2015-04-28 19:02:56

Elasticsearch arbitrary file read vulnerability (CVE-2015-3337)

@盛大网络

Elasticsearch has shipped a new release again, and this one fixes an arbitrary file read vulnerability (the release notes describe it as directory traversal).

The official release notes and description are here: https://github.com/elastic/elasticsearch/pull/10815

The vulnerability details are in this commit: https://github.com/spinscale/elasticsearch/commit/5d8e9e24c917b5f2c0958ba68be34a42efaeadbc

The original code was:

if (!Files.exists(file) || Files.isHidden(file)) {

After the fix, a check was added that the resolved path still lies inside the plugin's site directory:

if (!Files.exists(file) || Files.isHidden(file) || !file.toAbsolutePath().normalize().startsWith(siteFile.toAbsolutePath())) {

The commit also adds a test that walks through the classic traversal encodings:
/** 
+     * Test normalizing of path 
+     */ 
+    @Test 
+    public void testThatPathsAreNormalized() throws Exception { 
+        // more info: https://www.owasp.org/index.php/Path_Traversal 
+        List<String> notFoundUris = new ArrayList<>(); 
+        notFoundUris.add("/_plugin/dummy/../../../../../log4j.properties"); 
+        notFoundUris.add("/_plugin/dummy/../../../../../%00log4j.properties"); 
+        notFoundUris.add("/_plugin/dummy/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%aflog4j.properties"); 
+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html"); 
+        notFoundUris.add("/_plugin/dummy/%2e%2e/%2e%2e/%2e%2e/%2e%2e/index.html"); 
+        notFoundUris.add("/_plugin/dummy/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2findex.html"); 
+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html"); 
+        notFoundUris.add("/_plugin/dummy/..\\..\\..\\..\\..\\log4j.properties"); 
+ 
+        for (String uri : notFoundUris) { 
+            HttpResponse response = httpClient().path(uri).execute(); 
+            String message = String.format(Locale.ROOT, "URI [%s] expected to be not found", uri); 
+            assertThat(message, response.getStatusCode(), equalTo(RestStatus.NOT_FOUND.getStatus())); 
+        } 
+ 
+        // using relative path inside of the plugin should work 
+        HttpResponse response = httpClient().path("/_plugin/dummy/dir1/../dir1/../index.html").execute(); 
+        assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus())); 
+        assertThat(response.getBody(), containsString("<title>Dummy Site Plugin</title>")); 
+    }
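Review bot: the loop at `assertThat(message, response.getStatusCode(), equalTo(RestStatus.NOT_FOUND.getStatus()))` only asserts on 404, which is also what the untouched `!Files.exists(file)` branch returns when the traversal target simply is not there, so the test passes with or without the new `startsWith` guard unless the test setup creates a readable file outside `_site` at the path the `../../../../../log4j.properties` entries point to. Consider creating such a file in the fixture and asserting it cannot be fetched, and note that on a Unix filesystem the `..\\..\\..\\..\\..\\log4j.properties` entry is a single file name that stays under `_site` and is rejected only by the existence check, not by the normalization the test is named for.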

The resolved file is eventually served like this:

try {
    // file is the resolved site path; after the fix it has already passed the startsWith check
    byte[] data = Files.readAllBytes(file);
    channel.sendResponse(new BytesRestResponse(OK, guessMimeType(sitePath), data));
} catch (IOException e) {
    channel.sendResponse(new BytesRestResponse(INTERNAL_SERVER_ERROR));
}

JDK 7's Files API reads the whole file and returns its contents to the client, so before the fix any file the Elasticsearch process could read was exposed.
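To show what the added startsWith guard does in isolation, the following is an added example (not Elasticsearch code) that resolves a few site-relative request paths against a constructed plugin _site directory the way HttpServer does and applies the fixed check; the directory, the helper names and the request strings are assumptions, and the Files.exists / Files.isHidden checks are left out so nothing needs to exist on disk.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

// Added example, not Elasticsearch code: models the CVE-2015-3337 check in isolation.
public final class SitePathCheck {

    // Pre-fix: the requested site path is appended to the plugin's _site directory
    // and, if it exists, served. Nothing stops ".." from climbing out of that directory.
    static Path resolveUnchecked(Path siteDir, String sitePath) {
        return siteDir.resolve(sitePath);
    }

    // Post-fix: the resolved path must still start with the _site directory once
    // both are absolute and normalized ("." and ".." collapsed). Path.startsWith
    // compares whole name elements rather than text, so a sibling directory such as
    // "_site-evil" is not mistaken for a child of "_site". normalize() does not
    // resolve symlinks; a link inside _site pointing elsewhere still passes this check.
    static boolean isInsideSiteDir(Path siteDir, String sitePath) {
        Path base = siteDir.toAbsolutePath().normalize();
        Path file = base.resolve(sitePath).toAbsolutePath().normalize();
        return file.startsWith(base);
    }

    public static void main(String[] args) {
        Path siteDir = Paths.get("/opt/elasticsearch/plugins/head/_site"); // constructed sample
        for (String req : Arrays.asList(
                "index.html",
                "dir1/../dir1/../index.html",        // stays inside _site, should be allowed
                "../../../../../log4j.properties")) { // climbs out of _site, should be rejected
            System.out.printf("%-36s -> %s (%s)%n", req,
                    resolveUnchecked(siteDir, req).normalize(),
                    isInsideSiteDir(siteDir, req) ? "allowed" : "rejected");
        }
        // Element-wise versus text prefix: only the Path comparison treats the
        // sibling directory as outside the site directory.
        Path sibling = Paths.get("/opt/elasticsearch/plugins/head/_site-evil/index.html");
        System.out.println("Path.startsWith:   " + sibling.startsWith(siteDir));
        System.out.println("String.startsWith: " + sibling.toString().startsWith(siteDir.toString()));
    }
}
```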

The full handler is here: https://github.com/spinscale/elasticsearch/blob/5d8e9e24c917b5f2c0958ba68be34a42efaeadbc/src/main/java/org/elasticsearch/http/HttpServer.java

PoC: curl http:// @wolf /_plugin/head/xxxxxx, and mind your curl version. @wolf
