CVE-2020-8657
published 2020-02-06

Priority: P1 (94) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 91.87% (99.8th percentile)
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.

Affected

1 range

Vendor          Product         Version range   Fixed in
eyesofnetwork   eyesofnetwork   (not stated)    (not stated)

Detection & IOCs (extracted from sources)

other:  €On@piK3Y
url:    /eonapi/getApiKey
url:    /eonapi/createEonUser
url:    /lilac/autodiscovery.php
path:   include/api_functions.php
port:   443

snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • API key token is derived from sha256(md5(hardcoded_key + userid) + Host), where the hardcoded key is '€On@piK3Y' and userid is '1' for admin. Detect requests to /eonapi/createEonUser with a computed apiKey query parameter for username=admin.
  • Detect HTTP GET requests to /eonapi/getApiKey containing UNION/SELECT SQL injection patterns in the username parameter, indicating exploitation of the related SQLi bypass (CVE-2020-8656) used in conjunction with this CVE.
  • Command injection payload is injected into the 'target[]' POST parameter of /lilac/autodiscovery.php, prefixed with a semicolon (e.g., ';cmd #'). Monitor for semicolons or shell metacharacters in this parameter.
  • Exploitation chain writes an NSE script to disk and invokes 'sudo /usr/bin/nmap' for privilege escalation. Monitor for nmap execution by the apache user with --script pointing to unusual paths.
  • Successful exploitation of the hardcoded API key results in a JSON response containing 'A new user have been successfully inserted'. Alert on this string in HTTP responses from the EON server.
  • Fingerprint EyesOfNetwork instances exposed to the internet using Shodan query 'html:"EyesOfNetwork"' or FOFA query 'title="EyesOfNetwork"' to identify attack surface.
  • The hardcoded API key 'EONAPI_KEY' is specific to API version 2.4.2 and EyesOfNetwork 5.3. Earlier versions (5.1, 5.2) do not have this hardcoded key and must be attacked via SQL injection only.
  • The Metasploit module requires HTTPS (SSL) to function; HTTP will not work against the target.
  • If the generated API key fails (e.g., key has been changed), the module falls back to SQL injection (CVE-2020-8656) to retrieve the actual API key from the database.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL