CVE-2016-8582
Published 2016-10-28
Priority P2 · 73 · CVSS 3.0 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 57.43% (99.0th percentile)
A vulnerability exists in gauge.php of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to execute an arbitrary SQL query and retrieve database information or read local system files via MySQL's LOAD_FILE.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alienvault | open_source_security_information_and_event_management | <= 5.3.1 | — |
| alienvault | unified_security_management | <= 5.3.1 | — |
Detection & IOCs (extracted from sources)
- URL: /ossim/dashboard/sections/widgets/data/gauge.php?&type=alarm&wtype=blah&asset=1&height=1&value=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A67%3A%22pass+from+users+INTO+OUTFILE+%27%2Ftmp%2F10.0.0.123_pass_tshark.pcap%27--+-%22%3B%7D
- Detect HTTP requests to gauge.php containing a serialized PHP array in the 'value' parameter — the payload encodes a SQL query in the 'type' field of the serialized object (e.g. 'a:1:{s:4:"type";s:...').
- Alert on HTTP requests to gauge.php whose 'value' parameter contains URL-encoded INTO OUTFILE or LOAD_FILE SQL keywords, indicating blind SQLi or file-read exploitation.
- Monitor for the sequential access pattern: POST/GET to gauge.php followed by a GET to /ossim/pcap/download.php — this two-step pattern is used to exfiltrate SQL query output written to a file.
- The Metasploit module chains this SQLi (CVE-2016-8582) with object injection and IP spoofing to leak an admin session token, then creates a rogue action/policy and triggers it via an SSH login with invalid credentials to achieve RCE as root. Detect anomalous SSH login attempts to the AlienVault sensor following web requests to gauge.php.
- Exploitation of the SQLi in gauge.php requires authentication in the standalone CVE-2016-8582 scenario; however, the Metasploit module bypasses authentication by chaining an authentication bypass vulnerability, making the SQLi reachable unauthenticated.
- The SQL injection result is not reflected in the HTTP response; detection based solely on response content inspection will miss this vulnerability — out-of-band (INTO OUTFILE + download.php retrieval) or time-based blind detection is required.
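The detection ideas above, turned into a small log-review script (an added example, not part of this page or of any vendor rule): it decodes the `value` parameter of gauge.php requests, pulls the `type` string out of the PHP-serialized array, flags INTO OUTFILE / LOAD_FILE, and records the gauge.php → download.php two-step per client. The log lines, client addresses and file paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

GAUGE_PATH = "/ossim/dashboard/sections/widgets/data/gauge.php"
DOWNLOAD_PATH = "/ossim/pcap/download.php"
# SQL keywords that move query output to / read from the filesystem.
SQL_FILE_KEYWORDS = re.compile(r"\bINTO\s+OUTFILE\b|\bLOAD_FILE\s*\(", re.IGNORECASE)

# Constructed access-log lines ("client method path status"); not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET " + GAUGE_PATH + "?&type=alarm&wtype=x&asset=1&height=1"
    "&value=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A5%3A%22alarm%22%3B%7D 200",
    "10.0.0.9 GET " + GAUGE_PATH + "?&type=alarm&wtype=x&asset=1&height=1"
    "&value=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A29%3A%22x+INTO+OUTFILE+%27%2Ftmp%2Fout%27--+-%22%3B%7D 200",
    "10.0.0.7 GET " + GAUGE_PATH + "?&type=alarm&wtype=x&asset=1&height=1"
    "&value=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A19%3A%22LOAD_FILE%28%27%2Ftmp%2Fa%27%29%22%3B%7D 200",
    "10.0.0.9 GET " + DOWNLOAD_PATH + "?scan_name=out 200",
]

def parse_line(line):
    """Split one constructed log line into client, method, path and decoded query params."""
    client, method, target, _status = line.split()
    parts = urlsplit(target)
    return client, method, parts.path, parse_qs(parts.query, keep_blank_values=True)

def serialized_type_field(value):
    """Return the 'type' string of a PHP-serialized array a:N:{s:4:"type";s:M:"...";}, else None."""
    m = re.search(r'a:\d+:\{.*?s:4:"type";s:(\d+):"', value, re.DOTALL)
    if not m:
        return None
    length = int(m.group(1))          # PHP stores the byte length of the string
    return value[m.end():m.end() + length]

def analyze(lines):
    """Return (client, finding, detail) tuples for the gauge.php indicators."""
    findings, suspicious_clients = [], set()
    for line in lines:
        client, _method, path, params = parse_line(line)
        if path == GAUGE_PATH:
            value = params.get("value", [""])[0]
            if not value.startswith("a:"):        # not a serialized array at all
                continue
            query = serialized_type_field(value)
            if query is None:
                continue
            hit = SQL_FILE_KEYWORDS.search(query)
            if hit:                               # file write / read via SQL
                findings.append((client, "sqli-file-op", hit.group(0)))
                suspicious_clients.add(client)
            else:                                 # serialized value, no file keyword
                findings.append((client, "serialized-value", query))
        elif path == DOWNLOAD_PATH and client in suspicious_clients:
            findings.append((client, "exfil-chain", path))   # step two of the pattern
    return findings
```

Real deployments would feed the same `analyze()` the web server's access log and forward `sqli-file-op` and `exfil-chain` findings to the SIEM; the `serialized-value` finding is informational only.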
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
Alienvault OSSIM/USM 5.3.1 - SQL Injection
exploitdb · 2016-11-02 · CVSS 9.8
---
Details
Product: Alienvault OSSIM/USM
Vulnerability: SQL Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8582
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
A SQL injection vulnerability exists in the value parameter of
/ossim/dashboard/sections/widgets/data/gauge.php on line 231. By
sending a serialized array with a SQL query in the type field, it's
possible to execute an arbitrary SQL query. The result is not
displayed on the screen, but it can be exploited as a blind SQLi or
have the output directed to a file and then retrieved via another
request. Authentication is required.
POC
===
This request will dump user password hashes to a file:
/ossim/dashboard/sections/widgets/data/gauge.php?&ty
Metasploit
AlienVault OSSIM/USM Remote Code Execution
metasploit
This module exploits object injection, authentication bypass and IP spoofing vulnerabilities all together. Unauthenticated users can execute arbitrary commands under the context of the root user. Abusing the authentication bypass issue on gauge.php leads adversaries to exploit an object injection vulnerability, which leads to a SQL injection attack that leaks an administrator session token. Attackers can create a rogue action and policy that enables them to execute operating system commands by using the captured session token. As a final step, an SSH login attempt with invalid credentials can trigger the created rogue policy, which triggers an action that executes an operating system command with root user privileges. This module was tested against following product an
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/93866
- https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
- https://www.exploit-db.com/exploits/40684/