Hey
This weekend I decided to install OSSEC in my lab. I was planning to see how OSSEC works and what its detection rate is for reverse/bind connections. After I had installed the OSSEC agent and server, I was thinking about developing a Node.js application to print every event on screen in real time, so I decided to search for a similar project first. After several Google searches I came across Analogi.
https://github.com/ECSC/analogi
Technical Analysis
Analogi is developed in PHP and can be found on GitHub; it actually seems quite popular. I thought I should look at the source code for stored XSS and SQLi, because OSSEC gathers its data from agents, and that "data" is ultimately generated by clients (i.e. attackers). I was reading the code from that perspective, but I found something else: an SQL injection, and a very basic one.
The following code is taken from the manager.php file.
    if(isset($_GET['action']) && $_GET['action']=='delete' && preg_match("/\/management.php/", $_SERVER['HTTP_REFERER'])){
        # Yes I know the referer is fakable, but this is to help reduce CSRF attacks from remote links, and not to prevent malicious browsers
        $where="";
        # delete ruleid
        if(isset($_GET['rule_id']) && is_numeric($_GET['rule_id']) && strlen($_GET['rule_id'])>0){
            $where.="alert.rule_id=".$_GET['rule_id']." AND ";
        }
        # deletelevel
        if(isset($_GET['level']) && is_numeric($_GET['level']) && $_GET['level']>0){
            $where.="signature.level=".$_GET['level']." AND ";
        }
        # deletebefore
        if(isset($_GET['before']) && is_numeric($_GET['before']) && $_GET['before']>0){
            $where.="alert.timestamp<".$_GET['before']." AND ";
        }
        # delete source
        # user-controlled string concatenated straight into the SQL, no escaping
        if(isset($_GET['source']) && strlen($_GET['source'])>0){
            $where.="location.name like \"".$_GET['source']."%\" AND ";
        }
        # delete path
        # same pattern: only a length check, no escaping
        if(isset($_GET['path']) && strlen($_GET['path'])>0){
            $where.="location.name like \"%".$_GET['path']."\" AND ";
        }
        # delete data
        # same pattern: only a length check, no escaping
        if(isset($_GET['datamatch']) && strlen($_GET['datamatch'])>0){
            $where.="data.full_log like \"%".$_GET['datamatch']."%\" AND ";
        }
        $query="";
        # Only run if parameters set, do NOT empty the database!
        if(strlen($where) > 0){
            # remove the last 'AND '
            $where=substr($where,0,-4);
            $querydelete="DELETE alert, data FROM alert
                LEFT JOIN data ON alert.id=data.id
                LEFT JOIN signature ON alert.rule_id=signature.rule_id
                LEFT JOIN location ON alert.location_id=location.id
                WHERE ".$where;
            $resultdelete=mysql_query($querydelete, $db_ossec);
            if($resultdelete==1){
                # MySQL version of vacuum... this actually removes the data
                $query="OPTIMIZE TABLE alert;";
                mysql_query($query, $db_ossec);
                $query="OPTIMIZE TABLE data;";
                mysql_query($query, $db_ossec);
            }
            if($glb_detailsql==1){
                # For niceness show the SQL queries, just in case you want to dig deeper yourself
                echo "<div class='clr' style='padding-bottom:20px;'></div>
                <div class='fleft top10header'>SQL (".$resultdelete.")</div>
                <div class='fleft tiny' style=''>".htmlspecialchars($querydelete)."</div>";
            }
        }
    }
Line 1 = Expects the action parameter to be set and equal to delete. The Referer header must also match the /management.php/ regex (which, as the comment admits, is trivially forged).
Line 2 = Good comments..
Line 24 = The path parameter is put into the query without any sanitisation: it is concatenated straight into the $where string inside the location.name LIKE clause. The source and datamatch branches follow exactly the same pattern.
Line 30 = The $where string is appended to the end of the DELETE query, which is then executed as-is.
There are many other vulnerabilities to be found in the same file.
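For comparison, here is how the same WHERE builder looks with PDO prepared statements, so that request values are bound as parameters instead of being spliced into the SQL text. This is an added example, not Analogi's own code; it assumes a PDO connection in $pdo and that the action/Referer check from the original file has already run.

```php
<?php
// Added example (not Analogi's code): builds the DELETE with bound parameters.
// Assumes $pdo is a PDO connection to the OSSEC database (hypothetical here).

function buildDeleteQuery(array $get): ?array
{
    $conditions = [];
    $params     = [];

    // Numeric filters: require digits only, cast, and still bind instead of concatenating.
    if (isset($get['rule_id']) && ctype_digit((string) $get['rule_id'])) {
        $conditions[] = 'alert.rule_id = ?';
        $params[]     = (int) $get['rule_id'];
    }
    if (isset($get['level']) && ctype_digit((string) $get['level']) && (int) $get['level'] > 0) {
        $conditions[] = 'signature.level = ?';
        $params[]     = (int) $get['level'];
    }
    if (isset($get['before']) && ctype_digit((string) $get['before']) && (int) $get['before'] > 0) {
        $conditions[] = 'alert.timestamp < ?';
        $params[]     = (int) $get['before'];
    }

    // String filters: the LIKE wildcards are added by code; the user value is a bound
    // parameter, so quotes in it cannot change the statement. (As in the original,
    // % and _ inside the value still act as LIKE wildcards; escape them for literal matching.)
    $likeFilters = [
        'source'    => ['location.name', '%s%%'],
        'path'      => ['location.name', '%%%s'],
        'datamatch' => ['data.full_log', '%%%s%%'],
    ];
    foreach ($likeFilters as $key => [$column, $pattern]) {
        if (isset($get[$key]) && strlen($get[$key]) > 0) {
            $conditions[] = "$column LIKE ?";
            $params[]     = sprintf($pattern, $get[$key]);
        }
    }

    // Never issue an unconditional DELETE: refuse when no filter was given.
    if (count($conditions) === 0) {
        return null;
    }

    $sql = 'DELETE alert, data FROM alert'
         . ' LEFT JOIN data ON alert.id = data.id'
         . ' LEFT JOIN signature ON alert.rule_id = signature.rule_id'
         . ' LEFT JOIN location ON alert.location_id = location.id'
         . ' WHERE ' . implode(' AND ', $conditions);
    return [$sql, $params];
}

// Usage: prepare once, execute with the bound values, read the affected row count.
if (($built = buildDeleteQuery($_GET)) !== null) {
    [$sql, $params] = $built;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $deleted = $stmt->rowCount();
}
```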
Result
Analogi can be useful, but it really is not a secure application. I would recommend Logstash or similar technologies rather than PHP apps.