CSV Injection in Kibana 6.6.1 Upto Latest version 7.5.2

By -
Dear reader,
Few days before I was testing Kibana in my organization which is using kibana version 6.6.1, while testing I was able to find a csv injection in dashboard tab, there was No CVE or any other information about this specific vulnerability, So I have reported this issue to Kibana which will be fixed soon as a security hardening feature.

Let's start with the POC of this vulnerability. 

Below are the steps to reproduce.

1.     Large number of the Kibana portal on internet is open and has no authentication and can be exploited by this injection.
2.     Click on Dashboard tab and select any dashboard from the list. I would suggest to select the dashboard which has gauge visualization type as shown in below screenshot.
3.     Once you are on dashboard click on Edit button on top right.


 

4.     Click gear(options) button of any graphical view box.


5.     It will open a options box click on edit visualization
6.     It will open the edit page click on any blue play button in front of any metric.
7.     Here you can edit the metric information; we will be exploiting the custom Label.
8.     In custom Label field enter your csv injection payload e.g. @SUM(1+1)*cmd|' /c calc'!A0.
9.     All is done now click on Top blue play button and click on SAVE button open top right.


10.  You are back to dashboard graphical view click on 3dots button on top of the graphical box which you edit and click on INSPECT.


11.  It will open the export panel click on download csv and click formatted csv.


12.  If you open the downloaded csv, it will open the calculator.




This vulnerability can lead to compromise user/admin system by injecting a malicious code inside the csv file.

This issue was reported to Kibana team, but they don't consider it a security flaw. Below is their reply.

This article is published after their approval to disclose.






Comments

Post a Comment

Popular posts from this blog

GRANDING UTime Master - IDOR (CVE-2023-45393)

By -
Image
  Hi All, I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ).  CVE ID: CVE-2023-45393 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees. Login to UTime Master using any account. Capture the request in burpsuite with the valid cookies. modify the URL to "/base/adminlog/table/?page=1&limit=200" Forward the request and it will fetch all the admin logs. IDOR has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.
Read more

GRANDING UTime Master - Stored XSS (CVE-2023-45391)

By -
Image
  Hi All, I was able to identify stored XSS in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ). CVE ID: CVE-2023-45391 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Login to UTime Master using admin account Click on Personnel > Employee Management >Employee Select Any employee or create a new employee In First name Section embed you payload. For test case I used "/><img src=a onerror=alert(22)> XSS payload embedded in EMP NAME field. Save the employee details, Once the page refreshed it will execute your payload. our payload executed successfully. I have also observed multiple other fields are also vulnerable to XSS e.g. Device Name, Department etc. XSS has been fixed in la
Read more

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef
Read more