Apache Solr Remote Code Execution Vulnerability
Apache Solr is an open source distributed search platform built on the Apache Lucene search engine library. A remote code execution vulnerability has been reported on Apache Solr before version 7.1, which allows an attacker to send certain crafted HTTP requests to execute artitrary commands on a remote server.
The code execution vulnerability
Solr uses the term “collection” to define a single search index, which is effectively a logical grouping of index data. Search queries are typically sent to Apache Solr by sending requests to the following URI:
http://:8983/solr/ /select?q=
where
Solr supports the use of event listeners which can be used to trigger actions based on various events sent to the collection (e.g. Update an collection). Event listeners require an event type as well as a handler class. Handler classes may be either a custom class or a built in class. Solr “RunExecutableListener” class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such listener can be enabled with any parameters just by using Config API (http://
POST /solr/newcollection/config HTTP/1.1 Host: localhost:8983 Connection: close Content-Type: application/json Content-Length: 198 "add-listener" : { "event":"postCommit", "name":"somelistener", "class":"solr.RunExecutableListener", "exe":"[command]", <--- Arbitrary command "dir":"solr/bin", <--- Command path "args":["foo","bar"] <--- Command params } } When the postCommit event is triggered, the remote command will be executed on the privilege of the Solr server process.
The above mentioned vulnerability is sufficient for a local privilege escalation attack. To exploit this vulnerability without direct access to the Solr server, there is another vulnerability that can be exploited in a chained attack - The XML external entity expansion vulnerability.
The XML external entity expansion vulnerability
This vulnerability is caused by the lucene xml parser does not prohibit DOCTYPE declarations or the expansion of external entities. A query can be crafted that can cause Solr to make requests via localhost when it attempts to resolve an external entity, resulting in a server-side request forgery.
For example, when the request handled by the Apache Solr, a HTTP GET request to evilurl.com will be made.
http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v=''}Combined with this vulnerability, the attacker could send local requests to the server, turning a local code execution vulnerability to a remote RCE vulnerability.
An exploit is already in the wild on exploit-db. A real world attack consists 3 parts:
- Create a new collection to prepare the URL for the local code execution, using the second vulnerability to call the localhost service URL. (If a collection name is known to the attacker, this step can be skipped)
- Trigger the code execution vulnerability, using the collection name created in step 1.
- Update "newcollection" through XXE to trigger execution of RunExecutableListener. Using the same format of request from step 3.
- The malicious command contained in step 2's JSON payload will be executed.
http://localhost:8983/solr/
SonicWall threat Research team has analyzed the vulnerability and developed the following signatures:
- IPS 13036: Apache Solr Remote Code Execution 1
- IPS 13037: Apache Solr Remote Code Execution 2
