Elasticsearch 任意文件读取漏洞(CVE-2015-3337)

发表评论
835 次浏览

A+

@盛大网络

elasticsearch又出新版本了，这次修复了一个任意文件读取漏洞（写的是目录遍历）。

官方的release notes

在这里看描述:https://github.com/elastic/elasticsearch/pull/10815

在这里看漏洞详情：https://github.com/spinscale/elasticsearch/commit/5d8e9e24c917b5f2c0958ba68be34a42efaeadbc

原来代码是：if (!Files.exists(file) || Files.isHidden(file)) {修改后加了验证if (!Files.exists(file) || Files.isHidden(file) || !file.toAbsolutePath().normalize().startsWith(siteFile.toAbsolutePath())) {

/**


+     * Test normalizing of path
+     */
+    @Test
+    public void testThatPathsAreNormalized() throws Exception {
+        // more info: https://www.owasp.org/index.php/Path_Traversal
+        List<String> notFoundUris = new ArrayList<>();
+        notFoundUris.add("/_plugin/dummy/../../../../../log4j.properties");
+        notFoundUris.add("/_plugin/dummy/../../../../../%00log4j.properties");
+        notFoundUris.add("/_plugin/dummy/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%aflog4j.properties");
+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html");
+        notFoundUris.add("/_plugin/dummy/%2e%2e/%2e%2e/%2e%2e/%2e%2e/index.html");
+        notFoundUris.add("/_plugin/dummy/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2findex.html");
+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html");
+        notFoundUris.add("/_plugin/dummy/..\\..\\..\\..\\..\\log4j.properties");
+
+        for (String uri : notFoundUris) {
+            HttpResponse response = httpClient().path(uri).execute();
+            String message = String.format(Locale.ROOT, "URI [%s] expected to be not found", uri);
+            assertThat(message, response.getStatusCode(), equalTo(RestStatus.NOT_FOUND.getStatus()));
+        }
+
+        // using relative path inside of the plugin should work
+        HttpResponse response = httpClient().path("/_plugin/dummy/dir1/../dir1/../index.html").execute();
+        assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+        assertThat(response.getBody(), containsString("<title>Dummy Site Plugin</title>"));

+ }

最后会这样被调用：

try {


            byte[] data = Files.readAllBytes(file);
            channel.sendResponse(new BytesRestResponse(OK, guessMimeType(sitePath), data));
        } catch (IOException e) {
            channel.sendResponse(new BytesRestResponse(INTERNAL_SERVER_ERROR));

}

JDK7的Files把一个文件的内容读取后返回给客户端.

这里详情在：https://github.com/spinscale/elasticsearch/blob/5d8e9e24c917b5f2c0958ba68be34a42efaeadbc/src/main/java/org/elasticsearch/http/HttpServer.java

利用代码：curl http:// @wolf /_plugin/head/xxxxxx,注意curl版本.@wolf

1#

luwikes (土豆你个西红柿，番茄你个马铃薯～～～) | 2015-04-28 17:55

+1024
2#

天噬小然 | 2015-04-28 17:59

难道我是第一个吗.?
3#

寂寞的瘦子 (傻逼了。。) | 2015-04-28 18:00

园长小花喵
4#

YY-2012 (#)<alert(“dandan”)>(#) | 2015-04-28 18:01

吓屎
5#

齐迹 (sec.zbj.com 欢迎来撸) | 2015-04-28 18:36

哦哦哦。。。又要升级鸟！
6#

winsyk (W) | 2015-04-28 18:41

你确定这个是elasticsearch的漏洞，而不是插件的漏洞？
7#
感谢(2)

园长 (喵~) | 2015-04-28 18:45

@winsyk 确定，因为插件模块是es自身实现的，描述里面有：The vulnerability is exposed when a “site plugin” is installed. Elastic’s Marvel
plugin and many community-sponsored plugins (e.g. Kopf, BigDesk, Head) are site plugins.
8#

TellYouThat | 2015-04-28 19:39

mark
9#

飘过的红花 | 2015-04-28 20:43

又是一轮的腥风血雨啊
10#

Sura、Rain | 2015-04-29 09:37

马赛克打得漂亮
11#
感谢(1)

园长 (喵~) | 2015-04-29 09:48

@Sura、Rain 故意的XXXXXX
12#

by灰客 | 2015-04-29 10:17

@园长 hi
13#

爱捣蛋的鬼 | 2015-04-29 13:54

好奇,es一般不都是放内网里面给应用提供查询服务的吗
14#

_Evil (科普是一种公益行为) | 2015-04-29 16:48

@wolf 啊?
15#
感谢(1)

园长 (喵~) | 2015-04-29 17:08

@_Evil 数据狗，看招… biu~biu~
16#

’‘Nome (<?:”{}!%^#&*?>) | 2015-04-29 17:20

@园长园长升猴子不
17#

Fire ant | 2015-04-30 17:36

@爱捣蛋的鬼 es外网一大堆
18#

wolf (http://www.xiyv.net) | 2015-04-30 20:24

@_Evil 啊啥
19#

_Evil (科普是一种公益行为) | 2015-05-04 11:33

@园长真调皮不过我喜欢
20#

我是壮丁 | 2015-05-22 10:29

https://www.exploit-db.com/exploits/37054/
21#

大亮 (研究研究) | 2015-05-25 09:19

mark一下

发表评论取消回复

登录 找回密码

登录找回密码