Nmap Development mailing list archives
Re: [NSE] http-vuln-cve2015-1427 Remote Code Execution in Elastic Search
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 12 Mar 2015 21:28:04 -0500
Gyanendra,

I looked into it some more, and here are my findings:

1. If the target does not have at least one index with a document in it, it is not exploitable. This is an unlikely situation, but we should be able to check it with the "GET /cat/_indices" call (add "?v" for verbose output while you're testing) [1]. However! Since there is no authentication on this service, an attacker (or our script) can add an index and a document, making it exploitable again. This is very invasive, so it probably shouldn't be turned on by default (script-args perhaps).

2. vulns.State.EXPLOITABLE does not exist (is nil). You want vulns.State.EXPLOIT.

3. Just some cleanup issues: the fail() function on line 78 is not defined. Should probably be a debug statement and return nil.

4. I think cleanString is doing the wrong thing. The user-provided command should be escaped for a JSON string using json.generate. In fact, it may be best to make the payload a table, then create the actual JSON string with json.generate, since that will handle this level of escaping. Finally, the entire JSON payload must be URI-escaped for the HTTP POST body using uri.escape.

5. We need some way of getting the result of the exploitation to the user. Parse it out and put it in vuln_table.exploit_results.

Dan

[1] http://www.elastic.co/guide/en/elasticsearch/reference/current/_create_an_index.html

On Thu, Mar 12, 2015 at 10:08 AM, Gyanendra Mishra <anomaly.the () gmail com> wrote:
Dan,

I have made all the changes as suggested and I have attached a new copy of the script. I tried this script, the curl command (carnal0wnage) and the python script (XiphosResearch) on various vulnerable versions of elasticsearch but got no results. I'll keep trying other versions though.

Gyanendra

_______________________________________________
Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
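A standalone check for the precondition in point 1 above (at least one index holding at least one document), as an added example that is not part of the submitted script or of Nmap: it parses the verbose output of Elasticsearch's GET /_cat/indices?v and reports which indices hold documents. The sample output is constructed, and the headerless fallback assumes the default 1.x column order.

```python
"""Does this Elasticsearch node have an index with at least one document?
Input is the text body returned by GET /_cat/indices?v (verbose output
starts with a header row). The sample below is constructed, not captured."""

# Constructed sample: one empty index, one with documents, one closed index
# (closed indices are printed with fewer columns in the 1.x cat output).
SAMPLE_CAT_INDICES = """\
health status index    pri rep docs.count docs.deleted store.size pri.store.size
yellow open   logs     5   1          0            0       575b           575b
yellow open   website  5   1          3            0      9.8kb          9.8kb
       close  archive
"""

# Assumed default column order when "?v" was not used (no header row).
DEFAULT_COLUMNS = ["health", "status", "index", "pri", "rep", "docs.count",
                   "docs.deleted", "store.size", "pri.store.size"]


def parse_cat_indices(text):
    """Return one dict per index row, keyed by column name.
    Columns are whitespace-separated and index names contain no spaces,
    so split() is sufficient. Rows whose field count does not match the
    header (e.g. closed indices) are skipped rather than mis-assigned."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    if "docs.count" in header:
        data_lines = lines[1:]
    else:  # non-verbose output: no header, fall back to the default order
        header, data_lines = DEFAULT_COLUMNS, lines
    rows = []
    for line in data_lines:
        fields = line.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def indices_with_documents(text):
    """Names of indices whose docs.count is greater than zero."""
    found = []
    for row in parse_cat_indices(text):
        if row["docs.count"].isdigit() and int(row["docs.count"]) > 0:
            found.append(row["index"])
    return found


def precondition_met(text):
    """True when the target holds at least one document in some index."""
    return bool(indices_with_documents(text))
```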