Elasticsearch 任意文件读取漏洞(CVE-2015-3337)

  • A+
所属分类:WooYun-Zone

@盛大网络

elasticsearch又出新版本了,这次修复了一个任意文件读取漏洞(写的是目录遍历)。

Elasticsearch 任意文件读取漏洞(CVE-2015-3337)

官方的release notes

在这里看描述:https://github.com/elastic/elasticsearch/pull/10815

在这里看漏洞详情:https://github.com/spinscale/elasticsearch/commit/5d8e9e24c917b5f2c0958ba68be34a42efaeadbc

原来代码是:if (!Files.exists(file) || Files.isHidden(file)) {修改后加了验证if (!Files.exists(file) || Files.isHidden(file) || !file.toAbsolutePath().normalize().startsWith(siteFile.toAbsolutePath())) {

/**

+     * Test normalizing of path

+     */

+    @Test

+    public void testThatPathsAreNormalized() throws Exception {

+        // more info: https://www.owasp.org/index.php/Path_Traversal

+        List<String> notFoundUris = new ArrayList<>();

+        notFoundUris.add("/_plugin/dummy/../../../../../log4j.properties");

+        notFoundUris.add("/_plugin/dummy/../../../../../%00log4j.properties");

+        notFoundUris.add("/_plugin/dummy/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%aflog4j.properties");

+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html");

+        notFoundUris.add("/_plugin/dummy/%2e%2e/%2e%2e/%2e%2e/%2e%2e/index.html");

+        notFoundUris.add("/_plugin/dummy/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2findex.html");

+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html");

+        notFoundUris.add("/_plugin/dummy/..\\..\\..\\..\\..\\log4j.properties");

+

+        for (String uri : notFoundUris) {

+            HttpResponse response = httpClient().path(uri).execute();

+            String message = String.format(Locale.ROOT, "URI [%s] expected to be not found", uri);

+            assertThat(message, response.getStatusCode(), equalTo(RestStatus.NOT_FOUND.getStatus()));

+        }

+

+        // using relative path inside of the plugin should work

+        HttpResponse response = httpClient().path("/_plugin/dummy/dir1/../dir1/../index.html").execute();

+        assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));

+        assertThat(response.getBody(), containsString("<title>Dummy Site Plugin</title>"));

+    }

最后会这样被调用:

try {

            byte[] data = Files.readAllBytes(file);

            channel.sendResponse(new BytesRestResponse(OK, guessMimeType(sitePath), data));

        } catch (IOException e) {

            channel.sendResponse(new BytesRestResponse(INTERNAL_SERVER_ERROR));

        }

JDK7的Files把一个文件的内容读取后返回给客户端.

这里详情在:https://github.com/spinscale/elasticsearch/blob/5d8e9e24c917b5f2c0958ba68be34a42efaeadbc/src/main/java/org/elasticsearch/http/HttpServer.java

利用代码:curl http:// @wolf /_plugin/head/xxxxxx,注意curl版本.@wolf

  1. 1#

    luwikes (土豆你个西红柿,番茄你个马铃薯~~~) | 2015-04-28 17:55

    +1024

  2. 2#

    天噬小然 | 2015-04-28 17:59

    难道我是第一个吗.?

  3. 3#

    寂寞的瘦子 (傻逼了。。) | 2015-04-28 18:00

    园长小花喵

  4. 4#

    YY-2012 (#)<alert(“dandan”)>(#) | 2015-04-28 18:01

    吓屎

  5. 5#

    齐迹 (sec.zbj.com 欢迎来撸) | 2015-04-28 18:36

    哦哦哦。。。又要升级鸟!

  6. 6#

    winsyk (W) | 2015-04-28 18:41

    你确定这个是elasticsearch的漏洞,而不是插件的漏洞?

  7. 7#
    感谢(2)

    园长 (喵~) | 2015-04-28 18:45

    @winsyk 确定,因为插件模块是es自身实现的,描述里面有:The vulnerability is exposed when a “site plugin” is installed.  Elastic’s Marvel
    plugin and many community-sponsored plugins (e.g. Kopf, BigDesk, Head) are site plugins.

  8. 8#

    TellYouThat | 2015-04-28 19:39

    mark

  9. 9#

    飘过的红花 | 2015-04-28 20:43

    又是一轮的腥风血雨啊

  10. 10#

    Sura、Rain | 2015-04-29 09:37

    马赛克打得漂亮

  11. 11#
    感谢(1)

    园长 (喵~) | 2015-04-29 09:48

    @Sura、Rain 故意的XXXXXX

  12. 12#

    by灰客 | 2015-04-29 10:17

    @园长 hi

  13. 13#

    爱捣蛋的鬼 | 2015-04-29 13:54

    好奇,es一般不都是放内网里面给应用提供查询服务的吗

  14. 14#

    _Evil (科普是一种公益行为) | 2015-04-29 16:48

    @wolf 啊?

  15. 15#
    感谢(1)

    园长 (喵~) | 2015-04-29 17:08

    @_Evil 数据狗,看招… biu~biu~

  16. 16#

    ’‘Nome (<?:”{}!%^#&*?>) | 2015-04-29 17:20

    @园长 园长升猴子不

  17. 17#

    Fire ant | 2015-04-30 17:36

    @爱捣蛋的鬼 es外网一大堆

  18. 18#

    wolf (http://www.xiyv.net) | 2015-04-30 20:24

    @_Evil 啊啥

  19. 19#

    _Evil (科普是一种公益行为) | 2015-05-04 11:33

    @园长 真调皮 不过我喜欢

  20. 20#

    我是壮丁 | 2015-05-22 10:29

    https://www.exploit-db.com/exploits/37054/

  21. 21#

    大亮 (研究研究) | 2015-05-25 09:19

    mark一下