Nmap Development mailing list archives
Re: [NSE] http-vuln-cve2015-1427 Remote Code Execution in Elastic Search
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 13 Mar 2015 14:34:46 -0500
Gyani,

Thanks for your great work! A couple more things and we'll be ready to integrate it. I've made a couple changes which I'll link below [1]. Summary of changes:

* payload table is created once, then modified if command is set. Prevents code duplication.
* Grab Elasticsearch and Java versions instead of executing "uname -a" since that won't work on Windows. This info is already available without the vuln, so I'd like to grab something more useful (System.getProperty("os.name") or something?), but this demonstrates the vuln at least.
* folded strings for easier reading.
* Used "highlyunusualstring" instead of "\\A" as a delimiter to grab whole output of command. Backslashes were causing problems for me.
* Fixed the problem of needing multiple runs: the blank response was being cached by Nmap's http cache. Also, it needs a few seconds for the result to be available to the search API; I put in a 5-second sleep to solve this issue.
* Simplified the addition of a new index, type, and document and made it use a random name
* Clean up (DELETE) the new index after exploiting.
* Renamed the "brutal" option to "invasive" which matches other documentation a bit better.

So what is left? I don't like how we don't give any output if we can't create the new index. We should either:

1. create the index as needed without a script-arg (I don't like this option), or
2. Check the version number (GET / => response.version.number) and set LIKELY_VULN if it matches "1.3.[0-7]" or "1.4.[0-2]". Then proceed to exploit regardless of version reported and set EXPLOITED if that succeeds. Only return nil if it's not Elasticsearch at all.

Since we'll be grabbing the version anyway, we should probably set it with nmap.set_port_version().

Dan

[1] https://gist.github.com/dmiller-nmap/207089882b237d3434ad

On Fri, Mar 13, 2015 at 6:19 AM, Gyanendra Mishra <anomaly.the () gmail com> wrote:
> Hi Dan,
>
> 1. I added the 'brutal' argument. If there are no indices it creates one. Or else the script returns nil on finding no indices. Issue: The script has to be run once more to get results. The put request returns 201 as expected but when I check if something got added it returns false. Rerunning the script gives correct results.
> 2. Mistake on my part. I corrected it.
> 3. I removed the fail function and added a return nil and a debug statement saying 'Could not be parsed'.
> 4. I created a table which is used to generate the json via the json.generate() method. Escaping the JSON payload using url.escape doesn't work. It leads to no result.
> 5. I added the result to the exploit_results field.
>
> The script is working well now. Just the issue mentioned in point 1 remains.
>
> Gyanendra
>
> _______________________________________________
> Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
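The version-based LIKELY_VULN check Dan proposes above, written out as a stand-alone Python example (added here; it is not the NSE script or Nmap's own code). It parses the `version.number` field from an Elasticsearch `GET /` banner and compares it numerically against the affected ranges named in the thread (1.3.0 to 1.3.7 and 1.4.0 to 1.4.2); numeric comparison also keeps strings such as "1.3.70" or "1.13.5" from being misclassified, which a plain wildcard pattern would not. The banner is a constructed sample, not a capture from a real host.

```python
import json
import re

# Affected ranges for CVE-2015-1427 as discussed in the thread:
# 1.3.0 through 1.3.7 and 1.4.0 through 1.4.2 (fixed in 1.3.8 / 1.4.3).
AFFECTED_RANGES = (((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2)))

# Constructed sample of an Elasticsearch "GET /" response body (not a real capture).
SAMPLE_BANNER = json.dumps({
    "status": 200,
    "name": "node-1",
    "version": {"number": "1.4.2", "build_hash": "PLACEHOLDER", "lucene_version": "4.10.2"},
    "tagline": "You Know, for Search",
})


def parse_version(number):
    """Turn '1.4.2' (or '1.4.2-SNAPSHOT') into a comparable tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", number)
    if not m:
        raise ValueError("unrecognised version string: %r" % number)
    return tuple(int(x) for x in m.groups())


def is_likely_vulnerable(number):
    """True if the version falls inside one of the affected ranges (inclusive)."""
    v = parse_version(number)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify_banner(body):
    """Return (version, state); state is 'LIKELY_VULN', 'NOT_VULN', or None if not ES.

    Mirrors the proposed script flow: only a response without version.number
    (i.e. not Elasticsearch at all) yields no result.
    """
    try:
        number = json.loads(body)["version"]["number"]
    except (ValueError, KeyError, TypeError):
        return None, None
    return number, "LIKELY_VULN" if is_likely_vulnerable(number) else "NOT_VULN"


if __name__ == "__main__":
    print(classify_banner(SAMPLE_BANNER))
```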