From d3a1d21f733e91871790c9f5d78bc4d65a408789 Mon Sep 17 00:00:00 2001
From: alixthegreat
Date: Tue, 16 Dec 2025 18:51:30 +0000
Subject: [PATCH 1/4] Update Apache Spark configuration and installation process
Updated service.pp to manage Spark master and worker processes
---
 .../http/apache_spark_rce/apache_spark_rce.pp | 6 ++--
 .../files/spark-defaults.conf | 5 ++-
 .../apache_spark_rce/manifests/configure.pp | 7 ++--
 .../apache_spark_rce/manifests/install.pp | 33 +++++++++++++++++--
 .../apache_spark_rce/manifests/service.pp | 17 ++++++++--
 .../templates/spark.service.erb | 1 +
 scenarios/ctf/catching_sparks.xml | 4 +--
 7 files changed, 60 insertions(+), 13 deletions(-)
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp
index 1b25529f0..a691d6b67 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp
@@ -3,9 +3,9 @@
 # https://spark.apache.org/docs/3.1.2/
 # https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
 # https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_spark_rce_cve_2022_33891.rb
-contain apache_spark_rce::install
-contain apache_spark_rce::configure
-contain apache_spark_rce::service
+include apache_spark_rce::install
+include apache_spark_rce::configure
+include apache_spark_rce::service
 Class['apache_spark_rce::install'] -> Class['apache_spark_rce::configure'] -> Class['apache_spark_rce::service']
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf b/modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf
index 553d716a3..c29c3ad2c 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf
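Review bot: Swapping `contain` for `include` on the three changed lines drops containment, so any resource elsewhere that orders itself against `Class['apache_spark_rce']` no longer waits for `apache_spark_rce::service` to finish; the `Class[...] -> Class[...] -> Class[...]` chain below keeps the three sub-classes ordered among themselves but not relative to the outer class. If the switch was made to clear a duplicate-declaration or dependency-cycle error, a one-line comment above the includes saying so, e.g. `# include rather than contain: <reason>`, would stop the next maintainer from reverting it.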
@@ -1 +1,4 @@
-spark.acls.enable true
\ No newline at end of file
+spark.acls.enable true
+spark.master.rest.enabled true
+spark.master.rest.port 6066
+spark.master.rest.host 0.0.0.0
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
index 9db179c29..05d1a5d7a 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
@@ -11,9 +11,12 @@
   Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
   # We set the acls flag in the config - This ensures its vulnerable
-  file { "/usr/local/spark/conf/${sparkconf}":
+  file { '/usr/local/spark/conf':
+    ensure => directory,
+  }
+  -> file { "/usr/local/spark/conf/${sparkconf}":
     ensure => file,
-    source => "puppet:///modules/apache_spark_rce/${sparkconf}"
+    source => "puppet:///modules/apache_spark_rce/${sparkconf}",
   }
   ::secgen_functions::leak_files { 'spark-flag-leak':
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp
index 09c5ee357..da426eb74 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp
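Review bot: The three new `spark.master.rest.*` lines switch on the standalone REST submission endpoint and bind it to every interface, a second exposed surface next to the `spark.acls.enable` line that the configure.pp comment already marks as the deliberately vulnerable setting, yet nothing in the file says the exposure is intentional. A leading comment line such as `# Scenario settings: ACLs enabled and the REST submission endpoint bound on all interfaces are deliberate for this exercise` would keep the entries from being read as an accident and quietly "fixed" later (Spark reads this file in Java properties format, so `#` comments are accepted). The file also still ends without a trailing newline, as the `\ No newline at end of file` markers on both sides record.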
@@ -8,7 +8,36 @@
   # Install required packages
   # NOTE: once Debian updates insert scala 2.12+ into statement
-  ensure_packages(['openjdk-11-jdk'], { ensure => 'installed'})
+
+  exec { 'download-jdk11':
+    cwd => '/tmp',
+    command => 'wget -O jdk11.tar.gz https://download.java.net/openjdk/jdk11.0.0.2/ri/openjdk-11.0.0.2_linux-x64.tar.gz',
+    creates => '/tmp/jdk11.tar.gz',
+    timeout => 300,
+  }
+  -> exec { 'extract-jdk11':
+    cwd => '/tmp',
+    command => 'tar -xzf jdk11.tar.gz',
+    creates => '/tmp/jdk-11.0.0.2',
+  }
+  -> file { '/usr/lib/jvm':
+    ensure => directory,
+  }
+  -> exec { 'install-jdk11':
+    cwd => '/tmp',
+    command => 'mv jdk-11.0.0.2 /usr/lib/jvm/java-11-openjdk',
+    creates => '/usr/lib/jvm/java-11-openjdk',
+  }
+
+  # Register Java 11 as alternative and set as default for spark
+  exec { 'register-java11-alternative':
+    command => '/usr/bin/update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-11-openjdk/bin/java 1111',
+    require => Exec['install-jdk11'],
+  }
+  -> exec { 'set-java11-default':
+    command => '/usr/bin/update-alternatives --set java /usr/lib/jvm/java-11-openjdk/bin/java',
+    require => Exec['register-java11-alternative'],
+  }
   $scaladeb = 'scala-2.12.10.deb'
   $releasename = 'spark-3.1.2-bin-hadoop3.2.tgz'
@@ -43,7 +72,7 @@
   # We run older versions of debian, for now source from local deb file
   package { 'scala':
-    ensure => latest,
+    ensure => present,
     provider => apt,
     source => "/tmp/${scaladeb}",
   }
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
index f8bd204a5..c699eac41 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
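Review bot: The JDK archive fetched by `download-jdk11` is never integrity-checked before `extract-jdk11` unpacks it and `install-jdk11` moves it under /usr/lib/jvm as the system-wide default Java, and because `wget -O jdk11.tar.gz` creates its output file before any data arrives, `creates => '/tmp/jdk11.tar.gz'` also treats an interrupted download as complete, so later runs never retry and the extract step keeps failing on the truncated file. Replacing `creates` with an `unless` that checks a pinned SHA-256 of the archive, and adding a verification exec ahead of the extract, makes the download self-healing and pins what gets installed; the rewritten resources are below, with the checksum left as a placeholder to be filled in from the published release hash. The two `update-alternatives` execs further down have no `unless` either, so they re-run on every agent run; `unless => 'test /etc/alternatives/java -ef /usr/lib/jvm/java-11-openjdk/bin/java'` on `set-java11-default` makes that step idempotent, and `register-java11-alternative` wants a similar guard. The enclosing class starts before this hunk and continues after it.
```puppet
  exec { 'download-jdk11':
    cwd      => '/tmp',
    command  => 'wget -O jdk11.tar.gz https://download.java.net/openjdk/jdk11.0.0.2/ri/openjdk-11.0.0.2_linux-x64.tar.gz',
    # Re-download whenever the archive is missing, truncated or altered;
    # a shell provider is needed for the pipe.
    unless   => 'echo "<JDK11_SHA256_PLACEHOLDER>  jdk11.tar.gz" | sha256sum -c --status',
    provider => shell,
    timeout  => 300,
  }
  # Fail the run rather than extract an unverified archive.
  -> exec { 'verify-jdk11':
    cwd      => '/tmp',
    command  => 'echo "<JDK11_SHA256_PLACEHOLDER>  jdk11.tar.gz" | sha256sum -c --status',
    provider => shell,
  }
  # … unchanged: extract-jdk11, /usr/lib/jvm, install-jdk11, alternatives …
```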
@@ -5,6 +5,7 @@
   $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
   $port = $secgen_parameters['port'][0]
   $user = $secgen_parameters['unix_username'][0]
+  $master_url = "spark://${::ipaddress}:7077"
   Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
@@ -16,8 +17,18 @@
     owner => 'root',
     mode => '0777',
   }
-  -> service { 'spark':
-    ensure => running,
-    enable => true,
+  -> exec { 'stop-spark-master':
+    command => "/usr/local/spark/sbin/stop-master.sh",
+    user => 'spark',
+    onlyif => '/bin/ps aux | /bin/grep -v grep | /bin/grep "org.apache.spark.deploy.master.Master"',
+  }
+  -> exec { 'start-spark-master':
+    command => "/usr/local/spark/sbin/start-master.sh --host 0.0.0.0 --properties-file /usr/local/spark/conf/spark-defaults.conf",
+    user => 'spark',
+  }
+  -> exec { 'start-spark-worker':
+    command => "/usr/local/spark/sbin/start-worker.sh ${master_url}",
+    user => 'spark',
+    require => Exec['start-spark-master'],
   }
 }
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb
index dc02ddd2d..3a9ad3ab7 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb
@@ -6,6 +6,7 @@ After=network.target
 Type=forking
 User=<%= @user %>
 Environment="PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/spark/sbin"
+Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk"
 WorkingDirectory=/usr/local/spark/bin/
 ExecStart=/usr/local/spark/sbin/start-master.sh
 Restart=on-abort
diff --git a/scenarios/ctf/catching_sparks.xml b/scenarios/ctf/catching_sparks.xml
index 472c7d5cb..7b85a2e22 100644
--- a/scenarios/ctf/catching_sparks.xml
+++ b/scenarios/ctf/catching_sparks.xml
@@ -86,7 +86,7 @@ server - +
@@ -101,7 +101,7 @@ - +
From 657352a662c53994818a74adf2863cddc3afe9a5 Mon Sep 17 00:00:00 2001
From: alixthegreat
Date: Thu, 18 Dec 2025 14:10:45 +0000
Subject: [PATCH 2/4] fixed preleak, changed to home directory
---
 .../http/apache_spark_rce/manifests/configure.pp | 15 ++++++++++++++-
 .../http/apache_spark_rce/secgen_metadata.xml | 10 ++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
index 05d1a5d7a..dedcd8066 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
@@ -7,6 +7,8 @@
   $leaked_filenames = $secgen_parameters['leaked_filenames']
   $strings_to_leak = $secgen_parameters['strings_to_leak']
   $user = $secgen_parameters['unix_username'][0]
+  $pre_leaked_filenames = $secgen_parameters['pre_leaked_filenames']
+  $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
   Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
@@ -23,7 +25,18 @@
     storage_directory => "/home/${user}",
     leaked_filenames => $leaked_filenames,
     strings_to_leak => $strings_to_leak,
-    owner => 'root',
+    owner => 'spark',
+    mode => '0750',
+    leaked_from => 'apache_spark_rce',
+  }
+
+  # Not really preleaking, hard to change spark config to pre leak.
+  # TODO in future: Actually preleak it through http-title to show in nmap scan
+  ::secgen_functions::leak_files { 'spark-flag-pre-leak':
+    storage_directory => "/home/${user}",
+    leaked_filenames => $pre_leaked_filenames,
+    strings_to_leak => $strings_to_pre_leak,
+    owner => 'spark',
     mode => '0750',
     leaked_from => 'apache_spark_rce',
   }
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml b/modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml
index 656bd9376..9a014bdff 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml
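Review bot: Both `leak_files` declarations in the second hunk hard-code `owner => 'spark'` while their `storage_directory` is `"/home/${user}"`, so whenever the scenario's `unix_username` parameter is anything other than `spark` the flags are owned by a different account than the home directory they sit in, and with `mode => '0750'` that account cannot read them; `owner => $user` keeps the ownership in step with the `$user` variable read in the first hunk. The comment on `spark-flag-pre-leak` is candid that the block is not a pre-leak, but it should also state the consequence, that this flag is only reachable after the exploit succeeds, so scenario authors do not count on it for the reconnaissance stage, e.g. `# NOTE: stored with the same permissions as the main flag, so it is not visible before exploitation`. The enclosing class starts before the first hunk and continues after the second.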
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml
@@ -28,6 +28,8 @@ strings_to_leak leaked_filenames unix_username + strings_to_pre_leak + pre_leaked_filenames
@@ -42,6 +44,14 @@ + + + + + + + + spark
From d84813c4ba66b946d0e0044d46353eca80ab543a Mon Sep 17 00:00:00 2001
From: alixthegreat
Date: Thu, 18 Dec 2025 15:09:27 +0000
Subject: [PATCH 3/4] changed to services to ensure it runs when vms restart
---
 .../apache_spark_rce/manifests/service.pp | 27 ++++++++++---------
 .../templates/spark-master.service.erb | 17 ++++++++++++
 ...k.service.erb => spark-worker.service.erb} | 7 ++---
 3 files changed, 35 insertions(+), 16 deletions(-)
 create mode 100644 modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-master.service.erb
 rename modules/vulnerabilities/unix/http/apache_spark_rce/templates/{spark.service.erb => spark-worker.service.erb} (62%)
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
index c699eac41..c1d037c0d 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
@@ -12,23 +12,24 @@
   exec { 'set-port':
     command => "sed -i 's/8080/${port}/' /usr/local/spark/sbin/start-master.sh",
   }
-  -> file { '/etc/systemd/system/spark.service':
-    content => template('apache_spark_rce/spark.service.erb'),
+  -> file { '/etc/systemd/system/spark-master.service':
+    content => template('apache_spark_rce/spark-master.service.erb'),
     owner => 'root',
     mode => '0777',
   }
-  -> exec { 'stop-spark-master':
-    command => "/usr/local/spark/sbin/stop-master.sh",
-    user => 'spark',
-    onlyif => '/bin/ps aux | /bin/grep -v grep | /bin/grep "org.apache.spark.deploy.master.Master"',
+  -> service { 'spark-master':
+    ensure => running,
+    enable => true,
   }
-  -> exec { 'start-spark-master':
-    command => "/usr/local/spark/sbin/start-master.sh --host 0.0.0.0 --properties-file /usr/local/spark/conf/spark-defaults.conf",
-    user => 'spark',
+  -> file { '/etc/systemd/system/spark-worker.service':
+    content => template('apache_spark_rce/spark-worker.service.erb'),
+    owner => 'root',
+    mode => '0777',
   }
-  -> exec { 'start-spark-worker':
-    command => "/usr/local/spark/sbin/start-worker.sh ${master_url}",
-    user => 'spark',
-    require => Exec['start-spark-master'],
+  -> service { 'spark-worker':
+    ensure => running,
+    enable => true,
   }
+
+
 }
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-master.service.erb b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-master.service.erb
new file mode 100644
index 000000000..d178cf6da
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-master.service.erb
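Review bot: The new `file { '/etc/systemd/system/spark-worker.service' }` carries `mode => '0777'`, matching the `mode => '0777'` already on the master unit above it, which leaves a unit that systemd parses and runs as root world-writable; that is a local privilege-escalation path even inside a CTF image, and systemd itself logs a warning for world-writable unit files. Unit files need no more than `mode => '0644'` on both resources. The `service { 'spark-master' }` and `service { 'spark-worker' }` declarations also depend on systemd having re-read the unit directory after the `file` resources are written; unless the Puppet version in use reloads automatically when a unit file changes, a `systemctl daemon-reload` exec notified by each `file` and required by each `service` is needed, otherwise the first run can fail to start the units. On a VM where the earlier manifest was applied, the old `spark.service` unit is neither disabled nor removed here, so a stale, enabled unit may still try to start a second master at boot.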
@@ -0,0 +1,17 @@
+[Unit]
+Description=Apache Spark Master
+After=network.target
+
+[Service]
+Type=forking
+User=<%= @user %>
+Environment="PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/spark/sbin"
+Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk"
+WorkingDirectory=/usr/local/spark/bin/
+ExecStart=/usr/local/spark/sbin/start-master.sh --host 0.0.0.0 --properties-file /usr/local/spark/conf/spark-defaults.conf
+ExecStop=/usr/local/spark/sbin/stop-master.sh
+Restart=on-abort
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb
similarity index 62%
rename from modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb
rename to modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb
index 3a9ad3ab7..798706c3f 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb
@@ -1,6 +1,6 @@
 [Unit]
-Description=Apache Spark Shell
-After=network.target
+Description=Apache Spark Worker
+After=network.target spark-master.service
 [Service]
 Type=forking
@@ -8,7 +8,8 @@ User=<%= @user %>
 Environment="PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/spark/sbin"
 Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk"
 WorkingDirectory=/usr/local/spark/bin/
-ExecStart=/usr/local/spark/sbin/start-master.sh
+ExecStart=/usr/local/spark/sbin/start-worker.sh <%= @master_url %>
+ExecStop=/usr/local/spark/sbin/stop-worker.sh
 Restart=on-abort
 RestartSec=1
From e22536c32b7fa9b3fde53f4a61321a3488b0e89f Mon Sep 17 00:00:00 2001
From: alixthegreat
Date: Thu, 18 Dec 2025 16:22:38 +0000
Subject: [PATCH 4/4] update ExecStart url in spark-worker to stop it from using the IP during build
---
 .../unix/http/apache_spark_rce/manifests/service.pp | 1 -
 .../http/apache_spark_rce/templates/spark-worker.service.erb | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
index c1d037c0d..fc4c9fc22 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
@@ -5,7 +5,6 @@
   $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
   $port = $secgen_parameters['port'][0]
   $user = $secgen_parameters['unix_username'][0]
-  $master_url = "spark://${::ipaddress}:7077"
   Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb
index 798706c3f..5caffc09c 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb
@@ -8,7 +8,7 @@ User=<%= @user %>
 Environment="PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/spark/sbin"
 Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk"
 WorkingDirectory=/usr/local/spark/bin/
-ExecStart=/usr/local/spark/sbin/start-worker.sh <%= @master_url %>
+ExecStart=/bin/bash -c '/usr/local/spark/sbin/start-worker.sh spark://$(hostname -I | awk "{print \$1}"):7077'
 ExecStop=/usr/local/spark/sbin/stop-worker.sh
 Restart=on-abort
 RestartSec=1
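Review bot: The new `ExecStart` resolves the master address through three quoting layers (systemd's own unquoting, `bash -c`, and the double-quoted awk program with `\$1`) and takes whichever address `hostname -I` lists first, which on a multi-homed VM is not guaranteed to be the interface the master is reachable on; since the master unit runs on the same host with `--host 0.0.0.0`, a fixed loopback or hostname-based master URL would remove the pipeline entirely, provided the master accepts worker registrations on that address. Whichever form stays, the line needs a comment recording why the address is computed at start time, because the commit message is currently the only place that says so: `# The IP seen at build time differs from the run-time IP, so the master address is resolved when the service starts`. A `#` line is a valid comment in a systemd unit, so it survives the ERB rendering unchanged.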