Improper Access Control to Remote Code Execution (CVE-2020-8591)
In this post I explain how I compromised a whole system by exploiting an improper access control vulnerability in the popular Java-based MaaS software "eG Manager", and how I escalated it to remote code execution.
The Improper Access Control weakness describes a case where software fails to restrict access to an object properly. A malicious user can compromise the security of the software and perform unauthorized actions by gaining elevated privileges, reading otherwise restricted information, executing commands, bypassing implemented security mechanisms, and so on.
"eG Manager" offered a direct admin panel access feature that lacked session management control: users who do not want to log in through the login interface provided by eG Enterprise can instead use an access key to connect directly to the eG management console from a portal. "eG Manager" used a predefined access key for this authentication, so an attacker can exploit the feature with that single access key. Since "eG Manager" is used for internal network monitoring, I could reach the internal network via remote code execution.
Exploiting Improper access control to Remote Code Execution
I read eG Manager's documentation and found something interesting: if a user is already logged into a web portal, they may not want to log in again to reach the eG Manager dashboard; instead, they can connect directly to the eG management console using an access key.
eG Manager Login Page
I wondered whether I could access the admin panel without entering any password, even though I had never logged in before. The access key can easily be found in the documentation, so I tried to access the admin panel using it.
eG Manager Admin Dashboard
I successfully logged into the admin panel, because the eG Enterprise system automatically picks the password corresponding to the specified username from the database. There was a command execution function under Admin > Settings > Manager.
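The root cause above is that one predefined access key, shared by every installation and published in the documentation, stands in for proof that the caller ever authenticated. The following added example (my own illustration, not eG Manager's code; all names and values are constructed) models that flawed handoff beside a hardened one, where the portal that already authenticated the user mints a per-user, time-limited, single-use, MAC-protected token that the manager verifies:

```python
import hmac
import hashlib
import secrets

# Constructed user table standing in for the manager's database (hypothetical values).
USERS = {"admin": "admin-password-hash", "ops": "ops-password-hash"}

# Flawed pattern: a single predefined key shared by every deployment. Anyone who
# knows it and a valid username is logged in; the server then looks the user's
# password up itself, so the caller never proves they are that user.
PREDEFINED_ACCESS_KEY = "CONSTRUCTED-STATIC-KEY"  # constructed placeholder


def direct_login_vulnerable(username: str, access_key: str):
    """Returns the username the caller is now logged in as, or None."""
    if access_key != PREDEFINED_ACCESS_KEY or username not in USERS:
        return None
    return username  # no binding to an authenticated portal session


# Hardened pattern: a per-deployment secret shared only between portal and manager,
# provisioned at install time and never published. Tokens are bound to a user,
# expire quickly and may be used once.
PORTAL_SHARED_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 60
_USED_NONCES: set[str] = set()


def mint_handoff_token(username: str, now: int) -> str:
    """Issued by the portal only after the user authenticated there."""
    exp = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)
    msg = f"{username}|{exp}|{nonce}".encode()
    mac = hmac.new(PORTAL_SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{username}|{exp}|{nonce}|{mac}"


def direct_login_hardened(token: str, now: int):
    """Verifies MAC, expiry and single use before logging the caller in."""
    try:
        username, exp, nonce, mac = token.split("|")
    except ValueError:
        return None
    msg = f"{username}|{exp}|{nonce}".encode()
    expected = hmac.new(PORTAL_SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # tampered or forged token
        return None
    if now >= int(exp) or username not in USERS or nonce in _USED_NONCES:
        return None  # expired, unknown user, or replayed
    _USED_NONCES.add(nonce)
    return username
```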
Command Execution Option
Once that option was enabled, arbitrary commands could be executed under Admin > Agents > Agent Status > Remote Control.
Executed Command Result
As you can see, this vulnerability allows an attacker to control the internal network of any company using eG Manager.
2020/01/30 Vulnerability reported to eG Innovations, Inc.
2020/01/30 Vendor addressed the issue in < 7.1.2
2020/01/31 Vendor fixed the issue and notified their customers.
In this post I analyzed an improper access control vulnerability in "eG Manager v7.1.2" that can be triggered with a single access key. I found that the issue can be leveraged into remote code execution if the command execution function is enabled on the "eG Manager" instance. I would like to thank the "eG Innovations, Inc" security team for the professional communication and for the very fast resolution of the issue.