Xiaotong created SPARK-50240:
--------------------------------
Summary: Injection issues caused by uploading a fake jar package
Key: SPARK-50240
URL: https://issues.apache.org/jira/browse/SPARK-50240
Project: Spark
Issue Type: Improvement
Components: Spark Submit
Affects Versions: 3.5.3
Reporter: Xiaotong
We found an attack path, which can follow the customized Spark rules, upload a
fake JAR package, and escalate privileges to perform command injection attacks.
*Attack Path:*
# Obtain the permissions of a common CAE user
# Forge a JAR package and XML based on the customized Spark rules
# Compress the JAR package and XML, and upload the archive to CAE for instantiation
# Run the forged instance
# The instance loads the JAR package, which performs the command injection
*Attack Implementation:*
During upload, only the file name of the package is verified; the contents of the JAR are never checked
{code:java}
// File localFile = new File(ValidFileName)
if (!StringUtils.endsWith(localFilePath, "com.xxx.xxx.xxx.jar") &&
    !StringUtils.endsWith(localFilePath, "xxxxx"))
    xxxx
return xxxx{code}
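The following is an added example, not code from the Spark project or from the reporter, showing why the file-name check above is insufficient and what a content-based check looks like. The jar name com.xxx.xxx.xxx.jar and the class name com.xxx.xxx.TestApp are taken from the issue; the APPROVED_JARS digest allow-list, the sample JARs built in memory, and the function names are assumptions for illustration.

```python
"""Weak (file-name only) vs. hardened (content + digest) JAR upload check.
Added example; not the Spark project's or the reporter's code."""
import hashlib
import io
import os
import zipfile

EXPECTED_JAR_NAME = "com.xxx.xxx.xxx.jar"   # taken from the issue


def weak_check(local_file_path: str) -> bool:
    """Mirror of the check quoted in the issue: accept any path that merely
    ends with the expected jar name. The JAR's contents are never inspected,
    and a prefix such as 'evil-' still passes."""
    return local_file_path.endswith(EXPECTED_JAR_NAME)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_jar(main_class: str, class_bytes: bytes) -> bytes:
    """Construct a minimal JAR (a ZIP with a manifest) in memory. Used only
    to produce constructed sample input for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nMain-Class: {main_class}\n")
        zf.writestr(main_class.replace(".", "/") + ".class", class_bytes)
    return buf.getvalue()


# Constructed samples: the genuine build and an attacker's fake that carries
# the same file name and class name but different bytecode.
GENUINE_JAR = build_jar("com.xxx.xxx.TestApp", b"\xca\xfe\xba\xbe genuine")
FAKE_JAR = build_jar("com.xxx.xxx.TestApp", b"\xca\xfe\xba\xbe evil")

# Assumed allow-list: SHA-256 digests of artifacts approved for deployment,
# keyed by the exact jar file name a rule XML may reference.
APPROVED_JARS = {EXPECTED_JAR_NAME: {sha256_of(GENUINE_JAR)}}


def strong_check(local_file_path: str, data: bytes) -> bool:
    """Accept an upload only if (1) the base file name is exactly an approved
    name (no prefix, no suffix trick), (2) the bytes are a well-formed JAR
    with a manifest, and (3) their SHA-256 is on the allow-list."""
    name = os.path.basename(local_file_path)
    if name not in APPROVED_JARS:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return False
            if "META-INF/MANIFEST.MF" not in zf.namelist():
                return False
    except zipfile.BadZipFile:
        return False
    return sha256_of(data) in APPROVED_JARS[name]
```

With the weak check, both /tmp/com.xxx.xxx.xxx.jar and /tmp/evil-com.xxx.xxx.xxx.jar are accepted whatever they contain; with the strong check only the genuine bytes under the exact approved name pass. A digest allow-list is the minimum; signed JARs verified against a pinned signer certificate would serve the same purpose where a build pipeline already signs artifacts.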
Forge the JAR package and the rule XML that references it
{code:xml}
<?xml version="1.0" encoding="utf-8"?>
<rule>
<rule>
<rulename>TestApp</rulename>
<uri></uri>
<jarname>com.xxx.xxx.xxx.jar</jarname>
<sparkjobclassname>com.xxx.xxx.TestApp</sparkjobclassname>
... ...{code}
Command injection at runtime: the injected command created /tmp/target, owned by the streaming user
{code:bash}
CAEcluster1:/home/sshuser # ll /tmp/target
-rw-r----- 1 streaming universe 0 Aug 6 10:32 /tmp/target
CAEcluster1:/home/sshuser #{code}
Escalate privileges to root: rcstreaming.sh is owned by the streaming user (who can therefore rewrite it), and sudoers lets streaming run it as root without a password
{code:bash}
CAEcluster1:/etc/init.d # ll
... ...
-rwx------ 1 streaming universe 7044 Jul 11 12:09 rcstreaming.sh
... ...
CAEcluster1:/etc/init.d #{code}
{code:bash}
CAEcluster1:/etc/init.d # cat /etc/sudoers /etc/sudoers.d/* | grep rcstreaming.sh
streaming ALL=(root) NOPASSWD: /etc/init.d/rcstreaming.sh
CAEcluster1:/etc/init.d #
{code}
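The following is an added example, not code from the Spark project or from the reporter, that audits for the escalation chain shown in the two listings above: a sudoers rule granting a service account root execution of a script that the same account owns and can rewrite. The sudoers line and the owner/mode of /etc/init.d/rcstreaming.sh are copied from the issue; the backup/rsync control line, the FILE_META stand-in for os.stat(), and the function names are constructed assumptions for illustration.

```python
"""Find sudo targets that run as root but are controlled by the invoking user.
Added example; not the Spark project's or the reporter's code."""
import re
import stat
from typing import Dict, List, Tuple

# Constructed from the issue's `cat /etc/sudoers /etc/sudoers.d/*` output,
# plus a benign control line (backup/rsync) that must not be flagged.
SUDOERS_TEXT = """\
# /etc/sudoers.d/streaming
streaming ALL=(root) NOPASSWD: /etc/init.d/rcstreaming.sh
backup    ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Constructed stand-in for os.stat(): path -> (owner, permission bits).
# rcstreaming.sh values come from the issue's `ll` output (-rwx------ streaming).
FILE_META: Dict[str, Tuple[str, int]] = {
    "/etc/init.d/rcstreaming.sh": ("streaming", 0o700),
    "/usr/bin/rsync": ("root", 0o755),
}

# user  host=(runas[:group])  [TAG: ...]  command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str) -> List[dict]:
    """Parse plain user-specification lines; aliases and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split()[0]  # keep the executable, drop arguments
            rules.append({
                "user": m.group("user"),
                "runas": m.group("runas").split(":")[0].strip() or "root",
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "command": path,
            })
    return rules


def user_can_modify(owner: str, mode: int, user: str) -> bool:
    """The owner can always chmod and rewrite the file whatever its current
    mode; anyone can if it is world-writable. Group write is not modelled."""
    return owner == user or bool(mode & stat.S_IWOTH)


def find_escalation_paths(text: str, meta: Dict[str, Tuple[str, int]]) -> List[str]:
    """Report sudo targets that run as root and whose file is controlled by
    the very user permitted to invoke them."""
    findings = []
    for r in parse_sudoers(text):
        if r["runas"] not in ("root", "ALL"):
            continue
        if r["command"] not in meta:
            continue  # dangling target: out of scope for this example
        owner, mode = meta[r["command"]]
        if user_can_modify(owner, mode, r["user"]):
            findings.append(
                f"{r['user']} -> sudo {r['command']} "
                f"(owner {owner}, mode {mode:o}, nopasswd={r['nopasswd']})"
            )
    return findings
```

Run against the constructed input, the audit flags only the streaming/rcstreaming.sh pair. The fix on the host side is the mirror of the check: a sudo target that runs as root must be owned by root and not writable by the invoking user or group, so that a command-injection foothold as streaming cannot be turned into root by editing the script.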
--
This message was sent by Atlassian Jira
(v8.20.10#820010)