/CVE-2022-33891

Apache Spark Command Injection PoC Exploit for CVE-2022-33891

Primary LanguagePythonMIT LicenseMIT

CVE-2022-33891 PoC

PoC for CVE-2022-33891, with ability to set custom payloads.

Not vulnerable by default; vulnerable when:

./spark-submit --conf spark.acls.enable=TRUE ____

Intended Use

Usage of this script is limited to personnel who are authorised to run the payload on the target hosts for vulnerability patching purposes only. Prior to running this script, ensure you are authorised.

Usage

git clone https://github.com/west-wind/CVE-2022-33891.git
python cve-2022-33891.py

Getting Started

This POC expects to receive all targets in a CSV file titled --> allTargets.csv with one column titled --> targets, containing all the targets that need to be scanned ex., http://12.23.45.67:9099 or http://spark.domain.com. The / will be added by the script.

Enter the payload to be executed on the target in the POC.conf file. Your host in --> yourHostHere http://my_domain_here.com Your payload in --> yourPayloadHere payload.sh

Made for research purposes.

Identify

Shodan

http.favicon.hash:856048515

Detection Splunk Query

index=web sourcetype IN (nginx, waf_logs) url=*/?doAs*
| eval decodedIndicators=urldecode(url)
| table _time src_ip dest status request url decodedIndicators

Patching & References

NIST NVD

Apache Advisory

W01fh4cker