
[Vulnerability Alert] CVE-2019-12409 / Apache Solr remote code execution caused by a misconfigured JMX RMI service


Vulnerability description

Security researcher Jan Høydahl recently disclosed that the default configuration file solr.in.sh shipped with Apache Solr releases 8.1.1 and 8.2.0 sets the ENABLE_REMOTE_JMX_OPTS option insecurely. An affected release started with that default enables the JMX monitoring service and listens on RMI port 18983 on all interfaces, so a host reachable from the Internet exposes it publicly, and no authentication is required to connect. Combined with the well-known JMX RMI attack technique, this leads to remote code execution.

CVE number

CVE-2019-12409

Threat level

High

Affected versions

8.1.1 and 8.2.0

Brief analysis

The JConsole tool bundled with the JDK can connect straight to the exposed JMX service, with no credentials.


The root cause of code execution over JMX RMI is that a remote client is allowed to create a javax.management.loading.MLet MBean and use it to load further MBeans from an arbitrary URL. An attacker-supplied MBean loaded this way runs attacker code inside the JVM.

The attack generally proceeds as follows:

  • 1. Start a web server that hosts an MLet file and a JAR file containing the malicious MBean.
  • 2. Over JMX, create an instance of the javax.management.loading.MLet MBean on the target server.
  • 3. Invoke the getMBeansFromURL method of that instance, passing the web server's URL as the argument. The JMX service connects to the HTTP server and parses the MLet file.
  • 4. The JMX service downloads the JAR file referenced by the MLet file and registers the malicious MBean it contains, making it accessible over JMX.
  • 5. Finally, the attacker invokes a method of the malicious MBean.

This attack approach comes from n0tr00t's write-up of an Alibaba CTF competition. Besides Metasploit (msf), mjet can also be used to attack JMX RMI.
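Before reaching for msf or mjet, a practitioner usually wants to confirm that the port really is a Java RMI (JRMP) listener, which is the transport the JMX service above sits on. The following probe is an added example (not code from the original article, from Solr, or from either tool): it completes only the JRMP stream-protocol handshake and sends nothing JMX-specific, so it is safe to run against a live instance. The mock server exists purely so the example runs offline; the target host and port 18983 under __main__ are assumptions.

```python
"""Probe a host:port for a Java RMI (JRMP) listener by completing the
JRMP stream-protocol handshake. Added example, not Solr's or mjet's code."""
import socket
import struct
import threading

JRMI_MAGIC = b"JRMI"      # first four bytes of every JRMP connection
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B    # 'K': one request/response stream per connection
PROTOCOL_ACK = 0x4E       # 'N'
PROTOCOL_NACK = 0x4F      # 'O'


def _recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError (an OSError)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def probe_jrmp(host, port, timeout=3.0):
    """Return {'jrmp': True, 'seen_host': ..., 'seen_port': ...} for a JRMP
    listener, otherwise {'jrmp': False, ...}.

    Client -> server: "JRMI" + version (2 bytes) + protocol (1 byte).
    Server -> client: ProtocolAck, then the client's endpoint as the server
    sees it: host as 2-byte-length-prefixed UTF, port as a 4-byte int
    (the JDK writes 0 for the port).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL))
            ack = _recv_exact(s, 1)
            if ack[0] != PROTOCOL_ACK:
                return {"jrmp": False, "reply": ack}
            hlen = struct.unpack(">H", _recv_exact(s, 2))[0]
            seen_host = _recv_exact(s, hlen).decode("utf-8", "replace")
            seen_port = struct.unpack(">i", _recv_exact(s, 4))[0]
            return {"jrmp": True, "seen_host": seen_host, "seen_port": seen_port}
    except OSError as exc:  # refused, timed out, reset, closed early
        return {"jrmp": False, "error": str(exc)}


def start_mock_jrmp_server(ack=True):
    """Loopback server that speaks the server side of the handshake once and
    returns its port. Constructed for offline use only; ack=False models a
    listener that rejects the protocol with ProtocolNack."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, (peer_host, _peer_port) = srv.accept()
        srv.close()
        with conn:
            hdr = _recv_exact(conn, 7)
            if ack and hdr[:4] == JRMI_MAGIC and hdr[6] == STREAM_PROTOCOL:
                h = peer_host.encode()
                conn.sendall(bytes([PROTOCOL_ACK]) + struct.pack(">H", len(h)) + h
                             + struct.pack(">i", 0))
            else:
                conn.sendall(bytes([PROTOCOL_NACK]))

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed target
    print(probe_jrmp(target, 18983))  # 18983: Solr's default RMI port
```

A ProtocolAck only proves that a JRMP endpoint is listening; whether the JMX layer on top of it requires credentials is what JConsole, msf or mjet then establish. Run it against the Solr host on 18983 (or whatever RMI_PORT is set to); a hardened instance should refuse the connection or not answer at all.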


Remediation

Set ENABLE_REMOTE_JMX_OPTS to false in the bin/solr.in.sh configuration file and restart Solr; the setting is only read when the JVM is started, so a running instance stays exposed until it is restarted.
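To check a fleet for the weak default and to apply the fix above, the following audit script is an added example, not Solr's own tooling. It parses solr.in.sh, reports whether remote JMX is enabled and on which RMI port, and rewrites the file with ENABLE_REMOTE_JMX_OPTS="false". Assumption about bin/solr (not stated on this page): when the option is "true" it starts the JVM with JMX remote authentication and SSL disabled on RMI_PORT, and RMI_PORT defaults to SOLR_PORT + 10000, which is how the advisory's port 18983 arises from the default Solr port 8983. The excerpt in DEFAULT_SOLR_IN_SH is constructed in the shape of the shipped default, not a verbatim copy.

```python
"""Audit and fix ENABLE_REMOTE_JMX_OPTS in a Solr solr.in.sh.
Added example; the RMI_PORT default rule is an assumption about bin/solr."""
import re

# VAR=value, VAR="value" or VAR='value', optionally followed by a comment.
# Lines beginning with '#' do not match, so commented-out defaults are ignored.
ASSIGN = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)="""
    r"""(?P<value>"[^"]*"|'[^']*'|[^\s#]+)\s*(?:#.*)?$"""
)

# Constructed excerpt in the shape of the 8.1.1/8.2.0 default (not verbatim).
DEFAULT_SOLR_IN_SH = """\
#SOLR_PORT=8983
ENABLE_REMOTE_JMX_OPTS="true"
#RMI_PORT=18983
"""


def parse_solr_in_sh(text):
    """Return VAR -> value for each uncommented assignment; last value wins,
    as in the shell, and surrounding quotes are stripped."""
    vals = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            vals[m.group("name")] = m.group("value").strip("\"'")
    return vals


def audit_jmx(text):
    """Report whether this solr.in.sh exposes unauthenticated JMX over RMI."""
    vals = parse_solr_in_sh(text)
    enabled = vals.get("ENABLE_REMOTE_JMX_OPTS", "false").strip().lower() == "true"
    solr_port = int(vals.get("SOLR_PORT", 8983))
    # Assumption about bin/solr: RMI_PORT falls back to SOLR_PORT + 10000.
    rmi_port = int(vals.get("RMI_PORT", solr_port + 10000))
    return {
        "jmx_enabled": enabled,
        "rmi_port": rmi_port if enabled else None,
        # With the option on, the JVM is started without JMX authentication,
        # which is exactly what the MLet technique needs.
        "vulnerable": enabled,
    }


def harden(text):
    """Return the file with ENABLE_REMOTE_JMX_OPTS forced to "false" (the line is
    rewritten in place, or appended if absent). Solr must be restarted afterwards."""
    out, seen = [], False
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m and m.group("name") == "ENABLE_REMOTE_JMX_OPTS":
            out.append('ENABLE_REMOTE_JMX_OPTS="false"')
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append('ENABLE_REMOTE_JMX_OPTS="false"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "bin/solr.in.sh"  # assumed path
    with open(path) as f:
        content = f.read()
    print(audit_jmx(content))
```

The weak default and the corrected file differ by a single line: audit_jmx(DEFAULT_SOLR_IN_SH) reports remote JMX enabled on 18983, while audit_jmx(harden(DEFAULT_SOLR_IN_SH)) reports it disabled. If remote JMX monitoring is genuinely needed, leaving the option on is only acceptable with the port restricted at the network level and JMX authentication turned on in the JVM options, which this page does not cover.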

Timeline

[0] 2019/11/18 NVD published the vulnerability
[1] 2019/11/19 AsiaInfo Security's Network Attack and Defense Lab analysed and reproduced the vulnerability and published this alert

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12409
https://nosec.org/home/detail/2544.html
https://www.n0tr00t.com/2015/04/17/JMX-RMI-Exploit-Demo.html
https://github.com/mogwailabs/mjet
