Nmap Development mailing list archives
Re: [NSE] http-vuln-cve2015-1427 Remote Code Execution in Elastic Search
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 12 Mar 2015 08:50:33 -0500
Gyanendra,

This looks like a great start! I spotted a couple things that could be contributing to your difficulty in getting results:

1. String escaping. In the default payload, you have:
'"java.lang.Math.class.forName(\"java.lang.System\").getProperty(\"os.name\")"', but Lua interprets escapes the same for single-quoted strings as it does for double-quoted strings (this is different than e.g. Perl). So those backslashes need to be doubled.

2. You should use the `port` variable as an argument to http.post and vulns.Report:new. As it is, your script may run on http ports like 80, 8080, etc. but will always try to contact 9200/tcp.

3. You should be properly escaping the command passed in script-args. There may be an existing escape function in json.lua, but it should be possible with a basic string.gsub.

4. Instead of including the cve.mitre.org link in the references, include the CVE number in the IDS field. It will be turned into a proper reference, and some tools rely on parsing that field to report vulnerabilities.

5. Make sure the script doesn't throw an error when scanning a non-elasticsearch HTTP service. I would add a check for the http status code. The part that checks parsed.hits.hits will error if parsed.hits is nil.

6. If you don't want any output from the script (e.g. it is not ElasticSearch), then return nil, not false. Returning false will actually put the string "false" into the output.

Dan

On Thu, Mar 12, 2015 at 6:52 AM, Gyanendra Mishra <anomaly.the () gmail com> wrote:
Hi,

I tried writing a script inspired by [1] and [2]. ElasticSearch versions 1.3.0 to 1.3.8 and 1.4.0 to 1.4.3 have a remote code execution vulnerability as described in [1]. The script sends a simple post request containing the payload as mentioned in [3],[2]. If the hits table inside the hits table contains something then the script was successful and the target is vulnerable.

I tried running the curl command in [1] and [3] and the script by XiphosResearch in [2] on various versions of ElasticSearch (1.3.6,1.3.7,1.3.0,1.4.2) but I couldn't get the desired results. The attached NSE script gets results exactly as the above mentioned commands/script. So I couldn't run any successful tests.

I have also added a github link [4] to my script in case I make any changes to it.

[1] jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
[2] https://github.com/XiphosResearch/exploits/blob/master/ElasticSearch/elastic_shell.py
[3] carnal0wnage.attackresearch.com/2015/03/elasticsearch-cve-2015-1427-rce-exploit.html
[4] https://github.com/h4ck3rk3y/nmap/blob/master/test_scripts/http-vuln-cve2015-1427.nse

Gyanendra

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
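As an added illustration of review points 1, 3, 5 and 6 above (this is not code from the thread, from the NSE script under review, or from Nmap), the following is plain Lua 5.x that runs with a stand-alone `lua` interpreter. It does not use the NSE `http`, `json` or `vulns` libraries; the names `json_escape` and `classify` are my own, and the response tables at the end are constructed samples rather than real Elasticsearch output.

```lua
-- Added illustration, not code from this thread or from the NSE script under
-- review. Plain Lua 5.x (run with `lua`); the NSE libraries (http, json, vulns)
-- are deliberately not used, and the response tables at the bottom are
-- constructed samples, not real Elasticsearch output.

-- Point 1: Lua applies backslash escapes identically inside '...' and "...".
-- The \" sequences below therefore produce plain quotes in both literals.
local single = '"forName(\"java.lang.System\")"'
local double = "\"forName(\"java.lang.System\")\""
assert(single == double)
assert(single:find("\\", 1, true) == nil)      -- no backslash survived
-- To keep a literal backslash in the string value, double it.
local escaped = '"forName(\\"java.lang.System\\")"'
assert(escaped:find('\\"', 1, true) ~= nil)   -- backslash-quote is present

-- Point 3: escape an arbitrary string (e.g. a script-arg) for use inside a
-- JSON string literal with one string.gsub. Quote, backslash and control
-- characters are the characters JSON requires to be escaped; anything
-- without a short form becomes a \uXXXX sequence.
local json_named = {
  ['"'] = '\\"', ['\\'] = '\\\\', ['\b'] = '\\b', ['\f'] = '\\f',
  ['\n'] = '\\n', ['\r'] = '\\r', ['\t'] = '\\t',
}
local function json_escape(s)
  return (s:gsub('[%c"\\]', function(c)
    return json_named[c] or string.format('\\u%04x', c:byte())
  end))
end

-- Points 5 and 6: decide whether there is anything to report without ever
-- indexing a nil field, and signal "no output" with nil rather than false.
-- `status` is the HTTP status code and `parsed` the decoded JSON body (or nil
-- when decoding failed). Returns true when hits.hits holds documents,
-- otherwise nil plus a reason suitable for a debug message.
local function classify(status, parsed)
  if status ~= 200 then
    return nil, "HTTP status " .. tostring(status) .. ", not Elasticsearch"
  end
  if type(parsed) ~= "table" then
    return nil, "response body is not JSON"
  end
  local hits = parsed.hits                      -- nil on an unrelated JSON service
  if type(hits) ~= "table" or type(hits.hits) ~= "table" then
    return nil, "no hits table; probably not Elasticsearch"
  end
  if #hits.hits == 0 then
    return nil, "query returned no documents"
  end
  return true
end

-- Constructed sample responses standing in for decoded HTTP replies.
assert(classify(404, nil) == nil)                                   -- generic web server
assert(classify(200, "<html>") == nil)                              -- non-JSON body
assert(classify(200, { status = "ok" }) == nil)                     -- JSON, no hits table
assert(classify(200, { hits = { total = 0, hits = {} } }) == nil)   -- empty result set
assert(classify(200, { hits = { total = 1, hits = { { _id = "1" } } } }) == true)
assert(json_escape('a "b"\\c\n') == 'a \\"b\\"\\\\c\\n')
print("all checks passed")
```

Returning `nil` as the first value keeps the script silent in NSE while the second value can still be handed to a debug call; only a real result (here `true`) should lead to building a `vulns.Report`, which in the actual script would also receive the `port` table rather than a hard-coded 9200.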