Kibana Timelion Prototype Pollution RCE
Description
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This leads to an arbitrary command execution with permissions of the Kibana process on the host system. Exploitation will require a service or system reboot to restore normal operation. The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a docker image caused 6 shells. Tested against kibana 6.5.4.
Author(s)
- h00die
- Michał Bentkowski
- Gaetan Ferry
Platform
Unix
Architectures
cmd
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/kibana_timelion_prototype_pollution_rce
msf exploit(kibana_timelion_prototype_pollution_rce) > show targets
...targets...
msf exploit(kibana_timelion_prototype_pollution_rce) > set TARGET < target-id >
msf exploit(kibana_timelion_prototype_pollution_rce) > show options
...show and set options...
msf exploit(kibana_timelion_prototype_pollution_rce) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security