CVE-2020-13941: Abusing UNC Paths in Windows Environments in Apache Solr# CVE-2020-13941: Abusing UNC Paths in Windows Environments in Apache Solr
Multiple Solr endpoints have been found to accept absolute paths. In Windows systems these absolute path can be forced to make the OS connect to an attacker-controlled SMB server.
This behaviour may result in attacks such as:
- Capturing the NTLM hash and cracking it locally
- SMB Relay attack that can be used to authenticate to other SMB servers
**Note:** Although not in the scope of the CVE, post-authenticated this behavior can result in Remote Code Execution via Malicious Solr Config files:
- In Windows environments by serving the config remotely via SMB
- In Windows and Linux systems by writing the Solr Config in a location that is writable by anyone (e.g. C:\\Users\\Pubic\, /tmp/, etc.) and pointing the location of that core there via an absolute path
### Public Disclosures:
The vendor's disclosure and fix for this vulnerability can be found [here](https://solr.apache.org/news.html#cve-2020-13941-apache-solr-information-disclosure-vulnerability).
The MITRE disclosure for this vulnerability can be found [here](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13941).
### Proof Of Concept:
More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2020-13941/blob/main/Solr%20-%20CVE-2020-13941.pdf).
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view