A Critical Remote Code Execution (RCE) vulnerability has been discovered in Metabase which could allow hackers to infiltrate servers and execute unauthorized commands. The developers of Metabase have released patches to address this vulnerability.
Metabase is an open-source business intelligence tool that can be used to create charts and dashboards from a variety of databases and data sources.
The project, which has over 33,000 stars on GitHub, has recently patched several vulnerabilities.
Metabase Critical Flaw
A pre-auth RCE on these instances would open a kingdom of information for a threat actor.
To achieve pre-auth RCE, the researchers first started a vulnerable Metabase instance with the command below, which exposes the instance on port 3000. The exploit does not require any special configuration on the Metabase instance.
docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6
When Metabase is first set up, users are given a setup token that allows them to complete the setup process. The setup token is meant to be used only once and erased after use.
However, reports indicate that some Metabase instances still exposed the setup token to unauthenticated users in the following ways:
- The HTML source of the index/login page includes the setup-token in a JSON object.
- The /api/sessions/properties endpoint also exposed the setup-token and was accessible without authentication.
On several instances Metabase did not wipe the setup-token value, while other instances correctly returned "setup-token":null. The null value is explained by a codebase commit from January 2022 that clears the token via "setup/clear-token!".
This means that another change in the Metabase setup flow led to the setup token persisting on the vulnerable instances.
Furthermore, Metabase prompts users to connect to a data source, which is where the /api/setup/validate endpoint comes in. This endpoint takes a JDBC URI value as part of the POST request.
An SQL injection was found via the H2 database driver's INIT parameter: the H2 driver accepts INIT as an SQL statement that is executed when the database connection is initiated.
Metabase ships a sample database in a JAR file, which can be used to chain the attack without corrupting the database.
Combining all of these pieces yields a reverse shell, which can then be used to extract sensitive information from the data sources connected to the Metabase instance.
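As an added illustration (not code from the article or from Metabase itself), the two defender-side checks below test for the preconditions the chain relies on: a non-null setup-token in the session properties JSON, and an H2 JDBC URI that carries an INIT parameter. The JSON sample is constructed and the function names are our own.

```python
import json
from urllib.parse import unquote

# Constructed sample of the JSON the session properties endpoint (or the
# login page's embedded JSON object) might return on an instance that never
# cleared its setup token. Not a real capture; the UUID is a placeholder.
SAMPLE_PROPERTIES = json.dumps({
    "version": {"tag": "v0.46.6"},
    "setup-token": "00000000-0000-4000-8000-000000000000",
})


def setup_token_exposed(properties_json: str) -> bool:
    """True when the properties JSON still carries a non-empty setup-token.
    A fully set-up, patched instance returns null or omits the key, so a
    string value here means the setup flow is still reachable pre-auth."""
    props = json.loads(properties_json)
    token = props.get("setup-token")
    return isinstance(token, str) and token != ""


def h2_uri_uses_init(jdbc_uri: str) -> bool:
    """True when an H2 JDBC URI carries the INIT parameter, which H2 runs as
    SQL when the connection is opened. H2 settings are ';'-separated and the
    parameter name is case-insensitive; URL-decoding first catches %3B-style
    encoding of the separator."""
    decoded = unquote(jdbc_uri)
    if not decoded.lower().startswith("jdbc:h2:"):
        return False
    for setting in decoded.split(";")[1:]:
        name = setting.split("=", 1)[0].strip().upper()
        if name == "INIT":
            return True
    return False
```

A data-source validation layer that rejects H2 URIs for which h2_uri_uses_init returns True, and a monitoring check that alerts when setup_token_exposed returns True after setup has completed, cover the two halves of the chain described above.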
According to Metabase's security advisory, the following patched versions were released:
- v0.45.4.1 and v18.104.22.168
- v0.44.7.1 and v22.214.171.124
- v0.43.7.2 and v126.96.36.199
Metabase users are advised to upgrade to the latest version of Metabase to fix this vulnerability.