apache solr injection
play

Apache Solr Injection Michael Stepankin @artsploit DEF CON 27 - PowerPoint PPT Presentation

Sep 27, 2023 •98 likes •518 views

Apache Solr Injection Michael Stepankin @artsploit DEF CON 27 @whoami Michael Stepankin Security Researcher @ Veracode Web app breaker Works on making Dynamic and Static Code Analysis smarter Penetration tester in the

  1. Apache Solr Injection Michael Stepankin @artsploit DEF CON 27

  2. @whoami – Michael Stepankin • Security Researcher @ Veracode • Web app breaker • Works on making Dynamic and Static Code Analysis smarter • Penetration tester in the past • Never reported SSL ciphers

  3. Ones upon a time on bug bounty…

  4. What is Solr? • Solr is the popular, blazing-fast, open source enterprise search platform built on Apache Lucene • Written in Java, open source • REST API as a main connector • Used by many companies (AT&T, eBay, Netflix, Adobe etc…) https://lucene.apache.org/solr/

  5. How does it look like?

  6. Solr Quick Start //add some data //start solr $ ./bin/solr start -e dih //search data

  7. Solr 101: simple query Requested content-type

  8. Solr 101: more complex query Request Handler (select, update, config) Collection (‘database’) name Parser type Local parameter name (default field)

  9. Solr 101: more complex query Requested Fields (columns) Subquery for column ‘similar’ Requested response type

  10. Common Solr Usage in Web App :

  11. Solr Parameter Injection (HTTP Query Injection) : Browser /search?q=Apple%26xxx=yyy%23 Solr /solr/db/select?q=Apple&xxx=yyy#&fl=id,name&rows=10

  12. Solr Parameter Injection: Magic Parameters GET /solr/db/select?q=Apple&shards=http://127.0.0.1:8984/solr/db&qt=/ config%23&stream.body={"set-property":{"xxx":"yyy"}}&isShard=true • shards=http://127.0.0.1:8984/solr/db - allows to forward this request to the specified url • qt=/config%23 – allows to rewrite query • stream.body={"set-property":{"xxx":"yyy"}} – treated by Solr as a POST body • isShard=true - needed to prevent body parsing while proxying

  13. Solr Parameter Injection: Magic Parameters GET /solr/db/select?q=Apple&shards=http://127.0.0.1:8984/solr/db&qt=/ config%23&stream.body={"set-property":{"xxx":"yyy"}}&isShard=true

  14. Solr Parameter Injection: collection name leak

  15. Solr Parameter Injection: update another collection * The error is thrown after the update is done

  16. Solr Parameter Injection: query another collection * We can rename columns in our query to match the original collection

  17. Solr Parameter Injection: JSON response rewriting * json.wrf parameter acts like a JSONp callback, May work depending on the app’s JSON parser

  18. Solr Parameter Injection: XML response poisoning * ValueAugmenterFactory adds a new field to every returned document

  19. Solr Parameter Injection: XSS via response poisoning * Xml Transformer inserts a valid XML fragment in the document

  20. Solr Local Parameter Injection : Browser /search?q={!dismax+xxx=yyy}Apple Solr /solr/db/select?q={!dismax+xxx=yyy}Apple&fl=id…

  21. Solr Local parameter injection • Known since 2013, but nobody knew how to exploit • We can specify only the parser name and local parameters • ‘shards’, ‘stream.body‘ are not ‘local’ • XMLParser is the rescue!:

  22. Solr Local parameter injection: CVE-2017-12629 • XMLParser is vulnerable to XXE, allowing to perform SSRF: • Therefore, all ‘shards’ magic also works if we can only control the ‘q’ param!

  23. Wait! Are you mad telling us about HTTP injection, XXE and (even) XSS? Where is my CALCULATOR!!!???

  24. Ways to RCE • Documentation does not really help • But It’s java, so…. • For sure it has XXEs • For sure it has Serialization • Indeed it has ScriptEngine() • Indeed it even has Runtime.exec()

  25. CVE-2017-12629 RunExecutableListener RCE Target versions: 5.5x-5.5.4, 6x-6.6.3, 7x – 7.1 Requirements: None

  26. CVE-2017-12629 RunExecutableListener via shards • (step 1) Add a new query listener • (step 2) Perform any update operation *Tnx Olga Barinova (@_lely___) for help with making it work J

  27. CVE-2017-12629 RunExecutableListener via XXE • (step 1) Add a new query listener • (step 2) Perform any update operation

  28. CVE-2019-0192 RCE via jmx.serviceUrl Target versions: 5x – 6x. In v7-8 JMX is ignored Requirements: OOB connection or direct access

  29. CVE-2019-0192 RCE via jmx.serviceUrl What happen inside? Leads to un.rmi.transport.StreamRemoteCall#executeCall and then to ObjectInputStream.readObject()

  30. CVE-2019-0192 RCE via jmx.serviceUrl 1st way to exploit (via deserialization) • Start a malicious RMI server serving ROME2 object payload on port 1617 • Trigger a Solr connection to the malicious RMI server by setting the jmx.serviceUrl property • RMI server responds with a serialized object, triggering RCE on Solr *Note: ROME gadget chain requires Solr extraction libraries in the classpath

  31. CVE-2019-0192 RCE via jmx.serviceUrl

  32. CVE-2019-0192 RCE via jmx.serviceUrl 2nd way to exploit (via JMX) • Create an innocent rmiregistry • Trigger a Solr connection to the rmiregistry by setting the jmx.serviceUrl property. It will register Solr’s JMX port on our rmiregistry.

  33. CVE-2019-0192 RCE via jmx.serviceUrl 2nd way to exploit (via JMX) • Connect to the opened JMX port and create a malicious MBean

  34. CVE-2019-0193 DataImportHandler RCE Target version: 1.3 – 8.2 Requirements: DataImportHandler enabled

  35. CVE-2019-0193 DataImportHandler RCE

  36. Example: search.maven.org

  37. Example: search.maven.org

  38. Example: search.maven.org

  39. Example: search.maven.org

  40. Example: search.maven.org

  41. Thank you! F u ll wh ite p a p e r a t: h ttp s ://g ith u b .c o m/v e ra c o d e - re s e a rc h /s o lr-in jectio n

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler

Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler

Apache Lucene 5 New Features and Improvements for Apache Solr and Elasticsearch Uwe Schindler Apache Software Foundation | SD DataSolutions GmbH | PANGAEA My Background Committer and PMC member of Apache Lucene and Solr - main focus is on

1.09k views • 83 slides
Apache Solr An experience report 2013-10-23 - Corsin Decurtins Apache Solr Notes Full-Text

Apache Solr An experience report 2013-10-23 - Corsin Decurtins Apache Solr Notes Full-Text

Apache Solr An experience report 2013-10-23 - Corsin Decurtins Apache Solr Notes Full-Text Search Engine Fast Apache Lucene Project Proven and Well-Known Technology based on Apache Lucene Java based Open APIs Customizable Clustering

1.02k views • 69 slides
Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org

Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org

Faceted Searching With Apache Solr October 13, 2006 Chris Hostetter hossman apache org http://incubator.apache.org/solr/ What is Faceted Searching? 2 Example: Epicurious.com 3 Example: Nabble.com 4 Example: CNET.com 5 Aka:

774 views • 35 slides
What's coming next? Uwe Schindler SD DataSolutions GmbH / Apache Software Foundation thetaph1

What's coming next? Uwe Schindler SD DataSolutions GmbH / Apache Software Foundation thetaph1

Apache Lucene and Solr 8: What's coming next? Uwe Schindler SD DataSolutions GmbH / Apache Software Foundation thetaph1 https://www.thetaphi.de My Background Committer and PMC member of Apache Lucene and Solr - main focus is on

785 views • 37 slides
optimizations for e-commerce search with Apache Solr Tomasz Sobczak, MICES 2017 About me Work

optimizations for e-commerce search with Apache Solr Tomasz Sobczak, MICES 2017 About me Work

Performance optimizations for e-commerce search with Apache Solr Tomasz Sobczak, MICES 2017 About me Work at Lucene, Solr and Elasticsearch Everything related to search tech & business Focus on search relevancy Enterprise Search Warsaw

946 views • 29 slides
Apache Solr la piattaforma di ricerca enterprise LucaBonesini | Titulus User Group, Kion

Apache Solr la piattaforma di ricerca enterprise LucaBonesini | Titulus User Group, Kion

Apache Solr la piattaforma di ricerca enterprise LucaBonesini | Titulus User Group, Kion Bologna 4/dic/2013 Chi s hi son ono Luca Bonesini Infor orma matico Lanciatore di giavellotti Prog ogramma mmator ore Suonatore di chitarra

986 views • 39 slides
Building and Running a Solr-as-a-Service SHAI ERERA IBM Who Am I? Working at IBM Social

Building and Running a Solr-as-a-Service SHAI ERERA IBM Who Am I? Working at IBM Social

Building and Running a Solr-as-a-Service SHAI ERERA IBM Who Am I? Working at IBM Social Analytics & Technologies Lucene/Solr committer and PMC member http://shaierera.blogspot.com shaie@apache.org Background More and

637 views • 20 slides
Drupal and Apache Solr Search Go Together Like Pizza and Beer for Your Site Peter M. Wolanin,

Drupal and Apache Solr Search Go Together Like Pizza and Beer for Your Site Peter M. Wolanin,

February 2, 2013 Drupal and Apache Solr Search Go Together Like Pizza and Beer for Your Site Peter M. Wolanin, Ph.D. Momentum Specialist (principal engineer), Acquia, Inc. Drupal contributor drupal.org/user/49851 co-maintainer of the Drupal

550 views • 41 slides
Beyond full-text searches With Lucene and Solr Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam

Beyond full-text searches With Lucene and Solr Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam

Beyond full-text searches With Lucene and Solr Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam bdelacretaz@apache.org www.codeconsult.ch slides revision: 2007-05-03 Slides at http://wiki.apache.org/apachecon/Eu2007OnlineSessionSlides How

748 views • 32 slides
Progressive Decoupling React + Drupal + Apache Solr November 9, 2018 Prepared by Chris Russo,

Progressive Decoupling React + Drupal + Apache Solr November 9, 2018 Prepared by Chris Russo,

DRUPAL CAMP ATLANTA 2018 Progressive Decoupling React + Drupal + Apache Solr November 9, 2018 Prepared by Chris Russo, CEO Drupalcamp Atlanta 2018 WHO AM I? SESSION GOALS CASE STUDY: THE APP EOMEGA.ORG/SEARCH PREVIOUS SEARCH

972 views • 34 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak

site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak

Building search engine for Drupal site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak Kumar (drupal.org id deepak_123) 1. Drupal default search 2. Limitations of drupal default search 3.

700 views • 19 slides
Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org

Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org

Testing Lucene and Solr with various JVMs: Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer & PMC Member uschindler@apache.org http://www.thetaphi.de, http://blog.thetaphi.de @ThetaPh1 SD DataSolutions GmbH , Wtjenstr. 49, 28213

1.13k views • 71 slides
Lucene And Solr Document Classification Alessandro Benedetti, Software Engineer, Sease Ltd. Who

Lucene And Solr Document Classification Alessandro Benedetti, Software Engineer, Sease Ltd. Who

Lucene And Solr Document Classification Alessandro Benedetti, Software Engineer, Sease Ltd. Who I am Alessandro Benedetti Search Consultant R&D Software Engineer Master in Computer Science Apache Lucene/Solr

875 views • 31 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
Combining Solr and Elasticsearch to Improve Autosuggestion on Mobile Local Search Toan Vinh Luu,

Combining Solr and Elasticsearch to Improve Autosuggestion on Mobile Local Search Toan Vinh Luu,

Combining Solr and Elasticsearch to Improve Autosuggestion on Mobile Local Search Toan Vinh Luu, PhD Senior Search Engineer local.ch AG Apache: Big Data 2015 In this talk Requirements of an autosuggestion feature Autosuggestion

416 views • 30 slides
Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies,

Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies,

Kernel HTTPS/TCP/IP stack for HTTP DDoS mitigation Alexander Krizhanovsky Tempesta Technologies, Inc. ak@tempesta-tech.com Who am I? CEO & CTO at Tempesta Technologies (Seattle, WA) Developing Tempesta FW open source Linux Application

740 views • 48 slides
IT452 Advanced Web and Internet Systems Set 10: Web Servers (operation, configuration, and

IT452 Advanced Web and Internet Systems Set 10: Web Servers (operation, configuration, and

IT452 Advanced Web and Internet Systems Set 10: Web Servers (operation, configuration, and security) (Chapters 21) Key Questions Popular web servers? What does a web server do? How can I control it? URL re-writing /

374 views • 8 slides
Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache

Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache

Distributed Computation of with Apache Hadoop Tsz-Wo Sze Yahoo! Cloud Computing Apache Hadoop PMC Member Mapred2010 Dec 1 1 Agenda Introduction A New World Record How to Compute The n th Bits of ? Computing with

759 views • 52 slides
BinaryPig: Scalable Binary Data Extraction in Hadoop Created By: Jason Trost, Telvis Calhoun,

BinaryPig: Scalable Binary Data Extraction in Hadoop Created By: Jason Trost, Telvis Calhoun,

BinaryPig: Scalable Binary Data Extraction in Hadoop Created By: Jason Trost, Telvis Calhoun, Zach Hanif Bringing data science to cyber security, allowing you to sense, analyze and act in

804 views • 44 slides
Apache Spark Dr. Mihail Content derived from: Ankam, Venkat. Big Data Analytics. Packt

Apache Spark Dr. Mihail Content derived from: Ankam, Venkat. Big Data Analytics. Packt

Apache Spark Dr. Mihail Content derived from: Ankam, Venkat. Big Data Analytics. Packt Publishing, 2016. July 9, 2019 (Dr. Mihail ) Intro Big Data July 9, 2019 1 / 8 Apache Spark Why Hadoop and MapReduce have been around for 10 years and

443 views • 9 slides
New Ideas Track: Testing MapReduce-Style Programs Christoph Csallner, Leonidas Fegaras, Chengkai

New Ideas Track: Testing MapReduce-Style Programs Christoph Csallner, Leonidas Fegaras, Chengkai

New Ideas Track: Testing MapReduce-Style Programs Christoph Csallner, Leonidas Fegaras, Chengkai Li Computer Science and Engineering Department University of Texas at Arlington (UTA) European Software Engineering Conference / ACM SIGSOFT

727 views • 19 slides
CSC 369: Distributed Computing Alex Dekhtyar May 6 Day 14: Java Hadoop API CSC 369: Distributed

CSC 369: Distributed Computing Alex Dekhtyar May 6 Day 14: Java Hadoop API CSC 369: Distributed

CSC 369: Distributed Computing Alex Dekhtyar May 6 Day 14: Java Hadoop API CSC 369: Distributed Computing Alex Dekhtyar May 6 Day 14: Java Hadoop API HAPPY EQUATOR DAY! Housekeeping Lab 4 (mini-project): due Sunday night Lab 5: due

611 views • 31 slides
DONT OPTIMIZE MY QUERIES, ORGANIZE MY DATA! Julian Hyde (Apache Calcite) TELUQ, Montral,

DONT OPTIMIZE MY QUERIES, ORGANIZE MY DATA! Julian Hyde (Apache Calcite) TELUQ, Montral,

DONT OPTIMIZE MY QUERIES, ORGANIZE MY DATA! Julian Hyde (Apache Calcite) TELUQ, Montral, 2018/09/24 A simple query Data Query SELECT SUM (householdSize) 2010 U.S. census FROM CensusHouseholds; 100 million records

675 views • 46 slides

More recommend