Remember once hijacked hang horse experience-Elasticsearch remote execution vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201451915
Type myhack58
Reporter 佚名
Modified 2014-07-30T00:00:00


Cause: the

The company uses Ucloud cloud hosting services, today morning suddenly told that there is a server of the outlet flow surge in foreign contract amount within a short time reached 1 0 0 million, and all the UDP type, the first feeling was: Gee, could there be dark, is when the broiler!


Immediately login to the corresponding server, the first to use up to view traffic conditions

! wKiom1PXewmxnBlAAAIc3Cx_xKI222.jpg! wKioL1PXfFTz7OPKAAJYayVxA5Q867.jpg

As can be seen the outlet flow of a good scare, 1 minute accumulated within 700M of traffic, check out what these 2 IP addresses, one is in the United States, one is in Zhejiang telecommunications;

Quickly view the running processes, find out suspected processes, but also really have found that:

! wKioL1PXffLTYiecAAFKNFx1Tg0944.jpg

[. ECC6DFE919A382]this process also want to impersonate system process, doubt is great, but the/tmp/freeBSD is also a very strange thing, and the 4 9 8 the UID of the corresponding user is elasticsearch, and remember yesterday deployed Elasticsearch + Logstash, in order to achieve a log statistics system, will not be ES there is a bug right, continue to view the reason

! wKiom1PXf96xKGEEAAO1e8i1ER4561.jpgsuspect/tmp/freeBSD is to be hung it to the program, unfortunately, has been deleted, you cannot view the


The culprit identified, detailed reasons also need a detailed investigation, so now the most important is to solve the problem, quickly kill off the process, once again check up found flow down quickly, more confirms our judgment;

Next you need to find the hijacked hung it to the cause and specifically the hijacking of the way to post-menopausal patients, and through an external search engine is also soon locate the cause of the problem, is the“Elasticsearch remote arbitrary code execution”vulnerability:

  • ElasticSearch with scripting(scripting)functions, you can easily check out the data re-processing; ElasticSearch with the script engine is MVEL, this engine does not do any protection, or the sand box, it can directly execute arbitrary code.; and

  • In ElasticSearch 1.2 previous versions, the default configuration is to open the dynamic scripting functionality, so the user can directly through the http request, execution of arbitrary code.; and

  • In fact, the official is aware of this loophole in the document with instructions:

  • First, you should not run Elasticsearch as the root user, as this would allow a script to access or do anything on your server, without limitations. Second, you should not expose Elasticsearch directly to users, but instead have a proxy application inbetween.

[1] [2] next