module
Apache Superset Signed Cookie RCE
| Disclosed | Created |
|---|---|
| 09/06/2023 | 10/13/2023 |
Disclosed
09/06/2023
Created
10/13/2023
Description
Apache Superset versions These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that
of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the
Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be
set for that dashboard within Superset's database which will trigger the RCE.
An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.
of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the
Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be
set for that dashboard within Superset's database which will trigger the RCE.
An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.
Authors
h00dieparadoxisSpencer McIntyreNaveen Sunkavally
Platform
Python
Architectures
python
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/http/apache_superset_cookie_sig_rce
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.