OSSEC Privilege Escalation via Directory Traversal


OSSEC HIDS can allow an attacker to escalate privileges via the method described in this post. I recently came across this issue, which could present a concern in some environments. It is tracked as CVE-2018-19666.

Access Required

Because this is a privilege escalation, some access is required beforehand:
  • Full access to the OSSEC server.
  • Low-privilege access to a system with the OSSEC HIDS agent installed.

The Vulnerability

OSSEC has a feature called Active Response that allows OSSEC admins to execute scripts in response to security incidents. The documentation says the script has to be in a specified directory; specifically, it says this:

The [response script] must be inside the /var/ossec/active-response/bin/ [on the system with ossec hids] with the execution permissions set.

The Active Response feature can run scripts remotely on the client system if the script is in the active-response/bin directory, on either Windows or Linux. When a specially crafted configuration is used, an attacker can escape this directory and run, with elevated privileges, malware that a low-privilege user implanted earlier.
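As an added defensive check (not code from the original post or from the OSSEC project), the following script audits an ossec.conf for active-response `<command>` blocks whose `<executable>` would resolve outside the documented active-response/bin directory; the sample configuration embedded in it is constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (not taken from the original post).
# The first <command> is a normal active-response script; the second uses a
# traversal-style executable name and should be flagged for review.
SAMPLE_CONF = """<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
  </command>
  <command>
    <name>suspicious</name>
    <executable>../../../tmp/payload</executable>
    <expect>srcip</expect>
  </command>
</ossec_config>
"""

# Documented location of active-response scripts on a Linux agent.
AR_BIN = "/var/ossec/active-response/bin"

def executable_escapes_bin(executable, ar_bin=AR_BIN):
    """True if the executable is not a plain file name directly in ar_bin.

    Absolute paths, backslashes (Windows agents) and '..' components can make
    the resolved path land outside the active-response/bin directory.
    """
    if executable is None or executable.strip() == "":
        return True                      # missing name: needs review
    executable = executable.strip()
    if executable.startswith("/") or "\\" in executable:
        return True
    resolved = posixpath.normpath(posixpath.join(ar_bin, executable))
    return posixpath.dirname(resolved) != ar_bin

def audit_commands(conf_text):
    """Return the <name> of every <command> whose executable leaves ar_bin."""
    # ossec.conf may contain several <ossec_config> roots, so wrap the text.
    root = ET.fromstring("<root>%s</root>" % conf_text)
    flagged = []
    for cmd in root.iter("command"):
        name = (cmd.findtext("name") or "").strip()
        if executable_escapes_bin(cmd.findtext("executable")):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(audit_commands(SAMPLE_CONF))   # ['suspicious']
```

Run it against the server's ossec.conf after any configuration change; every flagged command name is one whose script would not be confined to active-response/bin on the agent.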


This issue does not present an immediate security threat because of the access required, and exploitation is somewhat dependent on the environment and access methods.

However, here's a situation where this would have an impact. Let's say the Domain Admins only grant the Security/OSSEC admins a low-privilege login to review logs on a Windows/Linux system. In this scenario, this issue can be exploited to escalate privileges to NT\Authority or root on that system.

POC Environment

OSSEC HIDS is sometimes deployed from the AlienVault USM Appliance or OSSIM because it comes well configured out of the box; that's what I have configured here. The victim can be either Windows or Linux, as the technique works on both. Here's a diagram of the POC network.



This will show the exploitation of a Linux system and escalation to root; the steps are exactly the same for Windows apart from the directory paths and payloads. The victim is, the attacker system is, and the low-privilege user on the victim system is called lowpriv. Metasploit is used in this POC, but it is not required.

1. Generate and implant malware via low-privilege access on the victim system. The malware has to be in a location where both the low-privilege user and root can access it; /tmp works well for this.

2. Set up your connection handler.

3. Insert the malicious ossec.conf configuration on the OSSEC server.

4. After restarting the OSSEC service, trigger the exploit.

5. R00T ✌
