Metabase One Click RCE
Intro.
In this post we will explore a chain of two CVEs, CVE-2022-39362 and CVE-2022-39361, affecting Metabase.
CVE-2022-39362
This bug is a Cross Site Request Forgery (CSRF) that arose from the /question endpoint.
The impact was that an attacker could run arbitrary SQL queries on the target application; all an attacker needed was for a logged-in user to click a link.
Metabase fixed this issue by no longer automatically executing ad-hoc native queries.
CVE-2022-39361
This was a code injection bug that arose from the CREATE TRIGGER statement of the H2 database.
Metabase uses the H2 DB; if an attacker can run SQL queries via the app's SQL console, the attacker can achieve arbitrary code execution on the target application.
The SQL query below was enough to gain RCE.
CREATE TRIGGER TRIG_JS_trig_random_id BEFORE SELECT ON INFORMATION_SCHEMA.Users AS '//javascript
var foxxs = java.lang.Runtime.getRuntime().exec("rce_command");';
SELECT * FROM INFORMATION_SCHEMA.Users ;
Metabase fixed this issue by no longer allowing DDL statements in H2 native queries.
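As an added example in the spirit of that fix (not Metabase's own code), the gate below rejects a native query that contains a DDL statement before it reaches H2. It strips string literals and comments before splitting on semicolons, so the trigger body quoted above (which carries a ';' inside its literal) cannot hide a second statement and a DDL keyword inside a literal does not cause a false positive. The DDL keyword set and function names are assumptions for this example.

```python
import re
from typing import Optional

# Statement openers we refuse in a native H2 query. This list is constructed for
# the example; it is not the set Metabase actually enforces.
DDL_KEYWORDS = {
    "CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE",
    "RUNSCRIPT", "SCRIPT", "SHUTDOWN", "BACKUP",
}

# Remove single-quoted literals, double-quoted identifiers, line comments and
# block comments so neither keywords nor ';' inside them influence parsing.
_STRIP_RE = re.compile(
    r"""
    '(?:[^']|'')*'      |   # string literal, '' is an escaped quote
    "(?:[^"]|"")*"      |   # quoted identifier
    --[^\n]*            |   # line comment
    /\*.*?\*/               # block comment
    """,
    re.S | re.X,
)

def first_ddl_statement(sql: str) -> Optional[str]:
    """Return the leading keyword of the first DDL statement in sql, or None."""
    cleaned = _STRIP_RE.sub(" ", sql)
    for statement in cleaned.split(";"):
        match = re.match(r"\s*([A-Za-z_]+)", statement)
        if match and match.group(1).upper() in DDL_KEYWORDS:
            return match.group(1).upper()
    return None

def is_allowed_h2_native_query(sql: str) -> bool:
    """True when every statement in the query starts with a non-DDL keyword."""
    return first_ddl_statement(sql) is None

# Constructed sample: the trigger query from the post, with its placeholder command.
EXPLOIT_QUERY = (
    "CREATE TRIGGER TRIG_JS_trig_random_id BEFORE SELECT ON INFORMATION_SCHEMA.Users "
    "AS '//javascript\n"
    "var foxxs = java.lang.Runtime.getRuntime().exec(\"rce_command\");';\n"
    "SELECT * FROM INFORMATION_SCHEMA.Users ;"
)

if __name__ == "__main__":
    print("exploit query allowed:", is_allowed_h2_native_query(EXPLOIT_QUERY))
    print("plain select allowed:", is_allowed_h2_native_query("SELECT 1;"))
```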
Forming a chain.
If we combine both exploits, we have a one-click RCE: all we have to do is convince an admin to click a link.
Thanks for Reading!