CVE-2014-3804
Published 2014-06-13
Priority: P2 · 76 · Critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 72.38% (99.4th percentile)
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) update_system_info_debian_package, (2) ossec_task, (3) set_ossim_setup admin_ip, (4) sync_rserver, or (5) set_ossim_setup framework_ip request, a different vulnerability than CVE-2014-3805.
Affected
29 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alienvault | open_source_security_information_management | <= 4.6.1 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for HTTPS POST requests to /av-centerd on port 40007 with a SOAPAction header containing 'AV/CC/Util#sync_rserver' and a uuid parameter value containing shell metacharacters (e.g., '&', '|', ';', backtick) not covered by the blacklist.
- Detect exploitation of update_system_info_debian_package by monitoring POST requests to /av-centerd on port 40007 with SOAPAction 'AV/CC/Util#update_system_info_debian_package' containing perl backtick or shell injection patterns in SOAP body parameters.
- Alert on SOAP requests to /av-centerd where the uuid or package parameter field contains '& ' followed by arbitrary commands, matching the injection pattern used in the sync_rserver exploit.
- Monitor for the SOAP server response header 'SOAPServer: SOAP::Lite' on port 40007 combined with 'alienvault-center' version strings below 4.7.0 to identify vulnerable targets.
- The incomplete blacklist in sync_rserver only blocks [;`\$\\|]: alert on uuid values containing '&', '<', '>', '(', ')', newline, or other shell metacharacters not in this set.
- The exploit uses SSL (HTTPS) on port 40007 by default; detection rules must account for TLS-encrypted traffic and may require SSL inspection to inspect SOAP body content.
- CVE-2014-3804 (sync_rserver / Util.pm) is a distinct vulnerability from CVE-2014-3805 (get_license, get_log_line, update_system/upgrade_pro_web); detection signatures should not conflate the two.
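A defender-side implementation of the first two detection bullets, added here as an example (it is not from the page's sources or AlienVault's code): it inspects already-decrypted request records (TLS inspection assumed, as the note above requires) for av-centerd POSTs on port 40007 and flags uuid or package values carrying the metacharacters the blacklist missed, adding a hex/dash allow-list because enumerating metacharacters is the weakness being detected. The request-record dict layout and the SOAP::Lite-style envelope builder used for the constructed sample traffic are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

AV_CENTERD_PORT, AV_CENTERD_PATH = 40007, "/av-centerd"
SYNC_RSERVER = "AV/CC/Util#sync_rserver"
DEBIAN_PKG = "AV/CC/Util#update_system_info_debian_package"
# What the incomplete sync_rserver blacklist blocked ([;`$\|]) plus the
# metacharacters the page lists as uncovered ('&', '<', '>', '(', ')', newline).
SHELL_META = set(";`$\\|&<>()\n")
UUID_RE = re.compile(r"[0-9A-Fa-f-]{1,64}")  # allow-list: hex digits and dashes only

def soap_params(body_xml):
    """Map local element name -> text for every leaf element under the SOAP Body."""
    params = {}
    for elem in ET.fromstring(body_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "Body":
            for leaf in elem.iter():
                if leaf is not elem and len(leaf) == 0:
                    params[leaf.tag.rsplit("}", 1)[-1]] = leaf.text or ""
    return params

def check_request(req):
    """Findings for one decrypted request record (assumed dict with method, port,
    path, headers, body); [] when nothing matches the av-centerd injection pattern."""
    if (req["method"], req["port"], req["path"]) != ("POST", AV_CENTERD_PORT, AV_CENTERD_PATH):
        return []
    action = req["headers"].get("SOAPAction", "").strip('"')
    params, findings = soap_params(req["body"]), []
    if SYNC_RSERVER in action:
        uuid = params.get("uuid", "")
        hits = sorted(set(uuid) & SHELL_META)
        if hits:
            findings.append(f"sync_rserver uuid contains shell metacharacters {hits}")
        elif not UUID_RE.fullmatch(uuid):
            findings.append("sync_rserver uuid fails the hex/dash allow-list")
    if DEBIAN_PKG in action:
        for name, value in params.items():
            if set(value) & SHELL_META:
                findings.append(f"update_system_info_debian_package {name!r} contains shell metacharacters")
    return findings

def make_request(action, method, port=AV_CENTERD_PORT, **fields):
    """Constructed SOAP::Lite-style request record standing in for decrypted traffic."""
    body = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in fields.items())
    env = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
           f'<m:{method} xmlns:m="AV/CC/Util">{body}</m:{method}></soap:Body></soap:Envelope>')
    return {"method": "POST", "port": port, "path": AV_CENTERD_PATH,
            "headers": {"SOAPAction": f'"{action}"'}, "body": env}
```

Because the sample values are XML-escaped on the way in and decoded by the parser, an `&amp;` in the wire body is still caught as `&`, which a raw byte-pattern rule on the encrypted stream would miss.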
GHSA
GHSA-f68v-p32j-mqvq (ghsa_unreviewed · 2022-05-17 · CVSS 10.0) · CVE-2014-3805 [CRITICAL] · CWE-94
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) get_license, (2) get_log_line, or (3) update_system/upgrade_pro_web request, a different vulnerability than CVE-2014-3804.
GHSA
GHSA-3f7x-rf2q-c7q4 (ghsa_unreviewed · 2022-05-17 · CVSS 10.0) · CVE-2014-5210 [CRITICAL] · CWE-94
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.
GHSA
GHSA-wmc3-5pmj-wx7f (ghsa_unreviewed · 2022-05-17 · CVSS 10.0) · CVE-2014-3804 [CRITICAL] · CWE-94
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) update_system_info_debian_package, (2) ossec_task, (3) set_ossim_setup admin_ip, (4) sync_rserver, or (5) set_ossim_setup framework_ip request, a different vulnerability than CVE-2014-3805.
No detection rules found.
Exploit-DB
Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit) (exploitdb · 2017-09-13 · CVE-2014-3804)
---
```ruby
require 'msf/core'
class MetasploitModule 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',
  'Description' => %q{
    This module exploits a command injection vulnerability found within the sync_rserver
    function in Util.pm. The vulnerability is triggered due to an incomplete blacklist
    during the parsing of the $uuid parameter. This allows for the escaping of a system
    command allowing for arbitrary command execution as root
  },
  'References' =>
    [
      [ 'CVE', '2014-3804' ],
      [ 'ZDI', '14-197' ],
      [ 'URL', 'http://forums.alienvault.com/discussion/2690' ],
    ],
  'Author' => [ 'james fitts' ],
  'License' => MSF_LICENSE,
  'DisclosureDate' => 'Jun 11 2014')
  register_options([
    Opt::RPORT(40007),
    OptBool.ne
```
Exploit-DB
Alienvault Open Source SIEM (OSSIM) - av-centerd Command Injection (Metasploit) (exploitdb · 2014-06-24 · CVE-2014-3804)
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 'AlienVault OSSIM av-centerd Command Injection',
  'Description' => %q{
    This module exploits a code execution flaw in AlienVault 4.6.1 and
    prior. The vulnerability exists in the av-centerd SOAP web service,
    where the update_system_info_debian_package method uses perl backticks
    in an insecure way, allowing command injection. This module has been
    tested successfully on AlienVault 4.6.0.
  },
  'Author' =>
    [
      'Unknown', # From HP ZDI team, Vulnerability discovery
      'juan vazquez' # Metasploit module
    ],
  'License' => MSF_L
```
Metasploit
AlienVault OSSIM av-centerd Command Injection (metasploit)
This module exploits a code execution flaw in AlienVault 4.6.1 and prior. The vulnerability exists in the av-centerd SOAP web service, where the update_system_info_debian_package method uses perl backticks in an insecure way, allowing command injection. This module has been tested successfully on AlienVault 4.6.0.
No writeups or analysis indexed.
References
- http://forums.alienvault.com/discussion/2690
- http://zerodayinitiative.com/advisories/ZDI-14-196/
- http://zerodayinitiative.com/advisories/ZDI-14-197/
- http://zerodayinitiative.com/advisories/ZDI-14-200/
- http://zerodayinitiative.com/advisories/ZDI-14-201/
- http://zerodayinitiative.com/advisories/ZDI-14-202/
- https://www.exploit-db.com/exploits/42708/