
Principle analysis and verification of the Apache Solr unauthorized upload RCE vulnerability CVE-2020-13957

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article covers the principle of the Apache Solr unauthorized upload RCE vulnerability CVE-2020-13957 and how it was verified. The content is detailed; interested readers can use it as a reference.

Vulnerability overview

Apache Solr issued an announcement that the ConfigSet API in older versions is exposed to an unauthorized upload vulnerability, which could lead to RCE (remote code execution).

Affected versions:

Apache Solr 6.6.0 - 6.6.5

Apache Solr 7.0.0 - 7.7.3

Apache Solr 8.0.0 - 8.6.2

Security experts recommend that users upgrade to a secure version as soon as possible to address the risk.

Vulnerability principle

Solr can run in SolrCloud mode (distributed cluster) or Standalone Server mode (single server). When running in SolrCloud mode, configsets can be managed through the Configset API, including creating and deleting them.

For an UPLOAD through the Configset API, if authentication is enabled (it is not enabled by default) and the request is authenticated, Solr marks the configset as "trusted". Otherwise the configset is not trusted, and an untrusted configset cannot be used to create a collection.

However, when an attacker uploads a configset through UPLOAD and then uses CREATE to create a new configset based on it, Solr does not perform a trust check on the new configset. As a result, a collection can be created from a new configset that never went through the trust check.

Vulnerability verification

I. Attack attempt on version 8.6.2

1. Run version 8.6.2 under a debugger; it listens on port 8983 by default.

2. Use the sample configuration to construct the configset to upload.

3. Breakpoints are triggered during the upload.

As you can see, the configset is correctly identified as untrusted (no authentication).

The trust value is false.

4. Use the uploaded configset as the base to create a new configset:

http://localhost:8983/solr/admin/configs?action=CREATE&name=evilconfigset4&baseConfigSet=2testConfigSet&configSetProp.immutable=false&wt=xml&omitHeader=true

No message is returned and no breakpoint is triggered.

5. The web console shows that evilconfigset4 has been created successfully.

6. Creating a collection from a directly uploaded configset (such as 2testconfigset) fails.

7. Creating a collection from evilconfigset4, which was created with 2testconfigset as its base, succeeds.

8. Afterwards, the contents of the created collection can be used to call Solr components for remote code execution (not analyzed here).
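To check existing logs for the request sequence in steps 2 to 7, the following added example (not from the original article or the Solr project) flags a configset created from an unauthenticated upload and any collection created on it. It assumes NCSA-style access-log lines whose third field is the authenticated user; the log lines, the function name and the names prodConf, prodConf2 and c1 are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in NCSA access-log layout. Assumption: the third field is
# the authenticated user, "-" when the request carried no credentials.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2020:10:00:01 +0000] "POST /solr/admin/configs?action=UPLOAD&name=2testConfigSet HTTP/1.1" 200 120
10.0.0.5 - - [01/Oct/2020:10:00:09 +0000] "GET /solr/admin/configs?action=CREATE&name=evilconfigset4&baseConfigSet=2testConfigSet&configSetProp.immutable=false&wt=xml&omitHeader=true HTTP/1.1" 200 0
10.0.0.7 - admin [01/Oct/2020:10:05:00 +0000] "POST /solr/admin/configs?action=UPLOAD&name=prodConf HTTP/1.1" 200 120
10.0.0.7 - admin [01/Oct/2020:10:05:30 +0000] "GET /solr/admin/configs?action=CREATE&name=prodConf2&baseConfigSet=prodConf HTTP/1.1" 200 0
10.0.0.9 - - [01/Oct/2020:10:06:00 +0000] "GET /solr/admin/collections?action=CREATE&name=c1&collection.configName=evilconfigset4&numShards=1 HTTP/1.1" 200 0
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def find_untrusted_configset_use(log_text):
    """Return alerts for configsets/collections derived from unauthenticated uploads."""
    untrusted = set()  # names uploaded without auth, or created from such a base
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m.group(4).startswith("2"):
            continue  # unparsable line, or a request that did not succeed
        client, user, target, _status = m.groups()
        url = urlsplit(target)
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        action, name = q.get("action", "").upper(), q.get("name")
        if not name:
            continue
        if url.path.endswith("/admin/configs"):
            base = q.get("baseConfigSet")
            if action == "UPLOAD" and user == "-":
                untrusted.add(name)
            elif action == "CREATE" and base in untrusted:
                untrusted.add(name)  # the copy inherits the missing trust
                alerts.append(("configset-from-untrusted-base", client, name, base))
        elif url.path.endswith("/admin/collections"):
            conf = q.get("collection.configName")
            if action == "CREATE" and conf in untrusted:
                alerts.append(("collection-on-untrusted-configset", client, name, conf))
    return alerts


if __name__ == "__main__":
    for alert in find_untrusted_configset_use(SAMPLE_LOG):
        print(alert)
```

On an affected version the second alert type is the one that matters, since it means a collection is running on configuration nobody authenticated.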

II. Analysis of the fix in version 8.6.3

1. Run version 8.6.3 under a debugger.

2. Make the same attack attempt as on version 8.6.2 and upload the configset.

3. The breakpoint is triggered.

The configset is correctly identified as untrusted.

4. Use the uploaded 2testconfigset as the base to create a new configset:

http://localhost:8983/solr/admin/configs?action=CREATE&name=evilconfigset4&baseConfigSet=2testConfigSet&configSetProp.immutable=false&wt=xml&omitHeader=true

5. The breakpoint is triggered.

The new configset is correctly identified as untrusted (note that in version 8.6.2, no check is triggered when a new configset is created with the uploaded configset as the base).

6. The configset can still be created successfully.

7. In the web console, create a new collection using the directly uploaded configset (2testconfigset) and the created one (evilconfigset4), respectively.

2testconfigset:

evilconfigset4:

Both fail to be created.

That concludes the principle analysis and verification of the Apache Solr unauthorized upload RCE vulnerability CVE-2020-13957. I hope the above content is of some help to you.
