Catching sparks Lab

modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp

@@ -3,9 +3,9 @@
 # https://spark.apache.org/docs/3.1.2/
 # https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
 # https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_spark_rce_cve_2022_33891.rb
-contain apache_spark_rce::install
-contain apache_spark_rce::configure
-contain apache_spark_rce::service
+include apache_spark_rce::install
+include apache_spark_rce::configure
+include apache_spark_rce::service
 Class['apache_spark_rce::install']
 -> Class['apache_spark_rce::configure']
 -> Class['apache_spark_rce::service']

modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf

@@ -1 +1,4 @@
-spark.acls.enable true
+spark.acls.enable true
+spark.master.rest.enabled true
+spark.master.rest.port 6066
+spark.master.rest.host 0.0.0.0

modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp

@@ -7,20 +7,36 @@
   $leaked_filenames = $secgen_parameters['leaked_filenames']
   $strings_to_leak = $secgen_parameters['strings_to_leak']
   $user = $secgen_parameters['unix_username'][0]
+  $pre_leaked_filenames = $secgen_parameters['pre_leaked_filenames']
+  $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
 
   Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
 
   # We set the acls flag in the config - This ensures its vulnerable
-  file { "/usr/local/spark/conf/${sparkconf}":
+  file { '/usr/local/spark/conf':
+    ensure => directory,
+  }
+  -> file { "/usr/local/spark/conf/${sparkconf}":
     ensure => file,
-    source => "puppet:///modules/apache_spark_rce/${sparkconf}"
+    source => "puppet:///modules/apache_spark_rce/${sparkconf}",
   }
 
   ::secgen_functions::leak_files { 'spark-flag-leak':
     storage_directory => "/home/${user}",
     leaked_filenames  => $leaked_filenames,
     strings_to_leak   => $strings_to_leak,
-    owner             => 'root',
+    owner             => 'spark',
+    mode              => '0750',
+    leaked_from       => 'apache_spark_rce',
+  }
+
+  # Not really preleaking, hard to change spark config to pre leak.
+  # TODO in future: Actually preleak it through http-title to show in nmap scan
+  ::secgen_functions::leak_files { 'spark-flag-pre-leak':
+    storage_directory => "/home/${user}",
+    leaked_filenames  => $pre_leaked_filenames,
+    strings_to_leak   => $strings_to_pre_leak,
+    owner             => 'spark',
     mode              => '0750',
     leaked_from       => 'apache_spark_rce',
   }

modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp

@@ -8,7 +8,36 @@
 
   # Install required packages
   # NOTE: once Debian updates insert scala 2.12+ into statement
-  ensure_packages(['openjdk-11-jdk'], { ensure => 'installed'})
+
+  exec { 'download-jdk11':
+    cwd     => '/tmp',
+    command => 'wget -O jdk11.tar.gz https://download.java.net/openjdk/jdk11.0.0.2/ri/openjdk-11.0.0.2_linux-x64.tar.gz',
+    creates => '/tmp/jdk11.tar.gz',
+    timeout => 300,
+  }
+  -> exec { 'extract-jdk11':
+    cwd     => '/tmp',
+    command => 'tar -xzf jdk11.tar.gz',
+    creates => '/tmp/jdk-11.0.0.2',
+  }
+  -> file { '/usr/lib/jvm':
+    ensure => directory,
+  }
+  -> exec { 'install-jdk11':
+    cwd     => '/tmp',
+    command => 'mv jdk-11.0.0.2 /usr/lib/jvm/java-11-openjdk',
+    creates => '/usr/lib/jvm/java-11-openjdk',
+  }
+
+  # Register Java 11 as alternative and set as default for spark
+  exec { 'register-java11-alternative':
+    command => '/usr/bin/update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-11-openjdk/bin/java 1111',
+    require => Exec['install-jdk11'],
+  }
+  -> exec { 'set-java11-default':
+    command => '/usr/bin/update-alternatives --set java /usr/lib/jvm/java-11-openjdk/bin/java',
+    require => Exec['register-java11-alternative'],
+  }
 
   $scaladeb = 'scala-2.12.10.deb'
   $releasename = 'spark-3.1.2-bin-hadoop3.2.tgz'
@@ -43,7 +72,7 @@
 
   # We run older versions of debian, for now source from local deb file
   package { 'scala':
-    ensure   => latest,
+    ensure   => present,
     provider => apt,
     source   => "/tmp/${scaladeb}",
   }

modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp

@@ -11,13 +11,24 @@
   exec { 'set-port':
     command => "sed -i 's/8080/${port}/' /usr/local/spark/sbin/start-master.sh",
   }
-  -> file { '/etc/systemd/system/spark.service':
-    content => template('apache_spark_rce/spark.service.erb'),
+  -> file { '/etc/systemd/system/spark-master.service':
+    content => template('apache_spark_rce/spark-master.service.erb'),
     owner   => 'root',
     mode    => '0777',
   }
-  -> service { 'spark':
+  -> service { 'spark-master':
     ensure => running,
     enable => true,
   }
+  -> file { '/etc/systemd/system/spark-worker.service':
+    content => template('apache_spark_rce/spark-worker.service.erb'),
+    owner   => 'root',
+    mode    => '0777',
+  }
+  -> service { 'spark-worker':
+    ensure => running,
+    enable => true,
+  }
+
+
 }

modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml

@@ -28,6 +28,8 @@
   <read_fact>strings_to_leak</read_fact>
   <read_fact>leaked_filenames</read_fact>
   <read_fact>unix_username</read_fact>
+  <read_fact>strings_to_pre_leak</read_fact>
+  <read_fact>pre_leaked_filenames</read_fact>
 
   <default_input into="port">
     <generator module_path=".*/random_unregistered_port" />
@@ -42,6 +44,14 @@
     <generator type="filename_generator" />
   </default_input>
 
+  <default_input into="strings_to_pre_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <default_input into="pre_leaked_filenames">
+    <generator type="filename_generator" />
+  </default_input>
+
   <default_input into="unix_username">
     <value>spark</value>
   </default_input>

modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb → modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-master.service.erb

@@ -1,13 +1,15 @@
 [Unit]
-Description=Apache Spark Shell
+Description=Apache Spark Master
 After=network.target
 
 [Service]
 Type=forking
 User=<%= @user %>
 Environment="PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/spark/sbin"
+Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk"
 WorkingDirectory=/usr/local/spark/bin/
-ExecStart=/usr/local/spark/sbin/start-master.sh
+ExecStart=/usr/local/spark/sbin/start-master.sh --host 0.0.0.0 --properties-file /usr/local/spark/conf/spark-defaults.conf
+ExecStop=/usr/local/spark/sbin/stop-master.sh
 Restart=on-abort
 RestartSec=1
 

modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb

@@ -0,0 +1,17 @@
+[Unit]
+Description=Apache Spark Worker
+After=network.target spark-master.service
+
+[Service]
+Type=forking
+User=<%= @user %>
+Environment="PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/spark/sbin"
+Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk"
+WorkingDirectory=/usr/local/spark/bin/
+ExecStart=/bin/bash -c '/usr/local/spark/sbin/start-worker.sh spark://$(hostname -I | awk "{print \$1}"):7077'
+ExecStop=/usr/local/spark/sbin/stop-worker.sh
+Restart=on-abort
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target

scenarios/ctf/catching_sparks.xml

@@ -86,7 +86,7 @@
 
     <system>
         <system_name>server</system_name>
-        <base distro="Debian 10" type="desktop" name="KDE" />
+        <base distro="Debian 12" type="desktop" name="KDE" />
 
         <vulnerability module_path=".*/apache_spark_rce">
             <input into="strings_to_leak">
@@ -101,7 +101,7 @@
             </input>
         </vulnerability>
 
-        <vulnerability module_path="*./chkrootkit"></vulnerability>
+        <vulnerability module_path=".*/chkrootkit"></vulnerability>
 
         <network type="private_network">
             <input into="IP_address">