module

Metabase Setup Token RCE

Disclosed
07/22/2023
Created
08/09/2023

Description

Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token
is accessible even after the setup process has been completed. With this token
a user is able to submit the setup functionality to create a new database.
When creating a new database, an H2 database string is created with a TRIGGER
that allows for code execution. We use a sample database for our connection
string to prevent corrupting real databases.

Successfully tested against Metabase 0.46.6, 0.44.4, 0.42.1.

Authors

h00dieMaxwell GarrettShubham Shah

Platform

Unix

Architectures

cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

    msf > use exploit/linux/http/metabase_setup_token_rce
    msf /(e) > show actions
        ...actions...
    msf /(e) > set ACTION < action-name >
    msf /(e) > show options
        ...show and set options...
    msf /(e) > run
  
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.