Solr Dataimport Vulnerability Becomes a New Attack Method for Mining Organizations

Summary

Recently, the Alibaba Cloud security team detected a mining group using the Solr DataImportHandler RCE vulnerability (CVE-2019-0193) as a new attack method to implant a mining program into target hosts. The malicious script used by the group is essentially the same as the one analysed in a previously published article [1], so this attack can be attributed to the same group.

It can also be reasonably assumed that this group is actively looking for new attack vectors. The Alibaba Cloud security team has been monitoring this activity since it was first observed and continues to track the group's behaviour.

The Alibaba Cloud security team recommends that users promptly check whether their hosts are affected and follow the related articles.

Vulnerability Details

Apache Solr is the popular, blazing fast open source enterprise search platform from the Apache Lucene project. Its major features include powerful full-text search, hit highlighting, faceted search, dynamic clustering, database integration, rich document handling, and geospatial search.

Remote Code Execution via DataImportHandler (CVE-2019-0193) is a vulnerability advisory published by Apache Solr on 2019.8.1. The vulnerability lies in Solr's DataImportHandler (DIH) module, which provides the ability to retrieve data from a database or another data source. Because the Solr admin interface does not require authentication by default and DIH supports script operations, remote command execution can be achieved by constructing a malicious HTTP request.

As shown below, select the dataimport tab in the Solr admin interface. Because the dataimport configuration supports scripts, we can place a malicious script in the configuration and have it execute the curl xxx.xxx.xxx.xx command.


As shown in the figure below, our server received the HTTP request sent by Solr, confirming that the RCE succeeded.


Exploit Analysis

The Alibaba Cloud security team recently detected attackers attempting to exploit this vulnerability to break into hosts on Alibaba Cloud. The attack first sends a request such as http://xx.xx.xx.xx:8983/solr/admin/cores?action=STATUS&wt=json to obtain the names of all cores in Solr.


The attackers then iterate over these core names and attempt to send the following payload to corename/dataimport, which fetches a malicious script from https://pastebin.com/raw/jjFzjCwx.

Following the malicious script at https://pastebin.com/raw/jjFzjCwx, we found that it differs from the watchbog mining program analysed previously in only one place, and that difference is non-critical; for the remainder of the script, refer to the previous article.
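As an added defender-side example (not part of the original article), the following Python script flags the request sequence described above in Solr's Jetty request log: a core STATUS enumeration followed by an inline dataConfig sent to /dataimport from the same address, or any dataConfig carrying a script marker. It assumes NCSA-style log lines and that the dataConfig parameter appears in the URL query string; the sample lines are constructed, and a dataConfig sent in a POST body would only be visible with request-body logging or a WAF.

```python
"""Flag CVE-2019-0193-style DataImportHandler (DIH) abuse in Solr/Jetty request logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit

# NCSA-style request log line: client ip ... "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Substrings that indicate an inline DIH config carrying executable script
SCRIPT_MARKERS = ("<script", "scripttransformer", "script:")

def classify(line):
    """Return (ip, tag); tag is 'enum', 'dih_script', 'dih_config' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    ip, target = m.group("ip"), m.group("target")
    parts = urlsplit(target)
    query = parse_qs(parts.query)          # percent-decodes values once
    path = parts.path.lower()
    if path.endswith("/admin/cores") and query.get("action", [""])[0].upper() == "STATUS":
        return ip, "enum"                  # core enumeration, step 1 of the observed chain
    if path.endswith("/dataimport") and "dataConfig" in query:
        cfg = unquote_plus(query["dataConfig"][0]).lower()   # second decode catches double-encoding
        if any(mk in cfg for mk in SCRIPT_MARKERS):
            return ip, "dih_script"        # inline config with script: the RCE primitive
        return ip, "dih_config"            # inline config without script: still worth reviewing
    return ip, None

def detect_dih_abuse(lines):
    """Map ip -> set of tags for ips that sent a script-bearing dataConfig, or any
    inline dataConfig after enumerating cores from the same address."""
    seen, alerts = defaultdict(set), {}
    for line in lines:
        ip, tag = classify(line)
        if tag is None:
            continue
        seen[ip].add(tag)
        if tag == "dih_script" or (tag == "dih_config" and "enum" in seen[ip]):
            alerts.setdefault(ip, set()).add(tag)
    return alerts

# Constructed sample lines (not real traffic): enumerate-then-inline-config sequence plus benign noise
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Aug/2019:08:01:12 +0000] "GET /solr/admin/cores?action=STATUS&wt=json HTTP/1.1" 200 532',
    '203.0.113.7 - - [11/Aug/2019:08:01:13 +0000] "POST /solr/demo/dataimport?command=full-import&dataConfig='
    '%3CdataConfig%3E%3Cscript%3E%3C![CDATA[function+f(row)%7Breturn+row%3B%7D]]%3E%3C/script%3E%3C/dataConfig%3E HTTP/1.1" 200 318',
    '198.51.100.5 - - [11/Aug/2019:08:05:44 +0000] "GET /solr/demo/select?q=*:*&wt=json HTTP/1.1" 200 4210',
]
```

Running detect_dih_abuse(SAMPLE_LOG) returns {'203.0.113.7': {'dih_script'}}; the benign select query from the second address produces no alert.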


In addition, suspected ping commands are used to send callback requests that collect vulnerable hosts:

Vulnerability Impact

At present, about 19k devices across the Internet are running Solr components. The Alibaba Cloud security team recommends that users check the status of their machines promptly to prevent the attack from spreading further.


IOC

  1. https://pastebin.com/raw/jjFzjCwx
  2. https://pastebin.com/raw/3FDDiNwW
  3. https://pastebin.com/raw/KJcZ9HLL

Vulnerable Versions

  1. Solr versions earlier than 8.2.0 (8.2.0 itself is not affected)
  2. The DataImportHandler module is enabled
  3. Solr authentication is not enabled, or weak passwords are used

Security Recommendations

  1. Upgrade Solr to 8.2.0 or later (from 8.2.0 onward, the dataConfig request parameter is disabled by default)
  2. Empty the content of the config tag under the DIH requestHandler in solrconfig.xml (solrconfig.xml -> requestHandler -> config)
  3. Apply allow-list filtering to DIH-related requests

Reference Articles

  1. Warning | Watchbog mining worm upgrade, using multiple vulnerabilities such as BlueKeep RDP to gain momentum
  2. CVE-2019-0193: Remote Code Execution via DataImportHandler
