Added Apache Spark RCE - CVE-2022-33891 #16944
Conversation
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

Co-authored-by: bcoles <bcoles@gmail.com>
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>

Hey @h00die-gr3y, thank you for the module! Code and docs look good to me. I added Test output

Love to see it 💖 well done @h00die-gr3y

Release Notes
This exploits an unauthenticated command injection vulnerability in Apache Spark. The

Thanks guys for the review and code suggestions!!! Up to the next one ;-)
Introduction

This module exploits a remote code execution vulnerability (CVE-2022-33891) in Apache Spark.

The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`. With an authentication filter, this checks whether a user has access permissions to view or modify the application. The permission check is coded using a `bash` command shell and the Unix `id` command, which allows a malicious shell command injection. Ironically, the `spark.acls.enable` configuration setting is designed to improve the security access within the Spark application, but unfortunately this configuration setting triggers the vulnerable code below. This results in arbitrary shell command execution as the `spark` user.

This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Verification

List the steps needed to make sure this thing works:

1. `msfconsole`
2. `use exploit/linux/http/apache_spark_rce_cve_2022_33891`
3. `set RHOSTS <TARGET HOSTS>`
4. `set LHOST <Address of Attacking Machine>`
5. `exploit`

`spark` user.

Installing a vulnerable version of Apache Spark to test this vulnerability is quite easy. To set the server up, use the following docker-compose.yml file and follow the steps below:

1. `docker-compose up`. Let the container spin up.
2. `sudo docker exec -it spark_spark_1 /bin/bash`
3. `echo "spark.acls.enable true" >> conf/spark-defaults.conf`
4. `docker-compose up`

Once the server and application are up, it's vulnerable and you can access it on port 8080 for testing.
Limitations

The check to determine if the application is vulnerable is based on a 403 response and the successful execution of a randomized `sleep` command. The exploit is a blind command injection, so there is nothing reflected back on the page during the command execution. Timing the `sleep` command execution is therefore a pretty safe bet to check if the command injection is successful.

Credit goes to HuskyHacks, who used this test in his POC on GitHub.
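Added example (not part of the module or this PR): an audit helper that applies the two conditions stated in the description, an affected version and `spark.acls.enable` set to `true` in spark-defaults.conf, so a defender can flag deployments that reach the vulnerable code path. The conf format handling (key and value separated by whitespace or `=`, `#` comments) and the sample file are assumptions.

```python
import re

# Affected ranges exactly as listed in the description: (low, high), both inclusive.
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 0, 3)),  # 3.0.3 and earlier
    ((3, 1, 1), (3, 1, 2)),  # 3.1.1 to 3.1.2
    ((3, 2, 0), (3, 2, 1)),  # 3.2.0 to 3.2.1
]

def parse_version(version):
    """Turn a Spark version string such as '3.2.1' into a comparable tuple.
    A trailing qualifier (e.g. '-SNAPSHOT') is ignored; anything else is rejected."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Spark version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected_version(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def parse_spark_defaults(text):
    """Parse spark-defaults.conf: one setting per line, key and value separated by
    whitespace or '=', '#' starts a comment (assumed Java-properties-style format)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*[=\s]\s*", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1]
    return conf

def assess(version, conf_text):
    """Return (exposed, reason). Exposed only when BOTH conditions hold:
    an affected version and spark.acls.enable set to true."""
    acls = parse_spark_defaults(conf_text).get("spark.acls.enable", "false").lower() == "true"
    if not is_affected_version(version):
        return False, "version not in an affected range"
    if not acls:
        return False, "affected version, but spark.acls.enable is not true (vulnerable path not reached)"
    return True, "affected version with spark.acls.enable true: upgrade to a fixed release"

# Constructed sample: the conf the verification steps above leave behind inside the container.
SAMPLE_CONF = "spark.master spark://spark:7077  # constructed sample\nspark.acls.enable true\n"

if __name__ == "__main__":
    print(assess("3.2.1", SAMPLE_CONF))
```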