How to find vulnerable IPs by CVE ID: CVE-2019-0192
In this article, we will use Spyse to find vulnerable IPs affected by CVE-2019-0192, according to the methodology we’ve described in the first post of this series.
The second write-up is on this link.
Step 1: Find affected software versions
Let’s look at the NVD CVE description:
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr’s unsafe deserialization to trigger remote code execution on the Solr side.
Apache Solr is an open-source search engine platform used by many software giants such as AT&T, eBay, and Netflix.
So we are looking for Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5.
Here is the full list of vulnerable software versions, compiled from the product release notes:
Now we have to reproduce the vulnerable software environment to identify its unique characteristics.
Step 2: Reproduce vulnerable environment
The simplest way to reproduce the Solr environment is to run a Docker container with the appropriate version tag, using the command given on the Docker Hub Solr page:
docker run \
  --detach \
  --name="solr" \
  --publish 8983:8983 \
  solr:5.5.5
In a few minutes, we get an up-and-running system on http://localhost:8983:
Solr 5.x and 6.x ship with no authentication or authorization enabled, so the admin UI, and the Config API behind it, is reachable by anyone who can reach port 8983; on an internet-facing host that means the admin panel is exposed to the public.
Step 3: Identify software characteristics
The first thing to look at is the Docker Hub documentation: the command that starts the container publishes port 8983. The port number is the first characteristic of the application, but on its own it is weak evidence, since many unrelated HTTP services also listen on 8983, so we need something more specific.
The second characteristic is the HTTP redirect to /solr/ that the server returns when we request the root page /.
For further characteristics we examine the HTML source of the admin page. The page title contains the substring "Solr Admin", which identifies the software, and the stylesheet URLs contain the exact Apache Solr version, "5.5.5", which identifies the release.
Now we’ve got enough information to try to find vulnerable IPs.
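To make the characteristics from Steps 1 to 3 reusable, here is an added example (not code from the original article, nor from the Solr or Spyse projects) that turns them into a local check: it parses an admin page for the "Solr Admin" title and the version in the stylesheet URLs, verifies the root redirect to /solr/, and compares the version against the affected ranges from the NVD description using tuple comparison rather than string comparison. It makes no network requests; the sample HTML is constructed for the example, and the `?_=5.5.5` query-string form of the stylesheet URL is an assumption about where the version appears, modelled on the observation above.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges, inclusive, from the NVD description of CVE-2019-0192.
AFFECTED_RANGES = (
    ((5, 0, 0), (5, 5, 5)),
    ((6, 0, 0), (6, 6, 5)),
)

# Characteristics collected in Step 3.
EXPECTED_REDIRECT_PATH = "/solr/"
TITLE_MARKER = "Solr Admin"

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
HREF_RE = re.compile(r'href\s*=\s*"([^"]+)"', re.IGNORECASE)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed sample, not a captured Solr response; the "?_=5.5.5" suffix is an
# assumption about how the version shows up in the stylesheet URLs.
SAMPLE_ADMIN_HTML = """<!DOCTYPE html>
<html>
<head>
  <title>Solr Admin</title>
  <link rel="stylesheet" type="text/css" href="css/styles/common.css?_=5.5.5">
  <link rel="stylesheet" type="text/css" href="css/styles/dashboard.css?_=5.5.5">
</head>
<body></body>
</html>"""


def parse_version(text: str) -> Optional[Version]:
    """Turn '5.5.5' into (5, 5, 5); None if the string is not of the form x.y.z."""
    m = VERSION_RE.fullmatch(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the affected ranges.

    Comparing integer tuples avoids the string-ordering bug where
    '6.10.0' would sort before '6.6.5'.
    """
    v = parse_version(version)
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def extract_title(html: str) -> Optional[str]:
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else None


def extract_version(html: str) -> Optional[str]:
    """Return the first x.y.z found in the href of a stylesheet <link>, or None."""
    for tag in LINK_TAG_RE.findall(html):
        if "stylesheet" not in tag.lower():
            continue
        href = HREF_RE.search(tag)
        if href is None:
            continue
        m = VERSION_RE.search(href.group(1))
        if m:
            return m.group(0)
    return None


def fingerprint(root_status: int, root_location: Optional[str], admin_html: str) -> dict:
    """Score one host against the three Step 3 characteristics.

    root_status / root_location describe the response to GET /;
    admin_html is the body of the page the redirect leads to.
    """
    redirects = (
        root_status in (301, 302, 303, 307, 308)
        and bool(root_location)
        and root_location.rstrip().endswith(EXPECTED_REDIRECT_PATH)
    )
    title = extract_title(admin_html) or ""
    version = extract_version(admin_html)
    return {
        "redirects_to_solr": redirects,
        "title_matches": TITLE_MARKER in title,
        "version": version,
        "affected": version is not None and is_affected(version),
        "matched": int(redirects) + int(TITLE_MARKER in title) + int(version is not None),
    }


if __name__ == "__main__":
    # Simulate the responses the local container gives: 302 to /solr/, then the admin page.
    print(fingerprint(302, "http://localhost:8983/solr/", SAMPLE_ADMIN_HTML))
```

A host that scores 3 out of 3 with an affected version is a candidate for manual verification; a port hit alone scores 1 and should be discarded, which is the same reasoning that drives the search filters in the next step.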
Step 4: Ask the right question
In this step we use Spyse's advanced search feature to find domains running an Apache Solr version affected by CVE-2019-0192.
Let's look for domains running one of the affected versions, 6.5.0, by combining the site title with the version string from the stylesheet URLs. (Any version from 5.0.0 to 5.5.5 or 6.0.0 to 6.6.5 can be substituted; 6.6.5 is the last affected release.) We set the following search filters:
- Domains → Site info → Title → contains → Solr
- Domains → Site info → Title → contains → Apache
- Domains → Site info → Styles → contains → 6.5.0
Here is what a search result may look like:
Last step: Clean-up
To keep your machine clean, stop and remove the Apache Solr container and then the image:
docker stop solr \
  && docker rm solr \
  && docker rmi solr:5.5.5
As a security-conscious officer or system administrator, you should never expose an Apache Solr service directly to the public: put an access control in front of it, for example HTTP authentication or a VPN, and keep the version up to date.
From a red-teamer's perspective, expect such controls to be in place and treat an exposed host like the ones found here as a lucky find rather than the norm.