File Inclusion Bug in Kibana Console for Elasticsearch Gets Exploit Code

If you are planning to learn a data visualization tool, Kibana is a good choice. It is a popular visualization and analytics platform designed to give better and faster insight into data held in Elasticsearch indices. Whatever tool we use in our business, it must be updated when needed; if not, it may land us in trouble.

To learn Kibana and gain expertise in it, you should try Kibana training. In this post, we share some information about how the file inclusion bug in the Kibana Console for Elasticsearch got exploit code. Before that, let us cover some basics about Kibana, Elasticsearch, and file inclusion bugs.

Kibana

Kibana is a data visualization and exploration tool: a browser-based visualization front end for analysing huge volumes of data in Elasticsearch indices. It offers easy-to-use and powerful features such as line graphs, heat maps, histograms and pie charts for data visualization, and it is used for time-series and log analytics, operational intelligence, and application monitoring. Kibana acts as the user interface (UI) for securing, managing and monitoring an Elastic Stack cluster and as the centralized hub for the built-in solutions developed on the Elastic Stack. With Kibana, you can visualize data quickly and efficiently.

Elasticsearch

Elasticsearch is a free, open-source, distributed search and analytics engine for all types of data: numerical, textual, structured, unstructured and geospatial. It lets us store, analyze and search large volumes of data and returns results within seconds. It searches indices directly instead of scanning the raw text. Elasticsearch is extensible through plugins and highly customizable. Kibana provides visual analysis of data from Elasticsearch indices: its interface lets users query data in those indices, and the results are visualized through Lens, Maps and Canvas.

File Inclusion Bug

File inclusion is a class of bug in which an attacker tricks the web application into running or exposing files that are on the server. File inclusion vulnerabilities are commonly found in web applications that depend on a scripting runtime, and they occur mainly because of poor input validation: for example, when user input that contains path components or commands is passed to a file operation without being validated properly. The vulnerability can reveal sensitive data present in files on the server or lead to malicious code execution on it.

How did the file inclusion bug in the Kibana Console for Elasticsearch get exploit code, and what are the recommended actions?

The Console plugin offers an easy way to interact with the Elasticsearch REST API. It gives direct access to the stored data, eliminating the need to use a terminal. The bug lets an attacker make Kibana load and run files from the local disk. Once exploit code for this local file inclusion was published, it affected the Console plugin of Kibana, the data visualization tool for Elasticsearch. An attacker could then upload a harmful script and get remote code execution. The proof of concept is a one-line request whose destination path points into the password directory.

If run, the credentials will be dumped into the Kibana log. A local file inclusion bug can be combined with files already on the server: some applications are open to such attacks, and adversaries may be able to exploit them to create a reverse shell. An easy way to exploit LFI is to combine it with a bug that allows arbitrary file upload. With a simple exploit request against Kibana's URL, the attacker can even crash Kibana.

Including external file libraries is a very common operation in a running system, but letting an attacker load Kibana and run files from a local disk is not. It is very dangerous if an attacker can upload a file and tell Kibana to load or run it from the local disk. An attacker with access to the Kibana Console API can send a request that attempts to execute JavaScript code, which would run with the permissions of the Kibana process on the host system. The best way to deal with this issue is to apply security updates promptly.

That is, upgrading the Elastic Stack to the latest version is the recommended action. Otherwise, the Kibana Console plugin can be disabled to prevent the code path in question from being executed until you upgrade; this is done by setting 'console.enabled: false' in the Kibana configuration file (kibana.yml).
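As an added example (not code from the post or from Elastic), the following Python script checks a kibana.yml fragment for the recommended 'console.enabled: false' setting and scans constructed JSON log lines for Console-API requests carrying directory traversal or password-file paths, the pattern the proof of concept described above relies on. The '/api/console/' prefix, the hypothetical routes and the 'req.url' / 'req.remoteAddress' log fields are assumptions.

```python
import json
import re
from urllib.parse import unquote

# Constructed kibana.yml fragments (assumption: Kibana's YAML config with the
# dotted top-level key the post recommends, 'console.enabled: false').
VULNERABLE_CONFIG = 'server.port: 5601\nelasticsearch.hosts: ["http://localhost:9200"]\n'
HARDENED_CONFIG = VULNERABLE_CONFIG + "console.enabled: false\n"

# Plain or (double-)encoded directory traversal, or a direct reference to the
# system password/shadow files, which is what the post's proof of concept reads.
TRAVERSAL = re.compile(r"\.\./|/etc/(passwd|shadow)", re.IGNORECASE)

# Constructed JSON log lines in the shape of Kibana's JSON log output
# (assumption: 'req.url' and 'req.remoteAddress' fields; hypothetical routes).
SAMPLE_LOGS = [
    '{"type":"response","req":{"url":"/api/console/query?q=_cat/indices","remoteAddress":"10.0.0.5"},"res":{"statusCode":200}}',
    '{"type":"response","req":{"url":"/api/console/load?file=../../../../etc/passwd","remoteAddress":"198.51.100.7"},"res":{"statusCode":200}}',
    '{"type":"response","req":{"url":"/api/console/load?file=..%252f..%252fetc%252fpasswd","remoteAddress":"198.51.100.7"},"res":{"statusCode":200}}',
    '{"type":"response","req":{"url":"/app/kibana","remoteAddress":"10.0.0.9"},"res":{"statusCode":200}}',
    'not json at all',
]

def console_disabled(config_text: str) -> bool:
    """True only when the config explicitly sets console.enabled to false."""
    for line in config_text.splitlines():
        m = re.match(r"^\s*console\.enabled\s*:\s*(\w+)", line)
        if m:
            return m.group(1).lower() == "false"
    return False  # the Console plugin is enabled by default when the key is absent

def flag_console_requests(log_lines):
    """Return (remote_address, url) for Console-API requests that look like LFI."""
    hits = []
    for raw in log_lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the whole scan
        req = rec.get("req", {}) if isinstance(rec, dict) else {}
        url = req.get("url", "")
        # Decode twice so %252e%252e-style double encoding is normalised first.
        decoded = unquote(unquote(url))
        if decoded.startswith("/api/console/") and TRAVERSAL.search(decoded):
            hits.append((req.get("remoteAddress", "?"), url))
    return hits
```

Run the config check against your real kibana.yml before and after applying the workaround, and point the log scan at Kibana's JSON log file to spot traversal attempts against the Console API.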

Conclusion:

In this post, we have shared the necessary information about how the file inclusion bug in the Kibana Console for Elasticsearch got exploit code; the recommended action is always to keep your Elastic Stack updated to the latest version. This prevents attackers from making Kibana load and run files from the local disk and keeps our data secure. We hope you found this information useful.
