show and set options...
msf /(c) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.