Elastic’s data aggregation product, Elasticsearch (versions 1.3.0-1.3.7 and 1.4.0-1.4.2), is vulnerable to remote code execution through a Groovy script. Elasticsearch is used by major companies such as FICO, eBay, and WordPress to keep track of data. The script allows the attacker to escape the Elasticsearch sandbox environment and execute shell commands. These shell commands could be used to retrieve data or inject additional malware.

I found a great example analysis of this vulnerability by MalwareMustDie, a white-hat security group. In their example, the attacker, once shell access is gained, uses the security auditing tool Lynis to run a scan on the compromised host to determine other possible attack surfaces. After the scan is run, the results of the report are sent to a remote host for further actions.

Initial actions by the attacker are for reconnaissance purposes. A script is run that recursively enumerates the filesystem and stores a list of all possible directories in a tar file in a temp folder. This initial script also determines the privileges of the current user and notes whether they are root. The script also stores all possible executable commands in a “cmdlst” variable for later use.

Once information is collected about the commands, current user, and filesystem, the Linux security audit tool Lynis is downloaded and run. The results of the report are saved in the same temp folder created during the initial information gathering stage. Once the packaged tar file, including the report and other information, is sent to a remote host, the script deletes all traces of files and directories created during the attack.

The blog then analyzes ELF malware dubbed “Linux/DES.Downloader” that is downloaded as a result of running the script. This script proceeds to download a GIF image that includes 5k of additional data after the file signature terminator within the file. Further analysis determined that the questionable data is in fact a shell script backdoor, encrypted with XOR.
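
Data appended after a GIF's terminator can be found during triage by walking the file's block structure to the trailer byte (0x3B) and reporting whatever follows. The Python below is an added example, not code from the MalwareMustDie analysis; the function names and the sample bytes are constructed for illustration.

```python
import struct

def _color_table_len(packed: int) -> int:
    """Byte length of a color table: 3 * 2^(N+1) if the table flag (0x80) is set."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def gif_trailing_data(data: bytes) -> bytes:
    """Walk the GIF block structure and return any bytes after the trailer (0x3B)."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    pos = 13 + _color_table_len(data[10])  # header + logical screen descriptor
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                   # trailer: the image ends here
            return data[pos + 1:]
        if block == 0x21:                   # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                 # image descriptor (10 bytes incl. separator)
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            pos += 10 + _color_table_len(data[pos + 9])
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")
    raise ValueError("no GIF trailer found")

# Constructed 1x1 GIF. The comment extension holds a 0x3B byte, so a naive
# search for the first ';' would stop too early; walking the blocks does not.
SAMPLE_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"                    # 2-entry global color table
    + b"\x21\xfe" + b"\x03a;b" + b"\x00"             # comment extension
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # image descriptor
    + b"\x02" + b"\x02\x44\x01" + b"\x00"            # LZW data
    + b"\x3b"                                        # trailer
)

if __name__ == "__main__":
    extra = gif_trailing_data(SAMPLE_GIF + b"CONSTRUCTED-APPENDED-BYTES")
    print(f"{len(extra)} bytes after GIF trailer: {extra!r}")
```

A non-empty result on an image fetched by a server process is worth flagging for further inspection, since image viewers ignore anything past the trailer.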
