CVE-2016-8580
Published 2016-10-28
Priority: P2 · 65 · critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 6.86% (93.2th percentile)
PHP object injection vulnerabilities exist in multiple widget files in AlienVault OSSIM and USM before 5.3.2. These vulnerabilities allow arbitrary PHP code execution via magic methods in included classes.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alienvault | open_source_security_information_and_event_management | <= 5.3.1 | — |
| alienvault | unified_security_management | <= 5.3.1 | — |
Detection & IOCs (extracted from sources)
- Detect PHP object injection attempts by monitoring GET requests to widget PHP files under /ossim/dashboard/sections/widgets/data/ containing serialized PHP object payloads (e.g., 'O:' or 'a:' prefixed URL-encoded strings) in the 'value' parameter.
- Alert on HTTP requests to gauge.php (or other widget files) with the User-Agent 'AV Report Scheduler'; this is the authentication bypass header used to access the vulnerable endpoint without credentials.
- Detect SQL injection via error-based extractvalue() payloads in the 'value' GET parameter of gauge.php, specifically patterns matching 'extractvalue(rand(),concat(0x3a' or 'XPATH syntax error' in HTTP responses.
- Monitor for POST requests to /ossim/action/modifyactions.php with 'action_type=2' and an 'exec_command' parameter containing Python payloads, indicating rogue action creation for OS command execution.
- Monitor for POST requests to /ossim/policy/newpolicy.php immediately following action creation, which is the step used to arm the rogue action via a policy trigger.
- Detect the exploit trigger phase: an SSH login attempt to port 22 as 'root' with a random password immediately after policy creation, which is used to fire the rogue policy/action chain.
- Detect X-Forwarded-For header spoofing on requests to OSSIM widget and policy endpoints; the exploit sets X-Forwarded-For to the attacker's own IP to bypass IP-based access controls.
- Look for the IDS_Report PHP class name appearing in serialized object payloads sent to widget endpoints, as it is the class used in the published PoC to trigger the __toString magic method.
- The session hijack via SQL injection only succeeds if at least one administrator session exists in the sessions table at the time of exploitation; an empty table will cause the exploit to fail.
- The vulnerability affects AlienVault OSSIM and USM versions up to and including 5.3.1; version 5.3.2 contains the fix.
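As an added illustration (not code from the advisory or from any of the page's sources), the following Python detector implements the first three web-side indicators above over constructed access-log lines: widget requests whose 'value' parameter decodes to a serialized PHP object or array, the 'AV Report Scheduler' User-Agent, and extractvalue() payloads. The combined log format, the sample lines and the tag names are my assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample web-server log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Nov/2016:10:00:01 +0000] "GET /ossim/dashboard/sections/widgets/data/gauge.php?type=alarm&value=O%3A10%3A%22IDS_Report%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "AV Report Scheduler"
203.0.113.5 - - [02/Nov/2016:10:00:02 +0000] "GET /ossim/dashboard/sections/widgets/data/gauge.php?value=extractvalue(rand(),concat(0x3a,1)) HTTP/1.1" 500 210 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2016:10:00:03 +0000] "GET /ossim/dashboard/sections/widgets/data/rss.php?value=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22foo%22%3B%7D HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2016:10:00:04 +0000] "GET /ossim/session/login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
WIDGET_PREFIX = "/ossim/dashboard/sections/widgets/data/"   # the vulnerable widget files live here
SERIALIZED_RE = re.compile(r"^(O|a):\d+:")                  # PHP serialize() object/array prefix
SQLI_RE = re.compile(r"extractvalue\s*\(", re.IGNORECASE)  # error-based extraction primitive

def analyze_line(line):
    """Return the CVE-2016-8580 indicator tags matched by one access-log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(WIDGET_PREFIX) or not parts.path.endswith(".php"):
        return []
    findings = []
    if m.group("ua") == "AV Report Scheduler":      # bypass User-Agent named above
        findings.append("auth-bypass-user-agent")
    # parse_qs percent-decodes once; unquote_plus strips a second encoding layer if present
    for raw in parse_qs(parts.query, keep_blank_values=True).get("value", []):
        value = unquote_plus(raw)
        if SERIALIZED_RE.match(value):
            findings.append("serialized-php-payload")
        if "IDS_Report" in value:
            findings.append("ids-report-class")
        if SQLI_RE.search(value):
            findings.append("extractvalue-sqli")
    return findings

def analyze_log(text):
    """Return (client_ip, widget_file, tags) for each line matching at least one indicator."""
    hits = []
    for line in text.splitlines():
        tags = analyze_line(line)
        if tags:
            m = LOG_RE.match(line.strip())
            hits.append((m.group("ip"), urlsplit(m.group("target")).path.rsplit("/", 1)[-1], tags))
    return hits
```

The POST-body indicators (modifyactions.php, newpolicy.php) need request bodies and are not visible in an access log, so they are out of scope here.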
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)
exploitdb · 2017-01-31 · CVE-2016-8580
'Name' => "AlienVault OSSIM/USM Remote Code Execution",
'Description' => %q{
This module exploits object injection, authentication bypass and IP spoofing vulnerabilities all together.
Unauthenticated users can execute arbitrary commands under the context of the root user.
Abusing the authentication bypass issue on gauge.php leads adversaries to exploit an object injection vulnerability
which leads to a SQL injection attack that leaks an administrator session token. Attackers can create a rogue
action and policy that enables them to execute operating system commands by using the captured session token. As a final step,
an SSH login attempt with invalid credentials can trigger the created rogue policy, which triggers an action that executes
an operating system command with root user privileges.
This mod
Exploit-DB
Alienvault OSSIM/USM 5.3.1 - PHP Object Injection
exploitdb · 2016-11-02 · CVE-2016-8580 · CVSS 9.8 [CRITICAL]
---
Details
Product: Alienvault OSSIM/USM
Vulnerability: PHP Object Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8580
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
A PHP object injection vulnerability exists in multiple widget files
due to the unsafe use of the unserialize() function. The affected
files include flow_chart.php, gauge.php, honeypot.php,
image.php, inventory.php, otx.php, rss.php, security.php, siem.php,
taxonomy.php, tickets.php, and url.php.
An authenticated attacker could send a serialized PHP object to one of
the vulnerable pages and potentially gain code execution via magic
methods in included classes.
POC
====
This benign POC injects the IDS_Report class from PHPIDS i
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/93864
- https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
- https://www.exploit-db.com/exploits/40682/