CVSSv2: 7.5

CVE-2015-1427

Published: 17/02/2015 Updated: 09/10/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 795
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The Groovy scripting engine in Elasticsearch prior to 1.3.8 and 1.4.x prior to 1.4.3 allows remote malicious users to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

Vulnerability Trend

Vulnerable Products

elasticsearch elasticsearch 1.4.0

elasticsearch elasticsearch 1.4.1

elasticsearch elasticsearch 1.4.2

elasticsearch elasticsearch

Exploits

Remote unauthenticated code execution exploit for ElasticSearch ...
##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(upd ...

#!/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd
# Version: 201503091
# Licence: WTFPL - wtfpl.net
import json
import requests
import sys
import readline
readline.parse_and_bind('tab: complete')
readline.parse_and_bind('set editing-mode vi')
__version__ = "201503091"
def banner():
    print """\x1b[1;32m ▓███ ...

Nmap Scripts

http-vuln-cve2015-1427

This script attempts to detect a vulnerability, CVE-2015-1427, which allows attackers to leverage features of this API to gain unauthenticated remote code execution (RCE).

nmap --script=http-vuln-cve2015-1427 --script-args command='ls' <targets>

| http-vuln-cve2015-1427:
|   VULNERABLE:
|   ElasticSearch CVE-2015-1427 RCE Exploit
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2015-1427
|     Risk factor: High  CVSS2: 7.5
|       The vulnerability allows an attacker to construct Groovy
|       scripts that escape the sandbox and execute shell commands as the user
|       running the Elasticsearch Java VM.
|     Exploit results:
|       ElasticSearch version: 1.3.7
|       Java version: 1.8.0_45
|     References:
|       http://carnal0wnage.attackresearch.com/2015/03/elasticsearch-cve-2015-1427-rce-exploit.html
|       https://jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/
|       https://github.com/elastic/elasticsearch/issues/9655
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1427

Github Repositories

CVE-2015-1427 Arguments: -u a single URL; -l a file of URLs; -c the command to run

We'll post findings from infected Confluence systems we investigated recently, to show what it looks and feels like. Most of the systems we took a look at were infected with mining bots like kerberods.

Shell BotKiller. We'll post findings from infected Confluence systems we investigated recently, to show what it looks and feels like. Most of the systems we took a look at were infected with mining bots like kerberods. With the rise of inexpensive Virtual Servers and popular services that install insecurely by default, coupled with some juicy vulnerabilities (read: RCE - Remote C

Infection Monkey Data Center Security Testing Tool. Welcome to the Infection Monkey! The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server. The Infecti

BLACKBOx Penetration Testing Framework PASSWORD ATTACKs: MD5, SHA1, SHA224, SHA256, SHA384, SHA512, MSSQL2000, MSSQL2005, MYSQL323, MYSQL41, ORACLE11 CRACKER BRUTEFORCING : Wordpress Bruteforce – Bruteforce wordpress panel FTP Bruteforce – Bruteforcing FTP LOGIN SSH Bruteforce – Bruteforcing SSH LOGIN Admin Page Finder – Find Admin P

Personal collection of tutorial resources

Security-Research-Tutorials. Personal collection of tutorial resources that can be helpful in my quest to security research and web application hacking. Credit to Bugcrowd, most resources were from their blog posts. Please let me know if you have any suggestions for resources that I should add to this list. Web applications: XSS Tutorial on cross-site scripting A comprehens

hello-world webdir.py -> you can upload code files to scanner.baidu.com and detect webshells. Upload code files to scanner.baidu.com [usage:] python webdir.py webdir.tar.gz|webdir.zip. es_scan.py -> ES scanner: detect ES app. usage: es_scan.py [-h] -f IP-with-9200 [-M] [-G] [-T] [--version] optional arguments: -h,

Remote Code Execution in a vulnerable Elasticsearch container

Remote Code Execution in a vulnerable Elasticsearch container. PoC relies on CVE-2015-1427 exploitation: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1427. Pre-requisites: docker, docker-compose. Launch containers: docker-compose up -d. Enter the attacker container and play a little with Elastic RCE with docker exec -it elhackstic_badguy_1 bash. Check if elastic is responding

Elasticsearch 1.4.0 < 1.4.2 Remote Code Execution exploit and vulnerable container

Elasticsearch 1.4.0 < 1.4.2 Remote Code Execution. Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected. Vulnerable environment: To set up a vulnerable environment for your test you will

ElasticSearch Groovy sandbox bypass && code execution vulnerability (CVE-2015-1427) test environment. JRE version: openjdk:8-jre. Elasticsearch version: v1.4.2. Principle. Reference articles: cb.drops.wiki/drops/papers-5107.html, jordan-wright.com/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427/, github.com/XiphosResearch/exploits, cb.drops.wiki/dr

cve-2015-1427

CVE-2015-1427. This is part of Cved: a tool to manage vulnerable docker containers. Cved: github.com/git-rep-src/cved. Image source: github.com/cved-sources/cve-2015-1427. Image author: github.com/t0kx/exploit-CVE-2015-1427

Recent Articles

Running Elasticsearch 1.4.2 or earlier? There's targeted malware going for your boxen
The Register • Gareth Corfield • 27 Feb 2019

Yes it's years out of date but there's no such thing as security through obscurity

Cisco's security limb has spotted nefarious people targeting Elasticsearch clusters using relatively ancient vulns to plant malware, cryptocurrency miners and worse – though it does root out some other cybercrims’ dodgy wares, cuckoo-style. "These attackers are targeting clusters using versions 1.4.2 and lower," said the networking giant's infosec arm, Talos, in a post summarising what its honeypot setup had caught for examination. The seemingly China-based attackers used two known vulnerabi...

Attackers targeting Elasticsearch remote code execution hole
The Register • Darren Pauli • 10 Mar 2015

Devs ring patch alarm bells, drop shell code

Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API. The flaw (CVE-2015-1427) within the world's number two enterprise search engine was patched last month. It relates, as folks at Mitre say, to the Groovy scripting engine in Elasticsearch before versions 1.3.8 and 1.4.3, in which sandbox protections could be bypassed, allowing the execution of arbitrary shell commands with a crafted script. The fi...