Comments (7)

jrossi commented on August 18, 2024

I did not think this was exploitable. But I can see it. @awiddersheim do you have time to look at this?

@ossec think a fix to this should get pulled to stable before release.

from ossec-hids.

mstarks01 commented on August 18, 2024

This is a valid issue and will be labelled high risk with some security scanners. Lots of apps, including those like McAfee, have had this issue flagged. I don't necessarily agree that it is a high risk given that non-administrators usually don't have logon local rights, but it is what it is. The fix is easy.

awiddersheim commented on August 18, 2024

I will try and fix tomorrow morning.

jrossi commented on August 18, 2024

Thank you. I am not able to get online till Sunday, maybe not Monday. Let me know if you cannot and I will go to Starbucks and patch.

awiddersheim commented on August 18, 2024

This seems to have already been fixed and I think @sercanacar might be looking at an older version. I found the fixing commit below which fixes the same thing @sercanacar reported:

d824ee3

I installed v2.7.1 and I don't see any issues.

The actual service installation and how it installs now does add quotes around the string here:

https://github.com/ossec/ossec-hids/blob/master/src/win32/win_agent.c#L106

This is before the InstallService() function gets called (if ever, depending on user input). @sercanacar What version of OSSEC are you running? @jrossi Can you provide a link to the latest beta version for him to try there to see if it is still an issue?

awiddersheim commented on August 18, 2024

@sercanacar You should be able to download the v2.8 beta-1 from here:

http://www.ossec.net/?page_id=19

This should fix the issue. Please report back if not.

mstarks01 commented on August 18, 2024

FYI, the Nessus plugin ID which flags this as a high risk finding is 63155. From the report:

Synopsis: The remote Windows host has at least one service installed that uses
an unquoted service path.

Description
The remote Windows host has at least one service installed that uses
an unquoted service path, which contains at least one whitespace. A
local attacker could gain elevated privileges by inserting an
executable file in the path of the affected service.
Note that this is a generic test that will flag any application
affected by the described vulnerability.

Solution
Ensure that any services that contain a space in the path enclose the
path in quotes.

See Also
http://isc.sans.edu/diary.html?storyid=14464
http://cwe.mitre.org/data/definitions/428.html
http://www.commonexploits.com/?p=658
http://www.nessus.org/u?4aa6acbc

Risk Factor: High

CVSS Base Score
7.2 (CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score
6.5 (CVSS2#E:POC/RL:U/RC:ND)

Plugin Output
Nessus found the following service with an untrusted path:
OssecSvc : C:\Program Files (x86)\ossec-agent\ossec-agent.exe

CVE
CVE-2013-1609
CVE-2014-0759

BID
58591
58617
65873

Xref
OSVDB:91492
OSVDB:91582
OSVDB:102505
ICSA:14-058-01

Vulnerability Publication Date: 2012/09/15

Plugin Publication Date: 2012/12/05

Plugin Last Modification Date: 2014/03/19

Public Exploit Available: True

Exploitable With: Metasploit (Windows Service Trusted Path Privilege Escalation)

from ossec-hids.
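
The condition the Nessus report flags and the quoting fix discussed in the thread, as an added example that is not part of the thread or of OSSEC's own code: portable C that reports an unquoted service path whose executable part contains whitespace and produces the quoted form. The function names and the `.exe` heuristic for separating arguments from the path are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Length of the executable part of an unquoted service command line: up to and
 * including the first ".exe" followed by whitespace or end of string; if none
 * is found the whole string counts as the path (heuristic assumed here). */
static size_t exe_part_len(const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (s[i] == '.' && tolower((unsigned char)s[i + 1]) == 'e' &&
            tolower((unsigned char)s[i + 2]) == 'x' &&
            tolower((unsigned char)s[i + 3]) == 'e' &&
            (s[i + 4] == '\0' || isspace((unsigned char)s[i + 4])))
            return i + 4;
    return n;
}

/* 1 if the path is unquoted and its executable part contains whitespace
 * (the CWE-428 condition); 0 if it is quoted or has no such whitespace. */
int is_unquoted_with_space(const char *p)
{
    while (isspace((unsigned char)*p)) p++;
    if (*p == '"') return 0;                 /* already quoted */
    size_t n = exe_part_len(p);
    for (size_t i = 0; i < n; i++)
        if (isspace((unsigned char)p[i])) return 1;
    return 0;                                /* e.g. svchost.exe -k netsvcs */
}

/* Writes the remediated command line to out: executable part wrapped in
 * quotes, arguments untouched. Returns 0, or -1 if out is too small. */
int quote_image_path(const char *p, char *out, size_t outlen)
{
    while (isspace((unsigned char)*p)) p++;
    size_t n = exe_part_len(p);
    int w = is_unquoted_with_space(p)
          ? snprintf(out, outlen, "\"%.*s\"%s", (int)n, p, p + n)
          : snprintf(out, outlen, "%s", p);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Service path taken from the Nessus plugin output quoted in the thread. */
    const char *svc = "C:\\Program Files (x86)\\ossec-agent\\ossec-agent.exe";
    char fixed[512];
    if (is_unquoted_with_space(svc) && quote_image_path(svc, fixed, sizeof fixed) == 0)
        printf("FLAG %s\nFIX  %s\n", svc, fixed);
    return 0;
}
```

Checking only the executable part keeps services such as `svchost.exe -k netsvcs`, whose only whitespace precedes an argument, from being reported.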
