Showing posts from December, 2018

OSSEC Privilege Escalation via Directory Traversal

Overview

OSSEC HIDS can allow an attacker to escalate privileges via the method described in this post. I recently came across this issue, which could present a concern in some environments. This issue is known as CVE-2018-19666.

Access Required

Some access is required, as this is a privilege escalation:

Full access to the OSSEC server.
Low-privilege access to a system with the OSSEC HIDS agent installed.

The Vulnerability

OSSEC has a feature called ActiveResponse that allows OSSEC admins to execute scripts in response to security incidents. The documentation says the script has to be in a specified directory; specifically, it says this:

The [response script] must be inside the /var/ossec/active-response/bin/ [on the system with OSSEC HIDS] with the execution permissions set.

This Active Response feature can run scripts remotely on the client system if the script is in the active-response/bin directory, on either Windows or Linux. When a specially crafted configu
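The security-relevant point in the documented rule is that the executable name an admin configures should never be able to name a file outside active-response/bin. The following is an added example of how such a containment check can be written; it is not OSSEC's own code and does not reproduce the project's actual validation. The directory name is taken from the documentation quoted above; the sample executable names are constructed for illustration.

```python
import posixpath

# Added example, not OSSEC code: enforce the documented rule that an
# active-response executable must live inside active-response/bin.
# The directory path below is the one quoted from the OSSEC documentation;
# POSIX path semantics are assumed throughout so the check is deterministic.
AR_BIN = "/var/ossec/active-response/bin"


def resolve_ar_executable(name, ar_bin=AR_BIN):
    """Return the absolute path of an active-response executable if, and only
    if, the configured name resolves to a location inside ar_bin.
    Return None for anything that escapes the directory.

    The containment test is lexical (normpath + commonpath), so it runs
    offline without the directory existing. A production check would also
    resolve symlinks with os.path.realpath() before comparing, so that a
    symlink planted inside the directory cannot point elsewhere.
    """
    # Reject empty names, absolute paths and backslashes outright. On a
    # Windows agent a backslash is a path separator, so treating it as
    # forbidden is the conservative choice for this POSIX-style check.
    if not name or posixpath.isabs(name) or "\\" in name:
        return None

    root = posixpath.normpath(ar_bin)
    candidate = posixpath.normpath(posixpath.join(root, name))

    # commonpath is the robust containment test. A naive startswith() check
    # would wrongly accept "/var/ossec/active-response/bin-evil/x".
    if posixpath.commonpath([root, candidate]) != root:
        return None

    # The directory itself is not an executable.
    if candidate == root:
        return None

    return candidate


def audit_ar_commands(names, ar_bin=AR_BIN):
    """Classify a list of configured executable names.

    Returns a dict mapping each name to its resolved path, or to None if the
    name would escape ar_bin and should be rejected at config load time.
    """
    return {n: resolve_ar_executable(n, ar_bin) for n in names}


if __name__ == "__main__":
    # Constructed sample of executable names as they might appear in a
    # <command><executable> setting; not taken from any real configuration.
    sample = [
        "firewall-drop.sh",      # legitimate script in bin/
        "sub/../host-deny.sh",   # normalises back into bin/, still fine
        "../../../bin/sh",       # traversal out of bin/
        "/bin/sh",               # absolute path
        "../bin-evil/x",         # sibling directory with a shared prefix
        "",                      # empty name
    ]
    for name, resolved in audit_ar_commands(sample).items():
        verdict = "OK      " if resolved else "REJECTED"
        print(f"{verdict} {name!r} -> {resolved}")
```

Running the block prints the two legitimate names with their resolved paths and rejects the four that escape the directory. The same function is what a config loader would call once per configured executable, refusing to start (or logging and skipping the command) when it returns None.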