Nmap Development mailing list archives

Re: [NSE] http-vuln-cve2015-1427 Remote Code Execution in Elastic Search


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 12 Mar 2015 08:50:33 -0500

Gyanendra,

This looks like a great start! I spotted a couple things that could be
contributing to your difficulty in getting results:

1. String escaping. In the default payload, you have:
'"java.lang.Math.class.forName(\"java.lang.System\").getProperty(\"os.name\")"',
but Lua interprets escapes the same for single-quoted strings as it does
for double-quoted strings (this is different than e.g. Perl). So those
backslashes need to be doubled.

2. You should use the `port` variable as an argument to http.post and
vulns.Report:new. As it is, your script may run on http ports like 80,
8080, etc. but will always try to contact 9200/tcp.

3. You should be properly escaping the command passed in script-args. There
may be an existing escape function in json.lua, but it should be possible
with a basic string.gsub.

4. Instead of including the cve.mitre.org link in the references, include
the CVE number in the IDS field. It will be turned into a proper reference,
and some tools rely on parsing that field to report vulnerabilities.

5. Make sure the script doesn't throw an error when scanning a
non-elasticsearch HTTP service. I would add a check for the http status
code. The part that checks parsed.hits.hits will error if parsed.hits is
nil.

6. If you don't want any output from the script (e.g. it is not
ElasticSearch), then return nil, not false. Returning false will actually
put the string "false" into the output.

Dan

On Thu, Mar 12, 2015 at 6:52 AM, Gyanendra Mishra <anomaly.the () gmail com>
wrote:

Hi,

I tried writing a script inspired by [1] and [2]. ElasticSearch versions
1.3.0 to 1.3.8 and 1.4.0 to 1.4.3 have a remote code execution
vulnerability as described in [1]. The script sends a simple post request
containing the payload as mentioned in [3],[2]. If the hits table inside
the hits table contains something then the script was successful and the
target is vulnerable. I tried running the curl command in [1] and [3] and
the script by XiphosResearch in [2] on various versions of ElasticSearch
(1.3.6, 1.3.7, 1.3.0, 1.4.2) but I couldn't get the desired results. The
attached NSE script gets results exactly as the above-mentioned
commands/script. So I couldn't run any successful tests. I have also added
a github link [4] to my script in case I make any changes to it.

[1]
jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
[2]
https://github.com/XiphosResearch/exploits/blob/master/ElasticSearch/elastic_shell.py
[3]
carnal0wnage.attackresearch.com/2015/03/elasticsearch-cve-2015-1427-rce-exploit.html
[4]
https://github.com/h4ck3rk3y/nmap/blob/master/test_scripts/http-vuln-cve2015-1427.nse

Gyanendra


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
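A standalone Lua sketch of review points 1, 3, 5 and 6 above, added here as an illustration and not the script under review or any Nmap code. The sample response tables are constructed, and the NSE calls for points 2 and 4 appear only as comments so the file runs under plain `lua`:

```lua
-- Constructed example illustrating the review points; not the script under review.

-- 1. Lua treats escapes identically in single- and double-quoted strings,
--    so a backslash that must survive into the JSON body has to be doubled.
local broken = '"java.lang.Math.class.forName(\"java.lang.System\")"'
local fixed  = '"java.lang.Math.class.forName(\\"java.lang.System\\")"'
assert(not broken:find("\\", 1, true))  -- Lua consumed the backslashes
assert(fixed:find('\\"', 1, true))      -- JSON-level \" survives

-- 3. Escape an arbitrary script-arg before embedding it in a JSON string,
--    using only string.gsub (json.generate would also do this for you).
local named = { ['"'] = '\\"', ['\\'] = '\\\\', ['\n'] = '\\n',
                ['\r'] = '\\r', ['\t'] = '\\t' }
local function json_escape(s)
  return (s:gsub('[%c"\\]', function(c)
    return named[c] or string.format('\\u%04x', c:byte())
  end))
end
assert(json_escape('a"b\\c\n') == 'a\\"b\\\\c\\n')

-- 5. Defensive extraction: never index parsed.hits.hits when parsed.hits
--    is nil, which is what a non-ElasticSearch HTTP service returns.
local function first_hit(parsed)
  if type(parsed) ~= "table" or type(parsed.hits) ~= "table" then
    return nil
  end
  local hits = parsed.hits.hits
  if type(hits) ~= "table" or #hits == 0 then return nil end
  return hits[1]
end

-- 6. Return nil (no output) rather than false, which NSE prints as "false".
local function script_result(parsed)
  local hit = first_hit(parsed)
  if not hit then return nil end
  return "Target answered the search with a scripted field"
end

-- Constructed responses: a search reply with one hit, and a generic error body.
local es_like  = { hits = { total = 1, hits = { { _index = "x", fields = {} } } } }
local not_es   = { error = "not found" }
assert(script_result(es_like) ~= nil)
assert(script_result(not_es) == nil)

-- 2./4. In the real NSE action, pass the scanned `port` through instead of a
--       hard-coded 9200, check the HTTP status, and put the CVE in IDS:
--   local resp = http.post(host, port, path, nil, nil, body)
--   if not resp or resp.status ~= 200 then return nil end
--   local report = vulns.Report:new(SCRIPT_NAME, host, port)
--   local vuln = { title = "...", IDS = { CVE = "CVE-2015-1427" },
--                  state = vulns.STATE.NOT_VULN }
```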
