Remote Code Execution via eval() in django-haystack Elasticsearch Deserialization
A critical remote code execution (RCE) vulnerability in the Elasticsearch backend of django-haystack allows attackers to execute arbitrary Python commands by manipulating `SearchField` aliases and indexed content, leading to full compromise of the Django application.
A critical remote code execution (RCE) vulnerability (CVSS 8.5 High) has been identified in the Elasticsearch backend of the django-haystack library. This flaw arises when a SearchField is configured with an index_fieldname alias that differs from the logical field name. During the processing of search results, the backend attempts to look up fields by their logical name, but the data is stored under the alias. This lookup failure causes the raw field value to be passed directly to _to_python() which subsequently calls eval() without proper type-safety checks. An attacker who can control content indexed into Elasticsearch, and then trigger a search that returns this malicious content, can inject arbitrary Python expressions such as __import__('os').system(...). This allows for the execution of arbitrary Python and shell commands within the Django application process, potentially leading to full compromise of the server. This vulnerability affects all Django applications utilizing the Elasticsearch backend with index_fieldname aliasing, regardless of the application's authentication mechanisms.
Attack Chain
- An attacker gains control over content that is subsequently indexed into Elasticsearch by the vulnerable Django application.
- The application's
SearchIndexcontains aSearchFielddeclared with anindex_fieldname(e.g.,"name_s") that differs from its logical attribute name (e.g.,"name"). - The attacker-controlled data, specifically a crafted Python expression, is stored in Elasticsearch under the
index_fieldnamealias. - A search operation is performed, retrieving the malicious document from Elasticsearch, including the attacker-controlled
_sourcedata. - During result processing by
ElasticsearchSearchBackend._process_results(), the backend attempts to map Elasticsearch fields to logical field names. - The lookup for the
index_fieldname(e.g.,"name_s") fails becauseindex.fieldsis keyed by logical names (e.g.,"name"). - Due to the failed lookup, the raw, attacker-controlled value from Elasticsearch is passed to
_to_python(value). - The
_to_python()function then unconditionally callseval(value), executing the attacker's injected Python expression with the privileges of the Django application.
Impact
This vulnerability results in Remote Code Execution (RCE), allowing an attacker to execute arbitrary Python and shell commands on the affected server. Successful exploitation grants the attacker the same privileges as the running Django application, leading to a complete compromise of the server's confidentiality, integrity, and availability. The impact extends to all Django applications that use the django-haystack Elasticsearch backend and declare SearchField instances with index_fieldname aliases, irrespective of their authentication configurations. The severity is high, as demonstrated by the CVSS 3.1 Base Score of 8.5.
Recommendation
- Patch the
django-haystacklibrary immediately to apply the provided fix that introducesindex.field_mapremapping and usesast.literal_evalinstead ofeval(). - Deploy the provided Sigma rule to your SIEM to detect the creation of the RCE marker file
/tmp/django_haystack_eval_rce_proof. - Enable process creation logging on Linux servers to ensure visibility into executed commands, which is required for the provided Sigma rule.
- Review all
SearchIndexconfigurations within your Django applications to identify and assess anySearchFielddeclarations usingindex_fieldnamealiases, especially those handling user-controlled input.
Detection coverage 1
Detect django-haystack RCE Marker File Creation
highDetects the creation of a specific marker file `/tmp/django_haystack_eval_rce_proof` with content 'PWNED_BY_EVAL_RCE' via `os.system()` command execution, indicating successful exploitation of the django-haystack Elasticsearch backend RCE vulnerability.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
file_path
1
string
| Type | Value |
|---|---|
| file_path | /tmp/django_haystack_eval_rce_proof |
| string | PWNED_BY_EVAL_RCE |