Title: CVE-2019-12409 Vulnerability Reproduction

Apache Solr CVE-2019-12409 RCE Vulnerability Reproduction

This vulnerability stems from an insecure setting of the ENABLE_REMOTE_JMX_OPTS configuration option in the default configuration file solr.in.sh.

If you use the default solr.in.sh file from an affected version, JMX monitoring is enabled and exposed on RMI_PORT (default=18983), and no authentication is required. If the firewall allows inbound traffic to this port, anyone with network access to the Solr node can access JMX and upload malicious code that executes on the Solr server.

This vulnerability does not affect users of Windows systems; it only affects users of some versions on Linux.

Environment Setup

Write to the docker-compose.yml file:

```yaml
version: '2'
services:
  solr:
    image: vulhub/solr:8.1.1
    ports:
      - '8983:8983'
      - '18983:18983'
```

Start the vulnerable environment:

```shell
docker-compose up -d
docker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db
```


Check whether the vulnerable configuration is enabled in the Docker target environment:

```shell
# View the CONTAINER ID of the currently running container
docker ps -a
# Open a shell in it (replace CONTAINER_ID with the ID from the previous command);
# in the Docker image, Solr's configuration file is in /etc/default by default
docker exec -it CONTAINER_ID /bin/bash
# A "true" value for ENABLE_REMOTE_JMX_OPTS means the vulnerable configuration is enabled
cat /etc/default/solr.in.sh | grep true
```

Browse to http://IP:8983 to view the Apache Solr management page; no login is required.

Vulnerability Reproduction

Open msf and configure the payload.

Set the attacker and victim IPs.

Run the exploit.
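The configuration check from the environment section, extended into a reusable audit as an added example that is not part of the original post: it reads a solr.in.sh file, finds the effective ENABLE_REMOTE_JMX_OPTS and RMI_PORT values (last uncommented assignment wins), and reports whether remote JMX is enabled. The function names and the sample file contents are constructed for illustration; 18983 is the default port stated above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a solr.in.sh file for the
# remote-JMX setting behind CVE-2019-12409. Function names are illustrative.

# Print the last uncommented assignment of variable $2 in file $1,
# with any trailing comment and surrounding quotes removed.
effective_value() {
    sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2=//p" "$1" |
        tail -n 1 |
        sed -E -e 's/[[:space:]]+#.*$//' -e 's/[[:space:]]+$//' \
            -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\1/"
}

# Return 1 if the file enables remote JMX, 0 if it does not, 2 if unreadable.
audit_solr_jmx() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file" >&2
        return 2
    fi
    jmx=$(effective_value "$file" ENABLE_REMOTE_JMX_OPTS)
    port=$(effective_value "$file" RMI_PORT)
    port=${port:-18983}   # default RMI_PORT given in the write-up
    if [ "$jmx" = "true" ]; then
        echo "FAIL: $file enables unauthenticated remote JMX on port $port;" \
             "set ENABLE_REMOTE_JMX_OPTS=\"false\", restart Solr, and block the port"
        return 1
    fi
    echo "OK: $file does not enable remote JMX (value: ${jmx:-unset})"
    return 0
}

if [ $# -gt 0 ]; then
    # Audit the files named on the command line, e.g. /etc/default/solr.in.sh
    for f in "$@"; do audit_solr_jmx "$f" || true; done
else
    # Constructed sample mimicking the lines the post greps for.
    sample=$(mktemp)
    printf '%s\n' '#SOLR_HEAP="512m"' 'ENABLE_REMOTE_JMX_OPTS="true"' \
        '# RMI_PORT=18983' > "$sample"
    audit_solr_jmx "$sample" || true
    rm -f "$sample"
fi
```

Unlike a plain `grep true`, this ignores commented-out lines and unrelated settings that happen to be `true`, so it can run across many nodes without manual review of the output.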
