IN PROGRESS: Hadoop Yarn RCE

modules/vulnerabilities/unix/http/hadoop_yarn_rce/hadoop_yarn_rce.pp

@@ -0,0 +1,6 @@
+# begining of puppet code execution
+
+contain hadoop_yarn_rce::install
+contain hadoop_yarn_rce::hadoop
+Class['hadoop_yarn_rce::install']->
+Class['hadoop_yarn_rce::hadoop'] 

modules/vulnerabilities/unix/http/hadoop_yarn_rce/manifests/account.pp

@@ -0,0 +1,63 @@
+define hadoop_yarn_rce::account ($username, $password, $strings_to_leak, $leaked_filenames, $ssh_key_pair ) {
+	$ssh_private_key = $ssh_key_pair['private']
+	$ssh_public_key = $ssh_key_pair['public']
+	$public_key_string = "$ssh_public_key $username@domain"
+
+	#TODO cleanup
+	::accounts::user { $username:
+		shell      => '/bin/bash',
+		password   => pw_hash($password, 'SHA-512', 'mysalt'),
+		managehome => true,
+		home_mode  => '0755',
+		sshkeys    => [ $public_key_string ]
+	  }
+
+	  # Leak strings in a text file in the users home directory
+	  # ::secgen_functions::leak_files { "$username-file-leak":
+		# storage_directory => "/home/$username/",
+		# leaked_filenames  => $leaked_filenames,
+		# strings_to_leak   => $strings_to_leak,
+		# owner             => $username,
+		# group             => $username,
+		# mode              => '0600',
+		# leaked_from       => "accounts_$username",
+	  # }
+
+	  # Move public key to box
+
+	 file { "/home/${username}/.ssh/id_rsa.pub":
+		owner   => $username,
+		group   => $username,
+		mode    => '0600',
+		ensure  => file,
+		content => $public_key_string,
+		notify  => File["/home/$username/.ssh/id_rsa"]
+	  }
+	  # Move private key to box
+	  file { "/home/$username/.ssh/id_rsa":
+		owner   => $username,
+		group   => $username,
+		mode    => '0600',
+		ensure  => file,
+		content => $ssh_private_key,
+		notify  => Exec['pack_to_tar']
+	  }
+
+	  # Pack the ssh keys to .tar.gz
+	  exec { 'pack_to_tar':
+		cwd     => "/home/$username/.ssh/",
+		command => "tar -cvzf /home/$username/.ssh.tar.gz *",
+		path    => [ '/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/' ],
+		notify  => Exec['setperm']
+	  }
+
+	  exec { 'setperm':
+		cwd     => "/home/$username/",
+		command => "sudo chown -R $username:$username /home/$username/.ssh",
+		path    => [ '/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/' ]
+	  }
+
+
+
+
+}

modules/vulnerabilities/unix/http/hadoop_yarn_rce/manifests/hadoop.pp

@@ -0,0 +1,94 @@
+class hadoop_yarn_rce::hadoop {
+	#$secgen_parameters=secgen_functions::get_parameters($::base64_inputs_file)
+	#$account = parsejson($secgen_params['account'][0])
+	$username='hadoop_user'#$username = $account['username']
+	$password='password'#$password = $account['password']
+	$strings_to_leak = ["this is a list of strings that are secrets / flags","another secret"]##$secgen_parameters['strings_to_leak']
+	$leaked_filenames = ["flagtest"]##$secgen_parameters['leaked_filenames']
+	$home_directory ='/opt/hadoop'
+	$hadoop_directory= '/usr/local/hadoop'
+	$java_version= "java-11-openjdk-amd64"
+    $java_path ="/usr/lib/jvm/${java_version}"
+
+
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+	#create and configure hadoop user 
+	::hadoop_yarn_rce::hadoop_user{"hadoop_yarn_rce_${username}":
+		username => $username,		
+		password   => pw_hash($password, 'SHA-512', 'mysalt'),
+		hadoop_directory =>	$hadoop_directory,
+		java_path => $java_path, 
+		strings_to_leak => $strings_to_leak,
+		leaked_filenames => $leaked_filenames,
+
+	}->
+	#create log directory 
+	file {'/usr/local/hadoop/logs':
+		ensure =>directory,
+		owner  => $username,
+		group  => $username,
+		notify => Exec['chown-hadoop-permissions']
+	}
+
+	#update directory permissions
+	exec {'chown-hadoop-permissions':
+		command => "chown -R ${username}: ${hadoop_directory}",
+		notify => Exec['execute .bashrc']
+	}
+	exec {'execute .bashrc':
+		cwd => "${home_directory}",
+		command => "source ~/.bashrc",
+        user => "${username}",
+		logoutput => true,
+		notify => Exec["${home_directory} JAVA_JDK path"]		
+	}
+	exec {"${home_directory} JAVA_JDK path":
+		cwd => "${home_directory}",
+		command => "readlink -f \\\$\${java_version}",
+		logoutput => true
+	}->
+
+    #update config files
+	file { "${hadoop_directory}/etc/hadoop/core-site.xml":
+		ensure  => present,
+		content  => template('hadoop_yarn_rce/core-site.xml.erb')
+	}->
+	file { "${hadoop_directory}/etc/hadoop/hdfs-site.xml":
+		ensure  => present,
+		content  => template('hadoop_yarn_rce/hdfs-site.xml.erb')
+	}->
+    file { "${hadoop_directory}/etc/hadoop/mapred-site.xml":
+		ensure  => present,
+		content  => template('hadoop_yarn_rce/mapred-site.xml.erb')
+	}->
+	file_line{"${hadoop_directory}/etc/hadoop/hadoop-env.sh":
+        ensure => present,
+        path   => "${hadoop_directory}/etc/hadoop/hadoop-env.sh",
+        line   => "export JAVA_HOME=${java_path} #JAVA_JDK directory", 
+        match => 'export JAVA_HOME=',
+		notify => Exec['run-JAVA_JDK path']
+    }
+
+	exec {'run-JAVA_JDK path':
+		cwd => "${hadoop_directory}/etc/hadoop",
+		command => "readlink -f \\\$\${java_version}",
+		logoutput => true,
+		notify => Exec['format-hadoop-filename']
+	}
+
+	exec {'format-hadoop-filename':
+		cwd => "${hadoop_directory}",
+		command => 'hadoop namenode -format',
+		logoutput => true,
+		notify => Exec['run-hadoop']
+	}
+	#start hadoop
+	exec {'run-hadoop':
+		cwd => "${hadoop_directory}",
+		command => 'HADOOP_HOME/sbin/start-all.sh',
+		logoutput => true
+	}
+
+
+}

modules/vulnerabilities/unix/http/hadoop_yarn_rce/manifests/hadoop_user.pp

@@ -0,0 +1,76 @@
+define hadoop_yarn_rce::hadoop_user ($username, $password, $hadoop_directory, $java_path, $strings_to_leak, $leaked_filenames){
+	$home_directory ='/opt/hadoop'
+	$bash_lines = [ "export JAVA_HOME=${java_path}",
+				"export HADOOP_HOME=${hadoop_directory}",
+				'export HADOOP_INSTALL=$HADOOP_HOME',
+				'export HADOOP_MAPRED_HOME=$HADOOP_HOME',
+				'export HADOOP_COMMON_HOME=$HADOOP_HOME', 
+				'export HADOOP_HDFS_HOME=$HADOOP_HOME', 
+				'export YARN_HOME=$HADOOP_HOME',
+				'export HADOOP_COMMON_LIB_NATIVE_DIR=$HADOOP_HOME/lib/native', 
+				'export PATH=$PATH:$HADOOP_HOME/sbin:$HADOOP_HOME/bin', 
+				'export HADOOP_OPTS="-Djava.library.path=$HADOOP_HOME/lib/native"' ]
+	#TODO cleanup
+	::accounts::user { $username:
+		shell      => '/bin/bash',
+		password   => pw_hash($password, 'SHA-512', 'mysalt'),
+		home =>	'/opt/hadoop',
+		managehome => true,
+		home_mode  => '0755',
+	 }->
+	 #edit bash
+	$bash_lines.each |String $bash_lines| {
+        file_line{"${home_directory}/.bashrc append ${bash_lines}":
+        ensure => present,
+        path   => "${home_directory}/.bashrc",
+        line   => "${bash_lines}", 
+        match =>"^(=*?)(${bash_lines})"
+        }         
+    }
+
+	#generate-ssh-keys
+	exec {'generate-ssh-keys':
+		cwd => "${home_directory}",
+		command => 'ssh-keygen -t rsa',
+		logoutput => true
+	} ->
+	file {"${home_directory}/.ssh/authorized_keys":
+		path => "${home_directory}/.ssh/authorized_keys",
+		ensure => file, 
+		source => "${home_directory}/.ssh/id_rsa.pub",
+		notify => Exec['restart-ssh']
+	}
+	#restart ssh
+	exec {'restart-ssh':
+		command => 'service ssh restart',
+		logoutput => true,
+		notify => Exec['run-ssh']
+	}
+	exec {'run-ssh':
+		command => 'ssh localhost',
+		logoutput => true
+	}
+
+
+
+	  # Leak strings in a text file in the users home directory
+	  # ::secgen_functions::leak_files { "$username-file-leak":
+		# storage_directory => "${home_directory}",
+		# leaked_filenames  => $leaked_filenames,
+		# strings_to_leak   => $strings_to_leak,
+		# owner             => $username,
+		# group             => $username,
+		# mode              => '0600',
+		# leaked_from       => "accounts_$username",
+	  # }
+
+
+
+
+
+
+
+
+
+
+}

modules/vulnerabilities/unix/http/hadoop_yarn_rce/manifests/install.pp

@@ -0,0 +1,29 @@
+class hadoop_yarn_rce::install {
+	$releasename = 'hadoop-3.3.4'
+	$docroot= "/usr/local/hadoop"
+
+	Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+	#install dependencies
+	ensure_packages(['default-jdk','default-jre','ssh','rsync' ])
+
+	# copy archive 
+	file { "/usr/local/src/$releasename.tar.gz" :
+		ensure => file,
+		source => "puppet:///modules/hadoop_yarn_rce/$releasename.tar.gz",
+	} ->
+	#unzip
+	exec {'unzip-hadoop':
+		cwd => '/usr/local/src',
+		command => "tar -xvzf ${releasename}.tar.gz -C /usr/local",
+		creates => /usr/local/${releasename},			
+	}->
+	#rename folder
+	exec {'rename-hadoop directory':
+		cwd => '/usr/local',
+		command => "mv ${releasename} hadoop",
+		logoutput => true,
+	}
+
+
+}

modules/vulnerabilities/unix/http/hadoop_yarn_rce/secgen_metadata.xml

@@ -0,0 +1,38 @@
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+<name>Hadoop YARN ResourceManager Unauthenticated Command Execution /name>
+  <author>Sofia Markusfeld</author>
+  <module_license>Apache</module_license>
+
+
+     <!--  fix -->
+  <description>"This module uses built-in functionality to execute arbitrary commands on an unsecured Hadoop server which is not configured for strong
+          authentication, via Hadoop's standard ResourceManager REST API."
+  </description>
+ <!--  cleanup/add -->
+ <type>remote</type>
+  <type></type>
+  <type></type>
+  <privilege></privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+
+     <!--  cleanup/add -->
+   <read_fact></read_fact>
+   <read_fact></read_fact>
+   <read_fact></read_fact>
+
+   <!-- flags or other secrets exposed after exploitation -->
+  <default_input into="strings_to_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+    <!-- these details need to be known or bruteforced to successful exploit the service -->
+
+    <!--optional vulnerability details-->
+  <!-- rce vuln -->
+  <cve>CVE-2022-24706</cve>
+  <!-- bruteforce vuln -->
+  <cve></cve>

modules/vulnerabilities/unix/http/hadoop_yarn_rce/templates/core-site.xml.erb

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+
+<!-- Put site-specific property overrides in this file. -->
+
+<configuration>
+<property>
+<name>fs.defaultFS</name>
+<value>hdfs://localhost:9000</value>
+</property>
+</configuration>
+

modules/vulnerabilities/unix/http/hadoop_yarn_rce/templates/hadoop.sh.erb

@@ -0,0 +1,17 @@
+#for hadoop
+
+export JAVA_HOME=/usr/lib/jvm/<%=@java_version=> #JAVA_JDK directory
+
+export HADOOP_HOME=/usr/local/hadoop #location of hadoop file directory
+
+export HADOOP_MAPRED_HOME=$HADOOP_HOME
+export HADOOP_CONF_DIR=$HADOOP_HOME/etc/hadoop
+export HADOOP_COMMON_HOME=$HADOOP_HOME
+export HADOOP_HDFS=$HADOOP_HOME
+export YARN_HOME=$HADOOP_HOME
+export HADOOP_USER_CLASSPATH_FIRST=true
+
+alias hadoop=$HADOOP_HOME/bin/./hadoop #for convenience
+alias hdfs=$HADOOP_HOME/bin/./hdfs #for convenience
+
+#done

modules/vulnerabilities/unix/http/hadoop_yarn_rce/templates/hdfs-site.xml.erb

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+
+<!-- Put site-specific property overrides in this file. -->
+
+<configuration>
+
+<property>
+<name>dfs.name.dir</name>
+<value>file:///home/<%=@username=>/pseudo/dfs/name</value> <!-- username = use `whoami` command in terminal to know your username in machine -->
+</property>
+<property>
+<name>dfs.data.dir</name>
+<value>file:///home/<%=@username=>/pseudo/dfs/data</value> <!-- username = use `whoami` command in terminal to know your username in machine -->
+</property>
+<property>
+<name>dfs.replication</name>
+<value>1</value>
+</property>
+</configuration>