Kibana Timelion Prototype Pollution RCE
Disclosed | Created
---|---
2019-10-30 | 2023-09-08
Description
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that attempts to execute JavaScript code. This leads to arbitrary command execution with the permissions of the Kibana process on the host system.

Exploitation will require a service or system reboot to restore normal operation.

The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells (50-100+), while setting it too low will cause no shells to be obtained. A WFSDELAY of 10 against a Docker image yielded 6 shells.

Tested against Kibana 6.5.4.
Authors
h00die
Michał Bentkowski
Gaetan Ferry
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’: