commit module and documentation

This commit is contained in:
h00die-gr3y
2022-08-26 15:39:18 +00:00
parent 21c4e3ce3d
commit e8083c6fb1
@@ -1,16 +1,28 @@
## Vulnerable Application
This module exploits a remote code execution vulnerability (CVE-2022-33891) of Apache Spark.
The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`.
With an authentication filter, this checks whether a user has access permissions to view or modify the application.
If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name.
A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it.
The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`.
With an authentication filter, this checks whether a user has access permissions to view or modify the application.
The permission check is coded using a bash command shell and the unix id command that allows a malicious shell command injection.
This will result in arbitrary shell command execution as the user `Spark` is currently running as.
Ironically the `spark.acls.enable` configuration setting is designed to improve the security access within the Spark application,
but unfortunately this configuration setting triggers the vulnerable code below.
```
private def getUnixGroups(username: String): Set[String] = {
val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
// we need to get rid of the trailing "\n" from the result of command execution
Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
Utils.executeAndGetOutput(idPath :: "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet
}
}
```
This will result in arbitrary shell command execution as the user `Spark`.
This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1
Installing a vulnerable version of Apache Spark is quite easy.
Installing a vulnerable version of Apache Spark to test this vulnerability is quite easy.
To set the server up use the following docker-compose.yml file and follow the steps below:
```
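Review bot: the code block in this hunk is introduced as "the vulnerable code below" but contains both the pre-fix line `val cmdSeq = Seq("bash", "-c", "id -Gn " + username)` / `Utils.executeAndGetOutput(cmdSeq)...` and the patched form `Utils.executeAndGetOutput(idPath :: "-Gn" :: username :: Nil)...`, followed by an extra closing `}`; keep only the `bash -c` version (the one the text describes as building a shell command from user input), or label the second line explicitly as the fixed code, and drop the unmatched brace so the snippet compiles as shown. Two smaller documentation points in the same hunk: the sentence "as the user `Spark` is currently running as" reads as if `Spark` were a fixed account name, so prefer "as the user the Spark process is running as", and the affected-versions sentence ("versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1") is missing its terminating period.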
@@ -165,7 +177,7 @@ msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) >
```
## Limitations
The check option to determine if the application is vulnerable is based on a 403 response and the successful execution of a `sleep 10` command.
The check to determine if the application is vulnerable is based on a 403 response and the successful execution of a `sleep 10` command.
The exploit is a blind command injection, so there is nothing reflected back on the page during the command execution.
The sleep command execution in this case is therefore a pretty safe bet to check if the command is succesfully executed.
This test works fine a LAN based setup where the timing for execution will be around 10 seconds.
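Review bot: the Limitations section should say what the timing-based check does on links that are not LAN-like, since the only signals are the 403 response and a roughly 10-second delay from `sleep 10`; a high-latency or congested path, or a heavily loaded Spark host, can push the observed delay past whatever window the check uses and yield a false negative, while an independently slow server can yield a false positive, and it is worth stating that the check itself executes a command on the target rather than being passive. Two typos in the hunk: "succesfully" should be "successfully", and "works fine a LAN based setup" is missing "in" ("works fine in a LAN-based setup").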