This is the story of how only two insecure configurations allowed us to take down an entire cloud hosted company. It was a gray box pentest for a relatively big client, in which we were tasked with assessing the security of about 5 development endpoints, accessible only using a client certificate. After setting up our environment, we started scanning the endpoints, and Nessus quickly returned an exploitable vulnerability:

Hadoop exposes this API (the YARN ResourceManager REST API) to allow management of its resources. Authentication should be in place to prevent anonymous command execution. A quick searchsploit search returned an available RCE exploit.
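The weak setting behind this finding is a Hadoop cluster left on its shipped defaults (no Kerberos, anonymous HTTP access allowed, no YARN ACLs). The following audit script is an added example, not code from the original post: it parses a Hadoop-style site XML file and lists every setting that is weaker than the hardened value. The XML content is constructed to mirror the defaults; `parse_site_xml` and `audit` are names chosen here.

```python
"""Audit Hadoop site XML for settings that let the YARN ResourceManager
REST API accept anonymous requests. Added example, not from the post."""
import xml.etree.ElementTree as ET

# Constructed sample (assumption: the cluster runs on Hadoop's defaults).
WEAK_SITE_XML = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
</configuration>
"""

# Hardened values a reviewer expects for these keys.
EXPECTED = {
    "hadoop.security.authentication": "kerberos",
    "hadoop.security.authorization": "true",
    "hadoop.http.authentication.type": "kerberos",
    "hadoop.http.authentication.simple.anonymous.allowed": "false",
    "yarn.acl.enable": "true",
}

# Hadoop's own defaults, used when a key is absent from the file.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
    "yarn.acl.enable": "false",
}


def parse_site_xml(text):
    """Return {name: value} from a Hadoop <configuration> document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(props):
    """Return (key, actual, expected) for each setting weaker than expected."""
    findings = []
    for key, expected in EXPECTED.items():
        actual = props.get(key, DEFAULTS[key]).lower()
        if actual != expected:
            findings.append((key, actual, expected))
    return findings


if __name__ == "__main__":
    for key, actual, expected in audit(parse_site_xml(WEAK_SITE_XML)):
        print(f"WEAK {key}={actual!r} (expected {expected!r})")
```

A key missing from the file is scored against Hadoop's default, so an empty configuration is reported as fully weak rather than silently passing.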

The description shows something like this:

This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.

Yes, those censored names are all the sysadmins.

Whenever you're working on a Hadoop environment, two excellent resources to get started are (both from Wavestone):

In this case, we already had control of the entire cluster with our YARN ResourceManager API. To quote a paragraph from the Hadoop attack library:

Due to the distributed nature of a MapReduce job, it is not possible to specify on which node you want to execute your payload. There is no mechanism ensuring that the payload you will launch on two successive jobs will execute on the same cluster member.

Basically, every command that you send to the API will be mapped to a random node.

This was actually beneficial for us because every time we ran the exploit, we landed on a different instance with (possibly) new information. Of course, manually trying every possibility is not a smart approach, so let's do some enumeration on a random datanode.

You can get a lot of information from the cluster using the hdfs binary. A useful report can be queried with

hdfs dfsadmin -report

Good thing we didn’t try to manually get to all instances. There were 50 of them! We also see from the report that this cluster has a lot of information (about 70TB used of 90TB).

Combining Hadoop and MCollective for total network compromise