Ivan Novikov - ElasticSearch is secure?

0c988f4618b436b14ce6ddcecd52d11d?s=47 DC7499
July 03, 2015

Ivan Novikov - ElasticSearch is secure?

DEFCON Moscow 9

0c988f4618b436b14ce6ddcecd52d11d?s=128

DC7499

July 03, 2015
Tweet

Transcript

  1. 2.

    What is ElasticSearch? “Elasticsearch is a distributed RESTful search engine

    built for the cloud.“ Official repo: https://github.com/elastic/elasticsearch Distributed Lucene instances broker • RESTful API • Native Java API Clients: https://www.elastic.co/guide/index.html
  2. 3.

    Previous works • NoSQL Injection for Elasticsearch Kindle Edition by

    Gary Drocella http://goo.gl/OnfMOz => ACL to 9200 and 9300 • NoSQL Injections: Moving Beyond 'or '1'='1'. Matt Bromiley Derbycon 2014 http://goo.gl/UBh42h => do not produce JSON by strings concatenation • Securing ElasticSearch http://goo.gl/Ik3023 => Use Nginx to provide BasicAuth and other advices
  3. 4.
  4. 5.

    Previous bugs: 5 CVE https://www.elastic.co/community/security • CVE-2015-4165 is not disclosed

    yet ;( “All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.” • CVE-2015-3337 path trav. https://goo.gl/YWwu3a • CVE-2015-1427 Groovy RCE https://goo.gl/Bi9SfC • CVE-2014-6439 CORS issue https://goo.gl/7kMxod • CVE-2014-3120 Java RCE https://goo.gl/iZL5L8
  5. 8.

    What is my point? • Want to hack it through

    web-applications • Because it’s really rare case when ES is present at network perimeter • To check wrappers for different platforms for input validation attacks • Yes, the same as with Memcached injections https://goo.gl/9qV620 [BHUS-14]
  6. 10.

    • RESTful tricks (while user data at URL ../ et

    al.) • JSON syntax breakers ( \ “ } { ] [ ) • Native Java API • Filename tricks (each index is a folder with the same name). I suggests that it is CVE-2015-4165 vector ;) Input validation kinds
  7. 11.

    • RESTful tricks (while user data at URL ../ et

    al.) • JSON syntax breakers ( \ “ } { ] [ ) • Native Java API <- Only about RESTful clients now • Filename tricks (each index is a folder with the same name). I suggests that it is CVE-2015-4165 vector ;) <- ES internals, not clients Input validation kinds
  8. 12.

    • All URI parts goes through PHP urlencode(). But dot

    (0x2e) IS NOT encoded by RFC • json_encode protects from injections into values $params = array(); $params['body'] = array('testField' => 'abc'); $params['index'] = '..'; $params['type'] = '_shutdown'; // Document will be indexed to my_index/my_type/<autogenerated_id> $ret = $client->index($params); elasticsearch original
  9. 13.

    • URI parts “as is” • json_encode protects from injections

    into values $results = $es ->setIndex("what/../do/you/want!/") ->setType("and/../here/also!") ->search('title:cool&key=value&script_fields');//CVE nervetattoo
  10. 14.

    But it’s a raw socket, baby! $results = $es ->setIndex("

    HTTP/1.1\r\n…”script”:”...”") // CVE ->setType("my_type") ->search('title:cool'); nervetattoo
  11. 15.

    • Use DSL methods • Index name and type are

    not for users • Do not concatenate strings to JSON • Always filter data before putting into wrappers Conclusions