Posts

eG Manager v7.1.2: Improper Access Control leads to Remote Code Execution (CVE-2020-8591)

Improper Access Control to Remote Code Execution (CVE-2020-8591)

I will show how I hacked a whole system by exploiting an improper access control vulnerability in the popular Java-based MaaS software "eG Manager", and how I escalated it to execute code remotely.

Impact

The Improper Access Control weakness describes a case where software fails to properly restrict access to an object. A malicious user can compromise the security of the software and perform unauthorized actions: gaining elevated privileges, reading otherwise restricted information, executing commands, bypassing implemented security mechanisms, and so on.

Technical Analysis

"eG Manager" has a direct admin-panel access feature that lacks session management control. It exists for users who do not want to log in through the login interface provided by eG Enterprise: instead, they can use an access key to connect directly to the eG management console from the portal. "eG Manager" use
Recent posts

eG Manager v7.1.2: SQL Injection leads to Remote Code Execution (CVE-2020-8592)

SQL Injection leads to Remote Code Execution (CVE-2020-8592)

In this blog post I will show how to exploit a SQL injection vulnerability in the popular Java-based MaaS software "eG Manager", and how I escalated it to execute code remotely.

Impact

The SQL injection vulnerability can be exploited by an unauthenticated attacker via the forgot-password function. The attacker is able to execute stacked SQL queries, which means it is possible to manipulate arbitrary database entries and even execute shell commands.

Technical Analysis

eG Manager has a forgot-password feature whose input is not validated. If the username specified is valid, the password is emailed to the user with that username; if not, the server shows 'username does not exist'. An attacker can exploit this feature by injecting stacked-query SQL syntax.

Exploiting SQL Injection to Remote Code Execution

In the "Forgot Password" area, there is an inp
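The flaw the excerpt describes, as an added example that is not code from the post or from eG Manager itself: a Python/sqlite3 stand-in for the Java application, with a constructed `users` table, a toy driver that executes stacked statements the way a multi-statement-capable JDBC connection would, and a hypothetical payload for the username field. The vulnerable lookup concatenates the username into the query text and returns the page's 'username does not exist' message, yet the appended UPDATE still runs; the hardened lookup binds the value as a parameter, so the same payload is just an unknown username. Table, column and payload are all assumptions.

```python
import sqlite3

# Constructed sample schema and data; the real eG Manager schema is not shown on the page.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 'admin@example.invalid', 'S3cret!');
INSERT INTO users VALUES ('alice', 'alice@example.invalid', 'alicepw');
"""

# Hypothetical payload for the username field: closes the string literal, terminates
# the SELECT and appends a second statement. The application's own closing quote
# completes the injected UPDATE, so no trailing comment is needed.
PAYLOAD = "x'; UPDATE users SET password='pwned' WHERE username='admin"


def fresh_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _driver_execute_stacked(conn, sql):
    """Toy stand-in for a driver/backend that accepts stacked statements.
    Runs every ';'-separated statement and returns the rows of the first one.
    Splitting on ';' is only adequate for the constructed inputs in this example."""
    rows = None
    for i, stmt in enumerate(s for s in sql.split(";") if s.strip()):
        cur = conn.execute(stmt)
        if i == 0:
            rows = cur.fetchall()
    conn.commit()
    return rows


def forgot_password_vulnerable(conn, username):
    """Reconstruction of the flawed pattern the post describes: the username is
    concatenated into the query text with no validation and no parameter binding."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    rows = _driver_execute_stacked(conn, sql)
    if rows:
        return "password emailed to " + rows[0][0]
    return "username does not exist"


def forgot_password_fixed(conn, username):
    """Hardened version: the value is bound as a parameter, so it can never become SQL.
    The response is also made uniform so the endpoint stops confirming which
    usernames exist."""
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row:
        pass  # the reset email would be sent to row[0] here
    return "if the account exists, a reset email has been sent"


def admin_password(conn):
    """Reads back the admin password so the side effect of the injection is visible."""
    return conn.execute(
        "SELECT password FROM users WHERE username = 'admin'"
    ).fetchone()[0]


def demo():
    """Runs the payload against both versions on fresh databases."""
    results = {}
    conn = fresh_db()
    results["vuln_response"] = forgot_password_vulnerable(conn, PAYLOAD)
    results["vuln_admin_password"] = admin_password(conn)   # 'pwned': the stacked UPDATE ran
    conn = fresh_db()
    results["fixed_response"] = forgot_password_fixed(conn, PAYLOAD)
    results["fixed_admin_password"] = admin_password(conn)  # 'S3cret!': untouched
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the vulnerable endpoint reports 'username does not exist' for the payload exactly as it would for any unknown user, which is why the injection is blind from the attacker's point of view: the evidence is the changed row, not the HTTP response. Whether stacked statements actually execute depends on the driver and backend configuration, which is what the toy driver models.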