Logstash is an open source tool for collecting, parsing, and storing logs for future use. Kibana is a web interface that can be used to search and view the logs that Logstash has indexed. Both of these tools are based on Elasticsearch. Elasticsearch, Logstash, and Kibana, when used together, are known as an ELK stack.
Vulnerability:
Affected URL: http://<IP>:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../<js file>
Affected Parameter: apis
The bug lies in the URI parameter 'apis', which allows including any JavaScript file that is locally available on the server. The application runs on Node.js, so if malicious server-side JavaScript could be uploaded to the server, that file could be included and code execution achieved. A tip to exploit this bug in pentests would be to find other vectors, like a vulnerable NFS share or a file upload function, to get the malicious JavaScript code onto the server.
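From the defender's side, the traversal in the 'apis' parameter is easy to spot in Kibana's HTTP access logs. The following is an added example (not part of the original post): it scans constructed combined-format log lines for requests to /api/console/api_server whose 'apis' value contains a '..' path segment, after undoing single and double percent-encoding. The log lines, client addresses and file names are invented for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the original post).
# The first is a benign Console request, the next two carry traversal
# sequences (plain and percent-encoded), the last is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_6_0 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2019:10:00:01 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../tmp/rshell.js HTTP/1.1" 200 128
10.0.0.9 - - [01/Jan/2019:10:00:02 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=..%2F..%2F..%2Ftmp%2Fshell.js HTTP/1.1" 200 128
10.0.0.7 - - [01/Jan/2019:10:00:03 +0000] "GET /app/kibana HTTP/1.1" 200 2048
"""

# Pull the request line out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A '..' segment delimited by a slash, backslash, or string boundary.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def is_traversal(value: str) -> bool:
    """True if the value contains a '..' path segment once decoded."""
    decoded = value
    for _ in range(2):  # unwrap single and double percent-encoding
        decoded = unquote(decoded)
    return bool(TRAVERSAL_RE.search(decoded))

def suspicious_apis_requests(log_text: str) -> list:
    """One record per request to the Console API server endpoint whose
    'apis' parameter carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.rstrip("/") != "/api/console/api_server":
            continue
        # parse_qs already percent-decodes each value once
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("apis", []):
            if is_traversal(value):
                hits.append({"client": line.split()[0], "apis": value})
    return hits

if __name__ == "__main__":
    for hit in suspicious_apis_requests(SAMPLE_LOG):
        print(f"{hit['client']} requested apis={hit['apis']}")
```

The same check can be expressed as a WAF or SIEM rule: alert on any request to that path whose 'apis' value, after decoding, contains a '..' segment.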
In the following example, I have uploaded a malicious reverse shell JavaScript file. This will connect to 172.17.0.1 on port 8000 and spawn /bin/sh.
Let's include this rshell.js file using the LFI in Kibana.
After including our rshell.js file, we receive a reverse shell.
We can also include a webshell instead, which might help when we face firewall restrictions. In case we upload a webshell, here is how we can access it and execute commands:
The JS reverse shell and JS webshell can be found at the following link:
https://github.com/buffered4ever/Exploits/tree/master/cve-2018-17246