Nmap Development mailing list archives

Re: [NSE] http-vuln-cve2015-1427 Remote Code Execution in Elastic Search


From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 13 Mar 2015 14:34:46 -0500

Gyani,

Thanks for your great work! A couple more things and we'll be ready to
integrate it. I've made a couple of changes which I'll link below [1]. Summary
of changes:

* payload table is created once, then modified if command is set. Prevents
code duplication.
* Grab Elasticsearch and Java versions instead of executing "uname -a"
since that won't work on Windows. This info is already available without
the vuln, so I'd like to grab something more useful
(System.getProperty("os.name") or something?), but this demonstrates the
vuln at least.
* folded strings for easier reading.
* Used "highlyunusualstring" instead of "\\A" as a delimiter to grab whole
output of command. Backslashes were causing problems for me.
* Fixed the problem of needing multiple runs: the blank response was being
cached by Nmap's http cache. Also, it needs a few seconds for the result to
be available to the search API; I put in a 5-second sleep to solve this
issue.
* Simplified the addition of a new index, type, and document and made it
use a random name.
* Clean up (DELETE) the new index after exploiting.
* Renamed the "brutal" option to "invasive" which matches other
documentation a bit better.

So what is left? I don't like how we don't give any output if we can't
create the new index. We should either:

1. create the index as needed without a script-arg (I don't like this
option), or
2. Check the version number (GET / => response.version.number) and set
LIKELY_VULN if it matches "1.3.[0-7]" or "1.4.[0-2]". Then proceed to
exploit regardless of version reported and set EXPLOITED if that succeeds.
Only return nil if it's not Elasticsearch at all.

Since we'll be grabbing the version anyway, we should probably set it with
nmap.set_port_version().

Dan

[1] https://gist.github.com/dmiller-nmap/207089882b237d3434ad

On Fri, Mar 13, 2015 at 6:19 AM, Gyanendra Mishra <anomaly.the () gmail com>
wrote:

Hi Dan,

1. I added the 'brutal' argument. If there are no indices it creates one.
Or else the script returns nil on finding no indices. Issue: the script
has to be run once more to get results. The PUT request returns 201 as
expected, but when I check if something got added it returns false.
Rerunning the script gives correct results.

2. Mistake on my part. I corrected it.

3. I removed the fail function and added a return nil and a debug
statement saying 'Could not be parsed'.

4. I created a table which is used to generate the JSON via the
json.generate() method. Escaping the JSON payload using url.escape doesn't
work. It leads to no result.

5. I added the result to the exploit_results field.

The script is working well now. Just the issue mentioned in point 1
remains.

Gyanendra

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
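The version check Dan proposes in option 2 (read version.number from the GET / response, flag LIKELY_VULN when it falls in 1.3.0-1.3.7 or 1.4.0-1.4.2, and treat a body with no Elasticsearch banner as "not Elasticsearch at all") can be expressed as a small classifier. The following is an added example written for this archive page, not code from the NSE script or from the Nmap project, and it is in Python rather than Lua so it can be run against saved banners without Nmap. The sample responses are constructed from the banner shape the thread mentions (a top-level "version" object with a "number" string); the node and cluster names are made up. The ranges are compared as parsed (major, minor, patch) tuples instead of with an unanchored text pattern, so a banner such as "1.3.10" or "11.3.5" is not mistaken for a listed version.

```python
import json
import re

# Constructed sample GET / bodies (not captured from a real host).
SAMPLE_ES_1_4_2 = json.dumps({
    "status": 200,
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "1.4.2", "build_snapshot": False,
                "lucene_version": "4.10.2"},
    "tagline": "You Know, for Search",
})
SAMPLE_ES_1_4_3 = json.dumps({
    "status": 200,
    "name": "node-2",
    "cluster_name": "elasticsearch",
    "version": {"number": "1.4.3", "build_snapshot": False,
                "lucene_version": "4.10.3"},
    "tagline": "You Know, for Search",
})
SAMPLE_NOT_ES = "<html><body>It works!</body></html>"

# Version ranges quoted in the thread, inclusive at both ends:
# "1.3.[0-7]" and "1.4.[0-2]".
VULN_RANGES = (
    ((1, 3, 0), (1, 3, 7)),
    ((1, 4, 0), (1, 4, 2)),
)


def parse_banner(body):
    """Return version.number from an Elasticsearch GET / body.

    Returns None when the body is not JSON or has no version.number,
    which is the "not Elasticsearch at all" case (the script returns nil).
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    version = doc.get("version")
    if not isinstance(version, dict):
        return None
    number = version.get("number")
    return number if isinstance(number, str) else None


def version_tuple(number):
    """Parse 'major.minor.patch' (optionally followed by a suffix such as
    '-SNAPSHOT') into an int tuple; None when it does not look like that."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", number)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def classify(body):
    """Classify a GET / body the way option 2 in the thread describes.

    Returns (state, version_number):
      (None, None)            -> no Elasticsearch banner found
      ("LIKELY_VULN", n)      -> reported version is in a listed range
      ("NOT_LISTED", n)       -> Elasticsearch, but version not in the list
    The reported version is returned as well so a caller can record it
    (the thread suggests nmap.set_port_version() for that in the script).
    """
    number = parse_banner(body)
    if number is None:
        return (None, None)
    parsed = version_tuple(number)
    if parsed is not None and any(lo <= parsed <= hi for lo, hi in VULN_RANGES):
        return ("LIKELY_VULN", number)
    return ("NOT_LISTED", number)


if __name__ == "__main__":
    for label, body in (("1.4.2", SAMPLE_ES_1_4_2),
                        ("1.4.3", SAMPLE_ES_1_4_3),
                        ("not ES", SAMPLE_NOT_ES)):
        print(label, "->", classify(body))
```

A "NOT_LISTED" result is only a statement about the banner: as Dan notes, the script still has to attempt the check regardless of the reported version, because a banner can be wrong or patched builds can keep a listed number.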
