search

Unauthorized Access Vulnerability in Hadoop Yarn RPC

hashtag
Vulnerability Overview

Hadoop Yarn, as one of the core components of Hadoop, is responsible for allocating resources to various clusters and running various applications, and scheduling the execution of tasks on different cluster nodes. Hadoop Yarn opens its RPC service to the public by default, and attackers can use the RPC service to execute arbitrary commands and control the server.

In addition, since the access control mechanism of Hadoop Yarn RPC service is different from that of REST API, even if there is authorization authentication in REST API, the port where RPC service is located can still be accessed without authorization.

hashtag
Environment Setup

https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn

You need to modify the docker-compose.yml to add the 8032 port mapping.

image-20220726135831239

Make a curl request to port 8032.

hashtag
Vulnerability Exploitation

EXP: https://github.com/cckuailong/YarnRpcRCE

image-20220726143734307

View logs

image-20220726144048169

Reverse shell

Successful connection

hashtag
Vulnerability Fix

  1. The official Apache Hadoop recommends that users enable Kerberos authentication.

  2. Set the port where Hadoop RPC service is located to be open only to trusted addresses.

  3. It is recommended to upgrade and enable the authentication function of Kerberos to prevent unauthorized access.

PreviousUnauthorized Access Vulnerability in Hadoop YARN ResourcemanagerNextUnauthorized Access Vulnerability in InfluxDB API

Last updated