CVE-2020-8657
Published 2020-02-06
Priority: P1 94 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 91.87% (99.8th percentile)
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eyesofnetwork | eyesofnetwork | — | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- API key token is derived from sha256(md5(hardcoded_key + userid) + Host), where the hardcoded key is '€On@piK3Y' and userid is '1' for admin. Detect requests to /eonapi/createEonUser with a computed apiKey query parameter for username=admin.
- Detect HTTP GET requests to /eonapi/getApiKey containing UNION/SELECT SQL injection patterns in the username parameter, indicating exploitation of the related SQLi bypass (CVE-2020-8656) used in conjunction with this CVE.
- Command injection payload is injected into the 'target[]' POST parameter of /lilac/autodiscovery.php, prefixed with a semicolon (e.g., ';cmd #'). Monitor for semicolons or shell metacharacters in this parameter.
- Exploitation chain writes an NSE script to disk and invokes 'sudo /usr/bin/nmap' for privilege escalation. Monitor for nmap execution by the apache user with --script pointing to unusual paths.
- Successful exploitation of the hardcoded API key results in a JSON response containing 'A new user have been successfully inserted'. Alert on this string in HTTP responses from the EON server.
- Fingerprint EyesOfNetwork instances exposed to the internet using Shodan query 'html:"EyesOfNetwork"' or FOFA query 'title="EyesOfNetwork"' to identify attack surface.
- The hardcoded API key 'EONAPI_KEY' is specific to API version 2.4.2 and EyesOfNetwork 5.3. Earlier versions (5.1, 5.2) do not have this hardcoded key and must be attacked via SQL injection only.
- The Metasploit module requires HTTPS (SSL) to function; HTTP will not work against the target.
- If the generated API key fails (e.g., key has been changed), the module falls back to SQL injection (CVE-2020-8656) to retrieve the actual API key from the database.
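The two URI-visible indicators from the list above (SQL keywords in the `username` parameter of /eonapi/getApiKey, and a /eonapi/createEonUser request carrying an `apiKey` for `username=admin`), applied to web-server access logs. This is an added example, not taken from any of the listed sources; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (documentation IP ranges, placeholder token).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2021:10:00:01 +0000] '
    '"GET /eonapi/getApiKey?username=%27+UNION+SELECT+1%2C2+--+&password=x HTTP/1.1" 401 85',
    '192.0.2.10 - - [01/Nov/2021:10:00:03 +0000] '
    '"POST /eonapi/createEonUser?username=admin&apiKey=PLACEHOLDER_TOKEN HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Nov/2021:10:05:00 +0000] '
    '"GET /eonapi/getApiKey?username=admin&password=secret HTTP/1.1" 200 90',
    '198.51.100.7 - - [01/Nov/2021:10:05:02 +0000] "GET /login.php HTTP/1.1" 200 512',
]

# Request field of a common/combined log format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Same keywords the rule on this page looks for, matched case-insensitively.
SQL_KEYWORD_RE = re.compile(r"union|select", re.IGNORECASE)


def classify(line):
    """Return an indicator label for one log line, or None if nothing matches."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so encoded keywords are still seen.
    params = parse_qs(url.query, keep_blank_values=True)
    path = url.path.rstrip("/")
    if path.endswith("/eonapi/getApiKey"):
        if any(SQL_KEYWORD_RE.search(v) for v in params.get("username", [])):
            return "getApiKey-sqli"
    elif path.endswith("/eonapi/createEonUser"):
        if "apiKey" in params and "admin" in params.get("username", []):
            return "createEonUser-admin-apikey"
    return None


def scan(lines):
    """Return (line_number, label) for every matching line, 1-indexed."""
    return [(n, label) for n, line in enumerate(lines, 1)
            if (label := classify(line)) is not None]


if __name__ == "__main__":
    for n, label in scan(SAMPLE_LOG):
        print(f"line {n}: {label}")
```

A legitimate administrative API client produces the same createEonUser request shape, so that label is a prompt for review rather than proof of compromise. The `target[]` POST parameter and the response-body string are not present in access logs and need request/response body inspection instead.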
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
GHSA
GHSA-3w5r-gmmj-prc2: An issue was discovered in EyesOfNetwork 5
ghsa_unreviewed·2022-05-24
CVE-2020-8657 [MEDIUM] CWE-522 GHSA-3w5r-gmmj-prc2: An issue was discovered in EyesOfNetwork 5
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
VulnCheck
EyesOfNetwork Use of Hard-Coded Credentials Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-8657 [CRITICAL] CWE-798 EyesOfNetwork Use of Hard-Coded Credentials Vulnerability
EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token.
Affected: EyesOfNetwork EyesOfNetwork
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://app.crowdsec.net/cti/cve-explorer/CVE-2020-8657
Remediation Due: 2022-05-03
CISA
EyesOfNetwork Use of Hard-Coded Credentials Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-8657 [CRITICAL] CWE-798 EyesOfNetwork Use of Hard-Coded Credentials Vulnerability
Vulnerability: EyesOfNetwork Use of Hard-Coded Credentials Vulnerability
Affected: EyesOfNetwork EyesOfNetwork
EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-8657
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)
suricata·2021-11-01·CVSS 9.8
CVE-2020-8657 [CRITICAL] ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)
Exploit-DB
EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)
exploitdb·2020-03-05
CVE-2020-8657 EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'EyesOfNetwork AutoDiscovery Target Command Execution',
'Description' => %q{
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.3
and prior in order to execute arbitrary commands as root.
This module takes advantage of a command injection vulnerability in the
`target` parameter of the AutoDiscovery functionality within the EON web
interface in order to write an Nmap NSE script containing the payload to
disk. It then starts an Nmap scan to activate the payload. This results in
privilege escalation because the`apache` user can execute Nm
Nuclei
EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
nuclei·CVSS 8.8
CVE-2020-8654 [HIGH] EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465.
Template:
id: CVE-2020-8654
info:
name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
author: praetorian-thendrickson
severity: high
description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context
Nuclei
EyesOfNetwork - Hardcoded API Key
nuclei·CVSS 9.8
CVE-2020-8657 [CRITICAL] EyesOfNetwork - Hardcoded API Key
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
Template:
id: CVE-2020-8657
info:
name: EyesOfNetwork - Hardcoded API Key
author: daffainfo
severity: critical
description: |
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
impact: |
Successful exploitation allows an attacker to create administrative users and gain unauthorize
Metasploit
EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
metasploit
This module exploits multiple vulnerabilities in EyesOfNetwork version 5.1, 5.2 and 5.3 in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface in order to write an Nmap NSE script containing the payload to disk. It then starts an Nmap scan to activate the payload. This results in privilege escalation because the `apache` user can execute Nmap as root. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via various methods, depending on the EON version. EON 5.3 is vulnerable to a hardcoded API key and two SQL injectio
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html
- https://github.com/EyesOfNetworkCommunity/eonapi/issues/17
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8657
2020-02-06: Published
2021-11-03: Added to CISA KEV