CVE-2020-9465
Published 2020-02-28
Priority: P182 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 82.24% (99.6th percentile)
An issue was discovered in EyesOfNetwork eonweb 5.1 through 5.3 before 5.3-3. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the user_id field in a cookie.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eyesofnetwork | eyesofnetwork | >= 5.1 < 5.3-3 | 5.3-3 |
Detection & IOCs
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Cookie SQLi (CVE-2020-9465)"; flow:established,to_server; http.uri; content:"/login.php"; endswith; fast_pattern; http.cookie; content:"user_id="; nocase; startswith; pcre:"/^[^\r\n=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-9465; classtype:attempted-admin; sid:2034309; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_9465, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- SQL injection payload in the `user_id` cookie field targets /login.php; look for UNION/SELECT keywords in the cookie value via regex /^[^\r\n=]*(?:union|select)/Ri
- Exploit traffic is directed to /login.php with a malformed user_id cookie; the ET rule (sid:2034309) fires on established HTTP flows to_server matching both URI and cookie patterns simultaneously
- Version fingerprinting: fetch /css/eonweb.css and extract the '# VERSION :' comment line; versions 5.1–5.3 (before 5.3-3) are vulnerable
- EON 5.3 also exposes a hardcoded API key as an alternative authentication bypass path; EON 5.1/5.2 rely solely on SQL injection for auth bypass
- The Snort/Suricata rule targets $HOME_NET and $HTTP_SERVERS; ensure these variables are correctly scoped to cover internal EON appliances, otherwise the rule will not fire on internal-only deployments
- The vulnerability affects eonweb 5.1 through 5.3 *before* 5.3-3 only; version 5.3-3 and later are patched and should not be flagged
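The following is an added example, not code from the indexed sources: it mirrors the URI and cookie conditions of sid:2034309 and the affected version range so both can be checked offline against web server logs or an asset inventory. The function names and sample requests are constructed for illustration, and treating the `-3` release suffix as a third numeric field is an assumption.

```python
import re

# Mirrors sid:2034309: the cookie buffer starts with "user_id=" (nocase), then
# UNION or SELECT appears before any '=', CR or LF (the rule's pcre with /R and /i).
COOKIE_RE = re.compile(r"user_id=[^\r\n=]*(?:union|select)", re.IGNORECASE)

def rule_matches(uri: str, cookie: str) -> bool:
    """True when a request satisfies both the URI and the cookie condition."""
    # re.match anchors at the start of the header, like the rule's `startswith`.
    return uri.endswith("/login.php") and COOKIE_RE.match(cookie) is not None

def parse_version(text: str) -> tuple:
    """'5.3-3' -> (5, 3, 3); '5.3' -> (5, 3, 0). Suffix handling is an assumption."""
    parts = [int(p) for p in re.split(r"[.-]", text.strip())]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version: str) -> bool:
    """Affected range from the advisory: >= 5.1 and < 5.3-3."""
    return (5, 1, 0) <= parse_version(version) < (5, 3, 3)

# Constructed sample requests: (source address, URI, Cookie header value).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "/login.php", "user_id=1 UNION SELECT 1"),
    ("192.0.2.11", "/login.php", "user_id=42; session_id=abc"),
    ("192.0.2.12", "/index.php", "user_id=1 union select 1"),   # wrong URI
    ("192.0.2.13", "/login.php", "USER_ID=1'+sElEcT+1"),        # nocase match
    # Benign-looking, but the keyword substring in a later cookie name matches
    # before the next '='; expect this kind of false positive when tuning.
    ("192.0.2.14", "/login.php", "user_id=7; selected_tab=2"),
]

def flagged_sources(requests):
    """Return the source addresses whose requests would trip the rule."""
    return [src for src, uri, cookie in requests if rule_matches(uri, cookie)]

if __name__ == "__main__":
    print("flagged:", flagged_sources(SAMPLE_REQUESTS))
    for v in ("5.0", "5.1", "5.3", "5.3-2", "5.3-3"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Correlating a rule hit with `is_affected()` for the destination host separates attempts against patched 5.3-3 appliances from attempts against hosts that still need the upgrade.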
CVSS provenance
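| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |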
Suricata
ET EXPLOIT EyesOfNetwork Cookie SQLi (CVE-2020-9465)
suricata·2021-11-01·CVSS 9.8
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Cookie SQLi (CVE-2020-9465)"; flow:established,to_server; http.uri; content:"/login.php"; endswith; fast_pattern; http.cookie; content:"user_id="; nocase; startswith; pcre:"/^[^\r\n=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-9465; classtype:attempted-admin; sid:2034309; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_9465, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Applicat
Nuclei
EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
nuclei·CVSS 8.8
EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. See also CVE-2020-8655, CVE-2020-8656, CVE-2020-8657, and CVE-2020-9465.
Template:
id: CVE-2020-8654
info:
  name: EyesOfNetwork 5.1-5.3 - SQL Injection/Remote Code Execution
  author: praetorian-thendrickson
  severity: high
  description: EyesOfNetwork 5.1 to 5.3 contains SQL injection and remote code execution vulnerabilities. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context
Metasploit
EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
metasploit
This module exploits multiple vulnerabilities in EyesOfNetwork versions 5.1, 5.2 and 5.3 in order to execute arbitrary commands as root. This module takes advantage of a command injection vulnerability in the `target` parameter of the AutoDiscovery functionality within the EON web interface in order to write an Nmap NSE script containing the payload to disk. It then starts an Nmap scan to activate the payload. This results in privilege escalation because the `apache` user can execute Nmap as root. Valid credentials for a user with administrative privileges are required. However, this module can bypass authentication via various methods, depending on the EON version. EON 5.3 is vulnerable to a hardcoded API key and two SQL injectio