Zeronights 2015 - Big problems with big data - Hadoop interfaces security
2 likes2,824 views
The document discusses the security vulnerabilities within Hadoop and big data environments, focusing on risks such as excessive permissions, outdated software, and common web vulnerabilities. It provides an overview of various Hadoop components and attacks, along with recommendations for safeguarding big data environments through tight network access and regular penetration testing. The author emphasizes the need for thorough risk analysis and proactive measures against potential threats to data integrity and confidentiality.
![Apache Hue DOM XSS
var _anchor = $("a[name='" +
decodeURIComponent(window.location.hash.subs
tring(1)) + "']").last();
Payload: URL/help/#<img src="x"
onerror="alert(1)">
H
D
A
E
U](https://image.slidesharecdn.com/zeronights-151205115852-lva1-app6891/85/Zeronights-2015-Big-problems-with-big-data-Hadoop-interfaces-security-44-320.jpg)
Zeronights 2015 - Big problems with big data - Hadoop interfaces security
- 1. Big problems with big data – Hadoop interfaces security Jakub Kaluzny ZeroNights, Moscow, 2015 Плохо!
- 2. whoami Sr. IT Security Consultant at SecuRing • Consulting all phases of development • penetration tests • high-risk applications and systems Researcher • Hadoop, FOREX, MFP printers, proprietary network protocols
- 3. Agenda Big data nonsenses Crash course on hacking Hadoop installations Ways to protect big data environments Expect some CVEs
- 4. Results summary no account standard user admin user admin privileges data access
- 5. WHAT IS HADOOP? Know your target
- 6. Normal database Users Roles Data Model
- 8. Still normal database scenario CWE-xxx: SQL Injection through license plate http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/ http://hococonnect.blogspot.com/2015/06/red-light-cameras-in-columbia.html http://8z4.net/images/ocr-technology
- 9. Normal database injection points
- 10. Normal database Users Roles Data Model Clear rules Clear target
- 11. user db, a lot of clients critical banking data, one supplier Anecdote Only one common table Q: Why don’t you split it into 2 dbs with a db link? A: Too much effort and we want to have fast statistics from all data.
- 14. More on Hadoop
- 17. 21 PB of storage in a single HDFS cluster 2000 machines 12 TB per machine (a few machines have 24 TB each) 1200 machines with 8 cores each + 800 machines with 16 cores each 32 GB of RAM per machine 15 map-reduce tasks per machine What is a lot of data?
- 18. Our latest assessment: • 32 machines, 8 cores each • 24TB per machine • 64 GB of RAM per machine • Almost 1 PB disk space and 2TB of RAM What is a lot of data? http://mrrobot.wikia.com/wiki/E_Corp
- 20. RISK ANALYSIS Know your threats
- 21. Who How What Risk analysis
- 22. Business perspective: competitor, script-kiddies, APT Technical perspective: Who? External attacker • Anonymous • Ex-employee Insider • Exployee (with some rights in Hadoop): user, admin • Infected machine, APT
- 23. Who How What Risk analysis
- 24. Full compromise
- 25. Data safety vs. data security
- 26. Q: What will be stored? A: „We do not know what data will be stored!” Typical bank scenario Bigdata analytic says: „People who bought a dashcam are more likely to take a loan for a new car in the next month” For what? All transaction data All sales data All client data http://thewondrous.com/julia-gunthel-worlds-most-flexible-secretary/ https://www.reddit.com/r/gifs/comments/37aara/calculations_intensify/
- 27. For what? Data theft
- 28. Other Privilege escalation • Authentication bypass Abuse • DoS • Data tampering
- 29. Who How What Risk analysis
- 30. How? https://en.wikipedia.org/wiki/Dowsing#Rods
- 31. WHAT HADOOP REALLY IS under sales-magic-cloud-big-data cover
- 34. Hadoop injection points Differs much amongst distros
- 35. INTERFACES
- 37. OUR STORY WITH BIG DATA ASSESSMENT a.k.a. crash course on hacking big data environments
- 39. USER INTERFACES for employees and applications
- 41. User interfaces Apache Hue • Pig, Hive, Impala, Hbase, Zookeeper, Mahout, Oozie Other • Tez, Solr, Slider, Spark, Phoenix, Accummulo, Storm H D A E U
- 42. Is Hue an internal interface? H D A E U http://9gag.com/gag/awrwVL1/hue-hue-hue
- 43. Apache Hue overview H D A E U http://gethue.com/
- 44. Apache Hue DOM XSS var _anchor = $("a[name='" + decodeURIComponent(window.location.hash.subs tring(1)) + "']").last(); Payload: URL/help/#<img src="x" onerror="alert(1)"> H D A E U
- 45. Target old Hadoop installation (with Hue 2.6.1, Django 1.2.3) Target a user with access to Hue Send him XSS Get access to all Hadoop data designated for the user Apache Hue attack scenario
- 47. ADMIN INTERFACES for admins and maintenance
- 49. Admin interfaces Apache Ambari • Provisioning, monitoring Apache Ranger • Security: authorization, authentication, auditing, data encryption, administration Other • Knox, Cloudbreak, Zookeeper, Falcon, Atlas, Sqoop, Flume, Kafka H D A E U
- 52. Is Ambari an internal interface? H D A E U http://knowyourmeme.com/memes/facepalm
- 53. Apache Ambari • Standard users can sign into Ambari (WHY?) • Low hanging fruits: directory listing by default, no cookie flags, no CSRF protection • Interesting proxy script -> H D A E U
- 54. Apache Ambari REST API proxy Standard request: /proxy?url=http://XXXXXXXXX:8188/ws/v1/timel ine/HIVE_QUERY_ID?limit=1&secondaryFilter=te z:true&_=1424180016625 H D A E U Tampered request (logs accessible only from DMZ): /proxy?url=http://google.com /proxy?url=http://XXXXXXX:8088/logs /proxy?url=http://XXXXXXX:8088/logs/yarn- yarn-resourcemanager-XXXXXXX.log
- 55. Apache Ambari Server Side Request Forgery H D A E UCVE-2015-1775
- 56. Apache Ambari attack scenario Target old Hadoop installation with Ambari 1.5.0 to 2.0.2 Hijack standard account (or use Hue XSS to perform CSRF) Log into Ambari, use CVE-2015-1775 Get access to local network (DMZ) – HTTP only Download logs, exploit other Hadoop servers in DMZ H D A E U
- 58. Apache Ranger overview Previously: Apache Argus, XA-Secure Provides central administration for policies, users/groups, analytics and audit data. H D A E U http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Sys_Admin_Guides/content/ref- 746ce51a-9bdc-4fef-85a6-69564089a8a6.1.html
- 60. • Low hanging fruits: no HTTP hardening, SlowHTTP DoS • Standard users can log into Ranger but have no permissions • Interesting function level access control -> Apache Ranger
- 62. Missing function level access control H D A E U CVE-2015-0266
- 63. Apache Ranger attack scenario Target an old Hadoop installation (Apache Ranger 0.4 or XA-Secure v. 3.5.001 ) Hijack standard Hadoop account Log into Ranger (with low permissions) Use CVE-2015-0266 to escalate privileges Edit accounts, authorization rules, access policies H D A E U
- 65. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) <script>alert(1);</script> Apache Ranger XSS through UserAgent H D A E UCVE-2015-0265
- 66. Apache Ranger attack scenario Target an old Hadoop installation (Apache Ranger 0.4 or XA- Secure v. 3.5.001 ) Network access to Apache Ranger is necessary (either from the internet or local network) Log in with any user and password using XSS in UserAgent You don’t need to escalate privileges, you’re already an admin (after admin opens session tab) Deploy BEEF or whatsoever (CSRF script) to create users and change policies H D A E U
- 67. • Affected version: Apache Ranger v 0.4.0, XA Secure v. 3.5.001 • Both vulnerabilities patched in Ranger v 0.5.0 • For a while developers did a self-full-disclosure -> Apache Ranger patched
- 68. RANGER-284 in public Jira now H D A E U
- 69. RANGER-284 shortly after vendor contact H D A E U
- 70. DISTRIBUTIONS SPECIFICS not in every environment
- 74. Distros How long does it take to create a new distro version? How many components are outdated at that time? How long does it take to deploy a new distro at a company? How many components are outdated at that time? H D A E U Most cases: • MAJOR – ca. 1 year • MINOR – ca. 3 months • PATCH – ca. 1-2 months (differs much)
- 75. Hortonworks HDP components by version http://hortonworks.com/hdp/whats-new/
- 76. Distros Old components with known issues • Old OS components (java, php, ruby, etc.) • Old OS components (e.g. old tomcat used by Oozie and HDFS) • Old Hadoop components (e.g. old Hue, Ambari, Ranger) Default passwords Default configuration H D A E U
- 77. vuln found (e.g. Ambari) Hadoop pached distro update deployment Vulnerability timeline Responsible Disclosure? H D A E U vuln found (e.g. jQuery) jQuery patched Django patched Hue update distro update deployment Responsible disclosure? Full disclosure? Full disclosure?
- 78. Distros Old components with known issues Default passwords • SSH keys configured but default passwords still work • Default mysql passwords, NO mysql passwords Default configuration H D A E U
- 79. Distros Old components with known issues Default passwords Default configuration • No network level hardening • No HTTP hardening (clickjacking, session mgmt, errors) • Hue uses Django with DEBUG turned on by default • „Hacking virtual appliances” by Jeremy Brown H D A E U
- 81. EXTERNAL INTERFACES For clients or whatsoever
- 83. External • More than 25 internal Apache apps/modules • Vendor/distro specific apps/interfaces • Popular monitoring: Ganglia, Splunk • Auth providers: LDAP, Kerberos, OAuth • Many apps, many targets H D A E U
- 85. SUMMARY ways to protect your big data environment
- 86. Ways to protect your Hadoop environment Excessive network access • Keep it super tight! Excessive user pesmissions Typical web vulnerabilities Obsolete software Distros dependent vulnerabilities External system connections
- 87. Ways to protect your Hadoop environment Excessive network access Excessive user permissions • Map business roles to permissions Typical web vulnerabilities Obsolete software Distros dependent vulnerabilities External system connections
- 88. Ways to protect your Hadoop environment Excessive network access Excessive user permissions Typical web vulnerabilities • Pentest it! Introduce application independent security countermeasures Obsolete software Distros dependent vulnerabilities External system connections
- 89. Ways to protect your Hadoop environment Excessive network access Excessive user permissions Typical web vulnerabilities Obsolete software • Make a list of all components. Monitor bugtracks and CVEs. Distros dependent vulnerabilities External system connections
- 90. Ways to protect your Hadoop environment Excessive network access Excessive user permissions Typical web vulnerabilities Obsolete software Distros dependent vulnerabilities • A pentest after integration is a must. Demand security from software suppliers. External system connections
- 91. Ways to protect your Hadoop environment Excessive network access Excessive user permissions Typical web vulnerabilities Obsolete software Distros dependent vulnerabilities External system connections • Make a list of all external system connections. Do a threat modeling and pentest corresponding systems.
- 92. Thank you [email protected] MORE THAN SECURITY TESTING Contact me for additional materials @j_kaluzny