Tuesday, 10 March 2015

Protect from ElasticSearch RCE (CVE-2015-1427) & JetLeak with Naxsi

there has been some buzz about the latest elasticsearch RCE vuln recently,
but all exploits i've seen so far get blocked if you run the naxsi_core.rules
with high XSS/SQL scores, simply because the payloads contain many brackets,
quotes and backslashes.

there is also a generic signature in the doxi-rules that was designed to detect
this kind of attack against java-based applications:

MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348 ;

sig: http://spike.nginx-goodies.com/rules/view/42000348
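to show what that rule actually does, here is a small Python model of the MainRule above (an added illustration, not code from the post, from naxsi or from the doxi-rules): it parses the rule line, scans URL args and a JSON POST body the way the mz:BODY|ARGS zones suggest, and applies an assumed CheckRule threshold of $UWA >= 8, which the post does not state. the scoring is simplified (every matching value adds the rule's score) and the request bodies in the test are constructed.

```python
import json
import re
from urllib.parse import parse_qsl

# The doxi rule quoted in the post (id 42000348), joined onto one line.
RULE_LINE = ('MainRule "str:java.lang." "msg:Possible Java.Lang - Injection '
             '(URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348  ;')

# Assumed CheckRule threshold (Naxsi: CheckRule "$UWA >= 8" BLOCK;), not from the post.
BLOCK_THRESHOLD = {"UWA": 8}

def parse_mainrule(line):
    """Parse the quoted fields of a Naxsi MainRule line into a dict."""
    rule = {"id": int(re.search(r"id:(\d+)", line).group(1))}
    for field in re.findall(r'"([^"]*)"', line):
        key, _, val = field.partition(":")
        if key == "str":
            rule["match"] = val.lower()            # str: matches are case-insensitive
        elif key == "mz":
            rule["zones"] = set(val.split("|"))
        elif key == "s":                           # "s:$UWA:8" -> {"UWA": 8}
            rule["scores"] = {k.lstrip("$"): int(v)
                              for k, v in (p.split(":") for p in val.split(","))}
    return rule

def flatten(value):
    """Yield every scalar of a JSON document, so nested script fields are inspected."""
    if isinstance(value, (dict, list)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from flatten(v)
    else:
        yield str(value)

def score_request(rule, query_string, body):
    """Accumulate scores for one request (simplified: every matching value adds its score)."""
    zones = {"ARGS": [v for _, v in parse_qsl(query_string, keep_blank_values=True)]}
    try:
        zones["BODY"] = list(flatten(json.loads(body))) if body else []
    except ValueError:                             # not JSON: scan the raw body as one value
        zones["BODY"] = [body]
    scores = {}
    for zone in rule["zones"] & set(zones):
        for v in zones[zone]:
            if rule["match"] in v.lower():
                for name, pts in rule["scores"].items():
                    scores[name] = scores.get(name, 0) + pts
    return scores

def blocked(scores):
    return any(scores.get(k, 0) >= t for k, t in BLOCK_THRESHOLD.items())
```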

about the vuln:

the POC: https://github.com/XiphosResearch/exploits/tree/master/ElasticSearch

btw and IMHO: whoever runs elasticsearch NOT protected by firewalls and/or reverse proxies deserves to get 0wned, given the elasticsearch vuln track record including various RCEs in the last 2 years.


on JetLeak: whoever runs Jetty behind nginx is safe, since nginx itself
already rejects the malicious request, so no naxsi-sig is needed.
apache btw happily forwards the malicious request.

more info: https://8ack.de/news-der-woche/1425115452