ElasticSearch Groovy Script Remote Code Execution Vulnerability: Emergency Summary
I. Vulnerability Description
ElasticSearch is a Java-based search and analysis engine. In 2014 it was found to have a remote code execution vulnerability (CVE-2014-3120) in its script query module: because the engine allowed script code (MVEL) to be used as expressions for data operations, an attacker could construct MVEL expressions that executed arbitrary Java code. The scripting engine was later replaced with Groovy and placed inside a sandbox intended to intercept dangerous code. This time, however, the sandbox restrictions are not strict enough, and the result is again remote code execution.
II. Vulnerability Impact
Affected Versions:
1.4: 1.4.2, 1.4.1, 1.4.0, 1.4.0.Beta1
1.3: 1.3.7, 1.3.6, 1.3.5, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
III. Vulnerability Analysis
The class containing the vulnerable sandbox code is com.elasticsearch.script.groovy.GroovySandboxExpressionChecker, which customizes the Groovy sandbox and performs security checks on expressions. This sandbox is different from the Java SecurityManager sandbox: from the code we can see that it is a "shallow" sandbox, one that judges whether an expression is legal at the level of expression semantics, using a blacklist and a whitelist.
The specific code process is as follows:
The whitelist can be called as follows:
From the whitelist above we can see that the classes permitted for object construction and method calls are all ordinary classes, none of which is directly useful to an attacker. Reaching a class of our own choosing would require reflection, and the method blacklist blocks getClass, so a Class object cannot be obtained that way. However, the forName method is not restricted in the method whitelist. So as soon as any Class object is available, forName can be called on it to obtain the class we want to access.
IV. Vulnerability Verification
The following command can be used to check whether an ElasticSearch instance is vulnerable.
Run in Bash:
curl -XPOST "http://<target address>:9200/_search" -d '{"size": 1, "script_fields": {"knownsec": {"script": "p = Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"<the command you want to execute>\").getText()", "lang": "groovy"}}}'
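From the defender's side, the same request shape is what you want to recognise in traffic to port 9200. The following is an added example, not part of the original advisory and not Knownsec or Elasticsearch code: a small Python checker that can be run over captured _search request bodies (for example, from a reverse proxy in front of the cluster) and flags Groovy scripts that reach for the Class.forName / Runtime primitive the analysis above describes. The sample bodies are constructed, and the function names and the token list are this example's own choices; the lang default of groovy is an assumption for 1.4.x, where groovy is the default script language.

```python
import json
import re

# Tokens that the advisory's analysis identifies as the escape route from the
# "shallow" sandbox: obtaining Class.forName and Runtime through a whitelisted
# class. The list is this example's own, not an official signature set.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\bforName\s*\("),
    re.compile(r"java\.lang\.Runtime"),
    re.compile(r"\bgetRuntime\s*\("),
    re.compile(r"\.exec\s*\("),
    re.compile(r"ProcessBuilder"),
]


def _iter_scripts(node, lang=None):
    """Yield (script_source, lang) for every "script" string in a request body.

    "lang" is read from the same object as "script" (the script_fields layout);
    when absent, the caller's default is inherited (assumed: groovy on 1.4.x).
    """
    if isinstance(node, dict):
        local_lang = node["lang"] if isinstance(node.get("lang"), str) else lang
        script = node.get("script")
        if isinstance(script, str):
            yield script, local_lang
        for value in node.values():
            yield from _iter_scripts(value, local_lang)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_scripts(item, lang)


def analyse_request(body, default_lang="groovy"):
    """Return one finding per embedded script: its lang, source, and matched tokens."""
    try:
        doc = json.loads(body)
    except ValueError:
        return [{"error": "body is not valid JSON"}]
    findings = []
    for source, lang in _iter_scripts(doc, default_lang):
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(source)]
        findings.append({"lang": lang, "script": source, "suspicious": hits})
    return findings


def is_exploit_attempt(body):
    """True when any embedded script matches a suspicious token."""
    return any(f.get("suspicious") for f in analyse_request(body))


# Constructed sample bodies (not captured traffic): a legitimate script_fields
# query, and one shaped like the advisory's verification request.
BENIGN = json.dumps({"size": 1, "script_fields": {
    "double_price": {"script": "doc['price'].value * 2", "lang": "groovy"}}})
PROBE = json.dumps({"size": 1, "script_fields": {
    "knownsec": {"script": 'p = Math.class.forName("java.lang.Runtime")', "lang": "groovy"}}})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("probe", PROBE)):
        print(label, "->", "ALERT" if is_exploit_attempt(body) else "ok", analyse_request(body))
```

Because scripts can also be sent through the `script` parameter of other query types, the walker matches any `script` string anywhere in the body rather than only under `script_fields`; a request with no script at all produces no findings.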
V. ZoomEye Emergency Summary
Remote code execution through ElasticSearch Groovy scripts is a serious vulnerability: attackers can directly take control of servers that have it.
The ZoomEye team at Knownsec (ZoomEye, the Zhongkui Eye cyberspace search system) combined several methods to measure the impact.
Note: the hosts counted below can be attacked remotely and directly, and are at high risk!
Group 1 data: 2015/03/04
This vulnerability was checked against the 53469 IP addresses with port 9200 in the ZoomEye database. 3852 hosts can be reached remotely through this vulnerability; among them, 245 ElasticSearch servers accessible from the Internet are affected.
Group 2 data: 2015/03/05
We also scanned for both the earlier ElasticSearch remote arbitrary code execution vulnerability (CVE-2014-3120) and the newly disclosed vulnerability (CVE-2015-1427):
583 hosts affected by CVE-2014-3120
3843 hosts affected by CVE-2015-1427
VI. Repair Suggestions
Method 1: upgrade to the latest official release.
Method 2: add the following line to config/elasticsearch.yml:
script.groovy.sandbox.enabled: false
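To verify that one of the two remediations is actually in place on a host, here is an added example (not from the advisory, and not Elasticsearch's own tooling) that checks the running version against the affected list in section II and checks whether elasticsearch.yml disables the Groovy sandbox. ES 1.x accepts both the dotted form shown above and the nested YAML form, so the example flattens either into dotted keys with a deliberately small parser; the parser, the assess() function and the sample configs are this example's own assumptions (scalars and nested maps only, no lists or quoted "#" characters).

```python
# Affected releases exactly as listed in section II of the advisory.
AFFECTED_VERSIONS = {
    "1.4.2", "1.4.1", "1.4.0", "1.4.0.Beta1",
    "1.3.7", "1.3.6", "1.3.5", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0",
}


def flatten_yaml(text):
    """Flatten a simple elasticsearch.yml into {"a.b.c": "value"}.

    Handles nested maps by indentation and dotted keys on one line; comments
    are stripped at the first '#'. Lists and quoted '#' are out of scope
    (assumption of this example, sufficient for the sandbox setting).
    """
    result = {}
    stack = []  # (indent, key) for the enclosing map keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        # Leaving an indentation level pops the keys that belonged to it.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip()
        if value:
            result[".".join(k for _, k in stack)] = value
    return result


def sandbox_disabled(config_text):
    """True when script.groovy.sandbox.enabled is set to false (either YAML form)."""
    cfg = flatten_yaml(config_text)
    value = cfg.get("script.groovy.sandbox.enabled", "").strip("\"'").lower()
    return value == "false"


def assess(version, config_text):
    """Classify a host: patched version, mitigated by config, or still vulnerable."""
    if version.strip() not in AFFECTED_VERSIONS:
        return "not in affected list"
    if sandbox_disabled(config_text):
        return "mitigated"
    return "vulnerable"


# Constructed sample configurations (not taken from any real deployment).
DOTTED = "cluster.name: demo\nscript.groovy.sandbox.enabled: false\n"
NESTED = "script:\n  groovy:\n    sandbox:\n      enabled: false\n"
COMMENTED_OUT = "# script.groovy.sandbox.enabled: false\ncluster.name: demo\n"

if __name__ == "__main__":
    for name, cfg in (("dotted", DOTTED), ("nested", NESTED), ("commented", COMMENTED_OUT)):
        print(name, "1.4.2 ->", assess("1.4.2", cfg))
    print("1.4.3 ->", assess("1.4.3", COMMENTED_OUT))
```

The version string can be read from the `version.number` field of the node's root endpoint (`GET /`), and the commented-out sample is there because a setting left as a commented default is the most common way this mitigation silently fails to apply.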