Showing posts from 2018

OSSEC Privilege Escalation via Directory Traversal

Overview

OSSEC HIDS can allow an attacker to escalate privileges via the method described in this post. I recently came across this issue, which could present a concern in some environments. This issue is known as CVE-2018-19666.

Access Required

There is some access required, as this is privilege escalation:

Full access to the OSSEC server.
Low privilege access to a system with the OSSEC HIDS agent installed.

The Vulnerability

OSSEC has a feature called ActiveResponse that allows OSSEC admins to execute scripts to respond to security incidents. The documentation says the script has to be in a specified directory; specifically, it says this:

The [response script] must be inside the /var/ossec/active-response/bin/ [on the system with ossec hids] with the execution permissions set.

This Active Response feature can run scripts remotely on the client system if the script is in the active-response/bin directory, on either Windows or Linux. When a specially crafted configuration is used, an attacker …