Goal Reached Thanks to every supporter β€” we hit 100%!

Goal: 1000 CNY Β· Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-33891 PoC β€” Apache Spark shell command injection vulnerability via Spark UI

Source
https://github.com/AmoloHT/CVE-2022-33891
Associated Vulnerability
Title:Apache Spark shell command injection vulnerability via Spark UI (CVE-2022-33891)
Description:The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
Description
γ€ŒπŸ’₯」CVE-2022-33891 - Apache Spark Command Injection
Readme
<h1 align="center">γ€ŒπŸ’₯」CVE-2022-33891</h1>

<p align="center"><img height="200" src="https://upload.wikimedia.org/wikipedia/commons/thumb/f/f3/Apache_Spark_logo.svg/2560px-Apache_Spark_logo.svg.png"></p>

## Description

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.

### Vulnerable Code

```
private def getUnixGroups(username: String): Set[String] = {
    val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
    // we need to get rid of the trailing "\n" from the result of command execution
    Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
}
```

* https://github.com/apache/spark/pull/36315/files#diff-96652ee6dcef30babdeff0aed66ced6839364ea4b22b7b5fdbedc82eb655eeb5L41

## Demo

![demo](demo.png)

## Usage

```
pip install requests
git clone https://github.com/AmoloHT/CVE-2022-33891
cd CVE-2022-33891
python3 CVE-2022-33891.py -u http://TARGET.TLD
```

## Reference

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33891
* https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc
File Snapshot

 [4.0K]  /data/pocs/9f55dc6cda711a4bdc404480964d49e461574f68
β”œβ”€β”€ [3.3K]  CVE-2022.33891.py
β”œβ”€β”€ [161K]  demo.png
└── [1.7K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers β€” if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online β€” thank you for the support. View subscription plans β†’