Exploiting ElasticSearch RCE For CVE-2015-1427

I told you so: it is a work for Metabrik. While the main target for Metabrik is not to write exploits (you have Metasploit for that), you can still write Briks within the Audit Category. Based on the exploit provided XiphosResearch, we wrote a Command to verify if an ElasticSearch target is vulnerable, and another Command to exploit the issue to execute commands on the target.

Loading the Brik

As always, if a Brik is not loaded yet, you have to do it. Then, the first thing to do is to ask for help, or how to use the Brik, which Attributes can be set and which Commands can be run.

screenshot

Using a check or an exploit Command

To test a target, you can either use the check_cve_2015_1427_rce  Command or use the exploit_cve_2015_1427_rce Command with an innocuous command. We recommand to use the check one, which is actually made to be innocuous.

To use the check or exploit one, you just have to use the run Metabrik Command with the name of a Command, and add Arguments to it. Some Arguments can be set globally for the Brik: here you may use the set Metabrik Command to set uri Attribute.

Note: And don’t forget to use the <Tab> key to perform completion on every Command, and use the <Up> key to recall previous ones.

Example:

screenshot

Our target is vulnerable. Too bad, but it is an exploit lab, it exists for that.

Exploiting the issue to execute commands

But well, if you are here, it is probably because you want to exploit a Remote Command Execution within ElasticSearch. With Metabrik, it is as easy as:

screenshot

We even added some “post intrusion” work, like downloading a file.

A key feature of Metabrik

Yes, one of the key feature of Metabrik is to assemble Briks together to execute a complete scenario. We have shown how to use Briks, especially the one on exploiting a vulnerability within a product and, after this exploitation process, we have shown that we can use a special $RUN variable with another Brik.

Every:

  • run Command sets the global variable $RUN
  • set Command sets the global variable $SET
  • get Command sets the global variable $GET

Thanks to the $RUN variable, you can chain the use of Briks. In fact, Briks within Metabrik may also be written with other Briks. For instance, audit::elasticsearch Brik relies on:

Here, we have chained a few Briks, and one of them allowed to save a remote file to a local file (file::text). You have more global variables, but that’s enough for today. Follow us on twitter @Metabrik.