Analogi ( Web Interface for OSSEC ) SQL Injection Vulnerability

Hey

This weekend I decided to install OSSEC in my lab. I was planning to see how OSSEC works and what its detection rate is on reverse/bind connections. After installing the OSSEC agent and server, I was thinking about developing a Node.js application to print all of the data on screen in real time, so I searched for a similar project. After several Google searches I came across Analogi.

https://github.com/ECSC/analogi

Technical Analysis

Analogi is developed in PHP and can be found on GitHub. It actually seems quite popular to me. I thought I should look at the source code for stored XSS and SQLi, because OSSEC gathers data from agents and this "data" is generated by clients (attackers). I was reading the code from this perspective, but I found something else: an SQL injection, and a very basic one.

The following code is taken from the manager.php file.

if(isset($_GET['action']) && $_GET['action']=='delete' && preg_match("/\/management.php/", $_SERVER['HTTP_REFERER'])){
	# Yes I know the referer is fakable, but this is to help reduce CSRF attacks from remote links, and not to prevent malicious browsers

	$where="";
	# delete ruleid
	if(isset($_GET['rule_id']) && is_numeric($_GET['rule_id']) && strlen($_GET['rule_id'])>0){
		$where.="alert.rule_id=".$_GET['rule_id']." AND ";
	}
	
	# deletelevel
	if(isset($_GET['level']) && is_numeric($_GET['level']) && $_GET['level']>0){
		$where.="signature.level=".$_GET['level']." AND ";
	}
	
	# deletebefore
	if(isset($_GET['before']) && is_numeric($_GET['before']) && $_GET['before']>0){
		$where.="alert.timestamp<".$_GET['before']." AND ";
	}
	# delete source
	if(isset($_GET['source']) && strlen($_GET['source'])>0){
		$where.="location.name like \"".$_GET['source']."%\" AND ";
	}
	# delete path
	if(isset($_GET['path']) && strlen($_GET['path'])>0){
		$where.="location.name like \"%".$_GET['path']."\" AND ";
	}
	# delete data
	if(isset($_GET['datamatch']) && strlen($_GET['datamatch'])>0){
		$where.="data.full_log like \"%".$_GET['datamatch']."%\" AND ";
	}
	
	$query="";
	# Only run if paramters set, do NOT empty the database!
	if(strlen($where) > 0){

		# remove the last 'AND '
		$where=substr($where,0,-4);

		$querydelete="DELETE alert, data FROM alert
			LEFT JOIN data ON alert.id=data.id
			LEFT JOIN signature ON alert.rule_id=signature.rule_id
			LEFT JOIN location ON alert.location_id=location.id
			WHERE ".$where;
		$resultdelete=mysql_query($querydelete, $db_ossec);
		if($resultdelete==1){
			# MySQL version of vaccum... this actually removes the data
			$query="OPTIMIZE TABLE alert;";
			mysql_query($query, $db_ossec);
			$query="OPTIMIZE TABLE data;";
			mysql_query($query, $db_ossec);
		}
	
		if($glb_detailsql==1){
		#	For niceness show the SQL queries, just incase you want to dig deeper your self
			echo "<div class='clr' style='padding-bottom:20px;'></div>
				<div class='fleft top10header'>SQL (".$resultdelete.")</div>
				<div class='fleft tiny' style=''>".htmlspecialchars($querydelete)."</div>";
		}
	}	
}

Line 1 = Expects the action parameter to be defined and equal to delete. The Referer header must also match the preg_match check.

Line 2 = Good comment.

Line 24 = The path parameter is placed into the query without any sanitization and appended to the $where variable.

Line 30 = The $where variable is appended to the end of the query string.

Many other vulnerabilities can be found in the same file.
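For contrast, here is a hardened rewrite of the same delete handler using PDO prepared statements, so that the source, path and datamatch values are bound as data instead of being concatenated into the SQL. This is an added example, not Analogi's code; it assumes $db_ossec is a PDO connection configured to throw on errors, and keeps the original filter names and DELETE statement.

```php
<?php
// Hardened version of the manager.php delete handler (added example, not
// Analogi's code). Numeric filters are cast to int, string filters are bound
// as parameters, so request input can never change the SQL structure.
// The action/Referer check from the original stays outside this function.

function buildDeleteQuery(array $get): ?array
{
    $conditions = [];
    $params     = [];

    // Numeric filters: is_numeric() also accepts "1e3", " 5", "0x1A" etc.,
    // so require plain digits and cast to int instead of interpolating.
    foreach (['rule_id' => 'alert.rule_id = ?',
              'level'   => 'signature.level = ?',
              'before'  => 'alert.timestamp < ?'] as $key => $sql) {
        if (isset($get[$key]) && is_string($get[$key])
            && ctype_digit($get[$key]) && (int)$get[$key] > 0) {
            $conditions[] = $sql;
            $params[]     = (int)$get[$key];
        }
    }

    // String filters: bound as parameters; % and _ are escaped so they are
    // matched literally rather than acting as LIKE wildcards.
    foreach (['source'    => ['location.name LIKE ?', '',  '%'],
              'path'      => ['location.name LIKE ?', '%', ''],
              'datamatch' => ['data.full_log LIKE ?',  '%', '%']] as $key => [$sql, $pre, $post]) {
        if (isset($get[$key]) && is_string($get[$key]) && $get[$key] !== '') {
            $conditions[] = $sql;
            $params[]     = $pre . addcslashes($get[$key], '%_\\') . $post;
        }
    }

    // Never run an unfiltered DELETE: no condition means no query at all.
    if ($conditions === []) {
        return null;
    }

    $sql = "DELETE alert, data FROM alert
            LEFT JOIN data ON alert.id = data.id
            LEFT JOIN signature ON alert.rule_id = signature.rule_id
            LEFT JOIN location ON alert.location_id = location.id
            WHERE " . implode(' AND ', $conditions);
    return [$sql, $params];
}

function runDelete(PDO $db_ossec, array $get): int
{
    $built = buildDeleteQuery($get);
    if ($built === null) {
        return 0;
    }
    [$sql, $params] = $built;
    $stmt = $db_ossec->prepare($sql);   // placeholders, never string concatenation
    $stmt->execute($params);
    return $stmt->rowCount();            // rows deleted
}
```

A quote or keyword inside path now reaches MySQL only as the value of a bound parameter, and the OPTIMIZE TABLE follow-up from the original can be run unchanged after runDelete() returns.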

Result

Analogi can be useful, but it is really not a secure application. I would recommend Logstash or similar technologies rather than PHP apps.