Open maoning opened 6 months ago
@maoning Can I write a tsunami plugin for this?
@lanced00m please reminds me once you finish the plugin implementation for https://github.com/google/tsunami-security-scanner-plugins/issues/412 .
@maoning I already wrote the plugin for #412 can I work on this now?
@maoning
My first PR is merged could you assign this PR to me?
Here are the tasks for this request before starting the implementation:
After a lot of research on the Slurm architecture, I'm sharing what I know about this framework: Slurm has a REST API and it must contain an authentication method. slurmctld and slurmdbd can be exposed, but these two only accept data over TCP connections. After reading the TCP connections in Wireshark, I'm sure that slurmctld (the command with which we can run our bash scripts or jobs) first should connect to slurmdbd and get an authentication key from a host, and then use that to connect to a different host, which makes the exploitation even harder :) I have other submissions; I will be happy if you let me work on those, as it is not feasible for me to continue working on this plugin.
Thank you @lanced00m for the detailed investigation. Do you know if getting the authentication key indicates immediate compromise? If so, we can trigger the detection that way (without reaching out to a different host for command execution).
OK, I will work on this; it can take time in terms of reading the Wireshark logs :))
A secret key exists on each host on which the Slurm client CLI should run, so we should have this secret key, which means we should have access to a slurmd cluster, and it is not possible.
But... I found out that the REST API authentication can be ignored by Authentication proxies according to their official example and documents!
Here is the reference: https://slurm.schedmd.com/rest.html#auth_proxy Also, according to the last paragraph of the reference, there is a Slurm ecosystem based on Docker Slurm. I can use something similar to it to proxy the authentication and disable the authentication with the help of the proxy. If you allow me, I can start writing the plugin this week.
There is a way to disable the REST API authentication, but I couldn't do it because the documentation doesn't mention this explicitly, and a lot of bugs :)) happened when I changed the configuration. I should not spend my time on this part anymore because an authentication proxy can exist, and we can have an easy-to-use setup to have unauthenticated Slurm REST API access.
I just made a PR for testbeds: https://github.com/google/security-testbeds/pull/59
@maoning, it has been over two weeks since I last wrote a plugin. Could you please accept this as soon as possible?
@lanced00m Thanks for the detailed vuln research, you can go ahead with the plugin implementation for exposed Slurm API.
https://github.com/projectdiscovery/nuclei-templates/blob/f08351ccb2366033c49f23e2c07550d0e464618f/http/misconfiguration/slurm-hpc-dashboard.yaml#L4
Please verify the exposed UI via callback or other actions rather than simple regex matches.
Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.
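Added example (not code from this issue, the Tsunami project or Slurm) of the active verification asked for above: a check that requests the Slurm REST API ping endpoint without the Slurm auth headers and reports a finding only when the reply has the JSON structure slurmrestd produces, rather than on a regex match. It assumes the `/slurm/v0.0.38/ping` path and the reply shape from the Slurm OpenAPI spec; the sample body is constructed.

```python
import json
import urllib.error
import urllib.request

# Assumption: the target serves this API version; check /openapi/v3 for yours.
PING_PATH = "/slurm/v0.0.38/ping"

def is_slurm_ping_response(body: str) -> bool:
    """True only if body has the JSON shape of slurmrestd's ping reply:
    meta.plugin.type "openapi/..." and a non-empty pings list. A regex for
    "slurm" would also match the dashboard or an error page."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    meta = doc.get("meta") if isinstance(doc, dict) else None
    plugin = meta.get("plugin") if isinstance(meta, dict) else None
    pings = doc.get("pings") if isinstance(doc, dict) else None
    return (isinstance(plugin, dict)
            and str(plugin.get("type", "")).startswith("openapi/")
            and isinstance(pings, list) and len(pings) > 0
            and all(isinstance(p, dict) and "hostname" in p and "pinged" in p
                    for p in pings))

def check_unauthenticated(base_url: str, timeout: float = 5.0) -> bool:
    """GET the ping endpoint without X-SLURM-USER-NAME/X-SLURM-USER-TOKEN.
    Auth-enforcing slurmrestd (or a proxy doing its job) answers 401/403;
    the finding is a 200 whose body passes the structural check."""
    req = urllib.request.Request(base_url.rstrip("/") + PING_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status == 200 and is_slurm_ping_response(body)
    except urllib.error.HTTPError:
        return False  # 401/403 etc.: authentication is enforced
    except (urllib.error.URLError, OSError):
        return False  # unreachable or refused: not a finding

# Constructed sample of a slurmrestd ping reply, for offline testing.
SAMPLE_PING = json.dumps({
    "meta": {"plugin": {"type": "openapi/v0.0.38",
                        "name": "Slurm OpenAPI v0.0.38"}},
    "errors": [],
    "pings": [{"hostname": "ctl1", "pinged": "UP", "latency": 12,
               "mode": "primary"}],
})
```

Run `check_unauthenticated("http://host:6820")` against your own slurmrestd to confirm the auth proxy or token check is actually enforced.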