Nmap Development mailing list archives
Re: [NSE] http-vuln-cve2015-1427 Remote Code Execution in Elastic Search
From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Thu, 21 May 2015 15:40:38 +0530
Dan,

I made the changes as suggested and committed to rev34503. There was an issue in the cleanup function in which we were referring to the variable `response` instead of `r`. I changed that as well, and also added a debug message before the script goes to sleep.

How do the NSEDocs get updated?

Gyani

On Thu, May 21, 2015 at 8:23 AM, Daniel Miller <bonsaiviking () gmail com> wrote:

> Gyani,
>
> This looks good! If you can fix the following minor issues, you can go ahead and commit this (check with me on IRC if you are unsure about procedures):
>
> * Don't use nocache options for the initial version check; this was only needed for the index check later on.
> * For the @output section, use the output of a run without a custom command, i.e. containing "ElasticSearch version:" and "Java version:". Also make sure the "ISSUE" is not part of this section.
> * Convert stdnse.print_debug calls to stdnse.debug
> * Clean up trailing whitespace.
>
> Dan
>
> On Sat, Mar 14, 2015 at 5:28 AM, Gyanendra Mishra <anomaly.the () gmail com> wrote:
>
>> Hi,
>>
>> Thanks for your help!
>>
>> On Sat, Mar 14, 2015 at 1:04 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
>>
>>> So what is left? I don't like how we don't give any output if we can't create the new index. We should either:
>>>
>>> 1. create the index as needed without a script-arg (I don't like this option), or
>>> 2. Check the version number (GET / => response.version.number) and set LIKELY_VULN if it matches "1.3.[0-7]" or "1.4.[0-2]". Then proceed to exploit regardless of version reported and set EXPLOITED if that succeeds. Only return nil if it's not Elasticsearch at all.
>>
>> I too found option 2 better. I implemented the same in the attached script. Now the script checks for the version; if a vulnerable version is found, then it sets vuln_table.state to LIKELY_VULN along with updating the port version. The report table is returned instead of nil in most places now.
>>
>> Gyanendra

-- 
*Gyanendra Mishra*
Computer Science and Engineering Sophomore, BITS Pilani
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
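The version-gating decision discussed in the thread (GET / on the node, read response.version.number, report LIKELY_VULN for 1.3.0-1.3.7 or 1.4.0-1.4.2, report a non-vulnerable state for any other Elasticsearch version, and return nothing only when the target is not Elasticsearch at all), written out as an added Python example that is not the NSE script from the thread. It assumes the 1.x root banner is JSON with a `version.number` field, as the thread describes; the banner below is constructed, and the ranges are compared numerically so that an unanchored pattern like `1.4.[0-2]` cannot mis-hit a longer version string.

```python
import json
import re

# Vulnerable ranges as named in the thread ("1.3.[0-7]" and "1.4.[0-2]"),
# expressed as inclusive numeric bounds so that "1.4.20" is not mistaken
# for "1.4.2" the way an unanchored pattern match would.
VULNERABLE_RANGES = (
    ((1, 3, 0), (1, 3, 7)),
    ((1, 4, 0), (1, 4, 2)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(number):
    """Turn "1.4.2" (or "1.4.2-SNAPSHOT") into (1, 4, 2); None if unparseable."""
    m = _VERSION_RE.match(number) if isinstance(number, str) else None
    return tuple(int(x) for x in m.groups()) if m else None


def classify_root_response(body):
    """Classify the body of GET / on a suspected Elasticsearch node.

    Returns None when the body is not an Elasticsearch banner at all
    (the thread's "only return nil if it's not Elasticsearch"),
    "LIKELY_VULN" when version.number lies in a vulnerable range, and
    "NOT_VULN" for any other Elasticsearch version.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    version = doc.get("version") if isinstance(doc, dict) else None
    if not isinstance(version, dict):
        return None
    ver = parse_version(version.get("number"))
    if ver is None:
        return None
    for low, high in VULNERABLE_RANGES:
        if low <= ver <= high:
            return "LIKELY_VULN"
    return "NOT_VULN"


# Constructed sample banner in the shape GET / returns on Elasticsearch 1.x.
SAMPLE_BANNER = json.dumps({
    "status": 200, "name": "node-1",
    "version": {"number": "1.4.2", "build_hash": "deadbeef"},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    print(classify_root_response(SAMPLE_BANNER))  # LIKELY_VULN
```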