CVE-2018-17246 – Kibana Local File Inclusion

Logstash is an open-source tool for collecting, parsing, and storing logs for future use. Kibana is a web interface for searching and viewing the logs that Logstash has indexed. Both tools are built on Elasticsearch; Elasticsearch, Logstash, and Kibana used together are known as an ELK stack.

Vulnerability:

Affected URL:  http://<IP>:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../<js file>

Affected Parameter: apis

The bug lies in the URI parameter ‘apis’, which allows including any JavaScript file locally available on the server. The application runs on Node.js, so if we can upload malicious server-side JS code to the server, we can include that file and achieve code execution. A tip for exploiting this bug in pentests is to look for other vectors, such as a vulnerable NFS share or a file-upload function, to get the malicious JavaScript onto the server.

In the following example, I have uploaded a malicious reverse-shell JavaScript file. This will connect to 172.17.0.1 on port 8000 and spawn /bin/sh.

Let's include this rshell.js file using the LFI in Kibana:

http://172.17.0.2:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../home/elasticsearch/elasticsearch/rshell.js


After including our rshell.js file, we receive a reverse shell.

We can also include a webshell instead, which might help when we face firewall restrictions. In case we upload a webshell, here is how we can access it and execute commands:

The JS reverse shell and JS webshell can be found at the following link:
https://github.com/buffered4ever/Exploits/tree/master/cve-2018-17246
