7.5
CVSSv2

CVE-2015-1427

Published: 17/02/2015 Updated: 09/10/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 777
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The Groovy scripting engine in Elasticsearch prior to 1.3.8 and 1.4.x prior to 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

Affected Products

Vendor | Product | Versions
Elasticsearch | Elasticsearch | 1.3.7, 1.4.0, 1.4.1, 1.4.2

The ranges in the summary (prior to 1.3.8, and 1.4.x prior to 1.4.3) also cover 1.3.0 through 1.3.6, which the list above omits.

Exploits

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(upd ...

Mailing Lists

This Metasploit module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows Groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to ...
Remote unauthenticated code execution exploit for ElasticSearch ...

Nmap Scripts

http-vuln-cve2015-1427

This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).

nmap --script=http-vuln-cve2015-1427 --script-args command='ls' <targets>

| http-vuln-cve2015-1427:
|   VULNERABLE:
|   ElasticSearch CVE-2015-1427 RCE Exploit
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2015-1427
|       Risk factor: High  CVSS2: 7.5
|       The vulnerability allows an attacker to construct Groovy
|       scripts that escape the sandbox and execute shell commands as the user
|       running the Elasticsearch Java VM.
|     Exploit results:
|       ElasticSearch version: 1.3.7
|       Java version: 1.8.0_45
|     References:
|       http://carnal0wnage.attackresearch.com/2015/03/elasticsearch-cve-2015-1427-rce-exploit.html
|       https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
|       https://github.com/elastic/elasticsearch/issues/9655
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1427

Metasploit Modules

ElasticSearch Search Groovy Sandbox Bypass

This module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes. It can be used to execute arbitrary Java code. This module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.

msf > use exploit/multi/elasticsearch/search_groovy_script
msf exploit(search_groovy_script) > show targets
    ...targets...
msf exploit(search_groovy_script) > set TARGET <target-id>
msf exploit(search_groovy_script) > show options
    ...show and set options...
msf exploit(search_groovy_script) > exploit
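The nmap script and the Metasploit module above both rely on the same two facts: the REST API answers without authentication, and a Groovy script handed to the search function can call java.lang.Math.class.forName to reach classes the sandbox was meant to hide. The following is an added example written for this page (not the page's own code, nor Elastic's, the nmap script's or the Metasploit module's) that turns those facts into two checks a defender can run offline: a classifier for version strings against the ranges the vulnerability summary gives, and a scan over logged request bodies for the class.forName primitive. The banner JSON and log lines are constructed for the example; the log format, and the extra markers beyond class.forName( (direct java.lang.Runtime and ProcessBuilder references), are assumptions made here.

```python
"""Offline checks for CVE-2015-1427, written for this page as an added example.

Neither function talks to a live cluster; both work on text you already have:
the banner that GET / on port 9200 returns, and request bodies captured by a
proxy or access log. The escape markers beyond "class.forName(" are an
assumption of this example, not something the page states.
"""
import json
import re


def parse_version(number):
    """Turn "1.4.2" or "1.4.0.Beta1" into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in number.split("-")[0].split("."):
        if not piece.isdigit():
            break                      # stop at qualifiers such as "Beta1"
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(number):
    """Advisory ranges from the summary above: before 1.3.8, and 1.4.x before 1.4.3."""
    v = parse_version(number)
    return v < (1, 3, 8) or (1, 4, 0) <= v < (1, 4, 3)


def banner_is_affected(banner_json):
    """Apply is_affected_version() to the JSON that GET / returns (no auth needed in 1.x)."""
    return is_affected_version(json.loads(banner_json)["version"]["number"])


# "class.forName(" is the primitive the module description names. Direct
# references to Runtime/ProcessBuilder are added here as an assumption: they are
# what a script that has already escaped the sandbox reaches for.
ESCAPE_MARKERS = ("class.forName(", "java.lang.Runtime", "ProcessBuilder")


def _script_strings(node):
    """Yield every inline script string in a parsed request body, however deeply nested."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in ("script", "inline") and isinstance(val, str):
                yield val
            else:
                yield from _script_strings(val)
    elif isinstance(node, list):
        for item in node:
            yield from _script_strings(item)


def flag_groovy_sandbox_escape(body):
    """Return the script strings in one JSON request body that carry an escape marker."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []                      # not JSON: nothing for the script engine to run
    return [s for s in _script_strings(doc) if any(m in s for m in ESCAPE_MARKERS)]


# Access-log shape assumed for this example: "<src> <METHOD> <path> <json body>".
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\{.*\})$")


def scan_log(lines):
    """Return (source IP, path, script) for every logged request that looks like an escape."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for script in flag_groovy_sandbox_escape(m.group("body")):
            findings.append((m.group("src"), m.group("path"), script))
    return findings


# Constructed sample traffic (not real captures): two benign searches and one
# request of the shape the page describes, java.lang.Math.class.forName used to
# reach java.lang.Runtime from inside a Groovy script_fields entry.
SAMPLE_LOG = [
    '10.0.0.5 POST /_search {"query":{"match_all":{}}}',
    '10.0.0.6 POST /logs/_search {"script_fields":{"twice":{"lang":"groovy","script":"doc[\'bytes\'].value * 2"}}}',
    '203.0.113.7 POST /_search?pretty {"size":1,"script_fields":{"lupin":{"lang":"groovy",'
    '"script":"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"id\\").getText()"}}}',
]

# Constructed banner, the document GET http://host:9200/ returns.
SAMPLE_BANNER = '{"status":200,"name":"node-1","version":{"number":"1.4.2","lucene_version":"4.10.2"}}'


if __name__ == "__main__":
    print("banner version affected:", banner_is_affected(SAMPLE_BANNER))
    for src, path, script in scan_log(SAMPLE_LOG):
        print(f"sandbox-escape shape from {src} to {path}: {script}")
```

The version check is triage, not proof: a 1.4.2 banner only says the bypassable Groovy engine is present, while a script-bearing request in the log is the event worth alerting on, since the API accepted it without any credential. Elastic's fix in 1.3.8 and 1.4.3 turned the Groovy sandbox off by default, and setting script.groovy.sandbox.enabled: false in elasticsearch.yml was the documented stopgap for nodes that could not be upgraded.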

Github Repositories

CVE-2015-1427. This is part of Cved: a tool to manage vulnerable docker containers. Cved: gitlab.com/git-rep/cved. Image source: github.com/cved-sources/cve-2015-1427. Image author: github.com/t0kx/exploit-CVE-2015-1427

Elasticsearch 1.4.0 < 1.4.2 Remote Code Execution. Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected. Vulnerable environment: To set up a vulnerable environment for your test you will ...

Remote Code Execution in a vulnerable Elasticsearch container. PoC relying on CVE-2015-1427 exploitation: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1427. Pre-requisites: docker, docker-compose. Launch containers: docker-compose up -d. Enter the attacker container and play a little with the Elastic RCE with: docker exec -it elhackstic_badguy_1 bash. Check if Elastic is responding ...

Security-Research-Tutorials. Personal collection of tutorial resources that can be helpful in my quest to security research and web application hacking. Credit to Bugcrowd, most resources were from their blog posts. Please let me know if you have any suggestions for resources that I should add to this list. ##Web applications: XSS Tutorial on cross-site scripting A comprehens...

Infection Monkey Data center Security Testing Tool Welcome to the Infection Monkey! The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server The Infection

Shell BotKiller We'll post findings from an infected confluence-systems we investigated recently, to show how it looks/feel like The most systems we took a look at were infected with mining-bots like kerberods With the rise of inexpensive Virtual Servers and popular services that install insecurely by default, coupled with some juicy vulnerabilities (read: RCE - Remote C

BLACKBOx Penetration Testing Framework PASSWORD ATTACKs: MD5, SHA1, SHA224, SHA256, SHA384, SHA512, MSSQL2000, MSSQL2005, MYSQL323, MYSQL41, ORACLE11 CRACKER BRUTEFORCING : Wordpress Bruteforce – Bruteforce wordpress panel FTP Bruteforce – Bruteforcing FTP LOGIN SSH Bruteforce – Bruteforcing SSH LOGIN Admin Page Finder – Find Admin P

hello-world. webdir.py -> you can upload code files to scanner.baidu.com and detect webshells. Upload code files to scanner.baidu.com [usage:] python webdir.py webdir.tar.gz|webdir.zip. es_scan.py -> ES scanner: detect ES app. usage: es_scan.py [-h] -f IP-with-9200 [-M] [-G] [-T] [--version] optional arguments: -h, --help show this help message and exi...

Exploits Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes Current Exploits (index may be out of date) phpMoAdmin Remote Code Execution (CVE-2015-2208) LotusCMS Remote Code Execution (OSVDB-75095) ElasticSearch Remote Code Execution (CVE-2015-1427) ShellShock (httpd) Remote Code Execution (CVE-2014-6271) IISlap - httpsys Denial of Se

Project overview: information gathering, attack attempts to obtain access, persistent control, privilege escalation, internal network information gathering, lateral movement, data analysis (and, building on that, further persistent control), and covering tracks. Address | Introduction | Name | Description | Security-related resource list: arxiv.org, Cornell University open-access documents; github.com/sindresorhus/awesome ...

Project overview: information gathering, attack attempts to obtain access, persistent control, privilege escalation, internal network information gathering, lateral movement, data analysis (and, building on that, further persistent control), and covering tracks. Security-related resource list: arxiv.org, Cornell University open-access documents; github.com/sindresorhus/awesome, the awesome series; www.owasp.org.cn/owasp-pr ...

Recent Articles

Running Elasticsearch 1.4.2 or earlier? There's targeted malware going for your boxen
The Register • Gareth Corfield • 27 Feb 2019

Yes, it's years out of date, but there's no such thing as security through obscurity

Cisco's security limb has spotted nefarious people targeting Elasticsearch clusters using relatively ancient vulns to plant malware, cryptocurrency miners and worse – though it does root out some other cybercrims’ dodgy wares, cuckoo-style.
"These attackers are targeting clusters using versions 1.4.2 and lower," said the networking giant's infosec arm, Talos, in a post summarising what its honeypot setup had caught for examination.
The seemingly China-based attackers used two kno...

NFL Players, Agents Targeted in Database Extortion Attempt
Threatpost • Tom Spring • 09 Oct 2017

A misconfigured database containing records belonging to 1,133 National Football League players and their agents was exposed via an unsecured Elasticsearch server. The database belongs to the NFL Players Association and includes the home address, phone numbers and IP addresses for hundreds of current and former players.
Kromtech Security Center, which made the discovery on Sept. 26, said the database had been breached by an adversary who left behind a “pleasereadthis” file that demande...

Elasticsearch Honeypot Snares 8,000 Attacks Against RCE Vulnerability
Threatpost • Michael Mimoso • 11 May 2015

Hackers have taken an interest in Elasticsearch, a popular enterprise search engine.
A researcher based in Texas, whose own Elasticsearch server was hacked, today published results collated from a honeypot he built to get a sense of how widespread attacks are against the vulnerability that did in his server.
Jordan Wright said he saw close to 8,000 attempts against his Elastichoney honeypot, most of those (93 percent) coming from Chinese IP address; about 300 unique IPs tried to atta...

Attackers targeting Elasticsearch remote code execution hole
The Register • Darren Pauli • 10 Mar 2015

Devs ring patch alarm bells, drop shell code

Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API.
The flaw (CVE-2015-1427) within the world's number two enterprise search engine was patched last month.
It relates, the folks at Mitre say, to the Groovy scripting engine in Elasticsearch before versions 1.3.8 and 1.4.3 in which sandbox protections could be bypassed, allowing the execution of arbitrary shell commands with a crafted sc...