diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp
index 1b25529f0..a691d6b67 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/apache_spark_rce.pp
@@ -3,9 +3,9 @@
# https://spark.apache.org/docs/3.1.2/
# https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_spark_rce_cve_2022_33891.rb
-contain apache_spark_rce::install
-contain apache_spark_rce::configure
-contain apache_spark_rce::service
+include apache_spark_rce::install
+include apache_spark_rce::configure
+include apache_spark_rce::service
Class['apache_spark_rce::install']
-> Class['apache_spark_rce::configure']
-> Class['apache_spark_rce::service']
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf b/modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf
index 553d716a3..c29c3ad2c 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/files/spark-defaults.conf
@@ -1 +1,4 @@
-spark.acls.enable true
\ No newline at end of file
+spark.acls.enable true
+spark.master.rest.enabled true
+spark.master.rest.port 6066
+spark.master.rest.host 0.0.0.0
\ No newline at end of file
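Review bot: The three added `spark.master.rest.*` lines enable the standalone master's REST submission endpoint on every interface (port 6066), and nothing in the file says why. The module's header links point at the ACL-based command injection (CVE-2022-33891), so this looks like a second, separate unauthenticated surface on the same host. If it is deliberate, record that with a comment such as `# REST submission server enabled on purpose: <reason>` so scenario authors know it is part of the intended attack surface. I could not confirm that `spark.master.rest.host` is a key the 3.1.2 master reads; if it is not, that line is a no-op and should be dropped.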
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
index 9db179c29..dedcd8066 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/configure.pp
@@ -7,20 +7,36 @@
$leaked_filenames = $secgen_parameters['leaked_filenames']
$strings_to_leak = $secgen_parameters['strings_to_leak']
$user = $secgen_parameters['unix_username'][0]
+ $pre_leaked_filenames = $secgen_parameters['pre_leaked_filenames']
+ $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
# We set the acls flag in the config - This ensures its vulnerable
- file { "/usr/local/spark/conf/${sparkconf}":
+ file { '/usr/local/spark/conf':
+ ensure => directory,
+ }
+ -> file { "/usr/local/spark/conf/${sparkconf}":
ensure => file,
- source => "puppet:///modules/apache_spark_rce/${sparkconf}"
+ source => "puppet:///modules/apache_spark_rce/${sparkconf}",
}
::secgen_functions::leak_files { 'spark-flag-leak':
storage_directory => "/home/${user}",
leaked_filenames => $leaked_filenames,
strings_to_leak => $strings_to_leak,
- owner => 'root',
+ owner => 'spark',
+ mode => '0750',
+ leaked_from => 'apache_spark_rce',
+ }
+
+ # Not really preleaking, hard to change spark config to pre leak.
+ # TODO in future: Actually preleak it through http-title to show in nmap scan
+ ::secgen_functions::leak_files { 'spark-flag-pre-leak':
+ storage_directory => "/home/${user}",
+ leaked_filenames => $pre_leaked_filenames,
+ strings_to_leak => $strings_to_pre_leak,
+ owner => 'spark',
mode => '0750',
leaked_from => 'apache_spark_rce',
}
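Review bot: Both `leak_files` resources hard-code `owner => 'spark'` while the storage directory is built from `$user` (`/home/${user}`). If `unix_username` is ever set to something other than `spark`, the flag files belong to a different account than the home directory they sit in. With mode `0750` the account the service runs as may then be unable to read them, or the apply may fail if no `spark` user exists. Using `owner => $user,` in both resources keeps them aligned. The new `/usr/local/spark/conf` directory resource also sets no owner or mode, and the enclosing class starts and ends outside this hunk.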
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp
index 09c5ee357..da426eb74 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/install.pp
@@ -8,7 +8,36 @@
# Install required packages
# NOTE: once Debian updates insert scala 2.12+ into statement
- ensure_packages(['openjdk-11-jdk'], { ensure => 'installed'})
+
+ exec { 'download-jdk11':
+ cwd => '/tmp',
+ command => 'wget -O jdk11.tar.gz https://download.java.net/openjdk/jdk11.0.0.2/ri/openjdk-11.0.0.2_linux-x64.tar.gz',
+ creates => '/tmp/jdk11.tar.gz',
+ timeout => 300,
+ }
+ -> exec { 'extract-jdk11':
+ cwd => '/tmp',
+ command => 'tar -xzf jdk11.tar.gz',
+ creates => '/tmp/jdk-11.0.0.2',
+ }
+ -> file { '/usr/lib/jvm':
+ ensure => directory,
+ }
+ -> exec { 'install-jdk11':
+ cwd => '/tmp',
+ command => 'mv jdk-11.0.0.2 /usr/lib/jvm/java-11-openjdk',
+ creates => '/usr/lib/jvm/java-11-openjdk',
+ }
+
+ # Register Java 11 as alternative and set as default for spark
+ exec { 'register-java11-alternative':
+ command => '/usr/bin/update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-11-openjdk/bin/java 1111',
+ require => Exec['install-jdk11'],
+ }
+ -> exec { 'set-java11-default':
+ command => '/usr/bin/update-alternatives --set java /usr/lib/jvm/java-11-openjdk/bin/java',
+ require => Exec['register-java11-alternative'],
+ }
$scaladeb = 'scala-2.12.10.deb'
$releasename = 'spark-3.1.2-bin-hadoop3.2.tgz'
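Review bot: The JDK archive fetched by `download-jdk11` is unpacked and installed as the system Java with no integrity check, so whatever the download host returns at build time ends up in `/usr/lib/jvm/java-11-openjdk`. Pin a SHA-256 for the archive and verify it between download and extract, as in the block below; the digest shown is a placeholder to be filled in from a trusted copy. Because `wget -O` creates the output file even when the transfer fails, `creates => '/tmp/jdk11.tar.gz'` will also treat a truncated download as complete on the next run, and the verification step makes that failure visible. The two `update-alternatives` execs have no `unless` or `creates` guard, so they rerun on every apply. The enclosing class starts and ends outside this hunk.

```puppet
  # … unchanged: exec 'download-jdk11' …
  -> exec { 'verify-jdk11':
    cwd      => '/tmp',
    command  => 'echo "<EXPECTED_SHA256>  jdk11.tar.gz" | sha256sum -c -',
    provider => shell,
  }
  # … unchanged: exec 'extract-jdk11' and the rest of the chain …
```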
@@ -43,7 +72,7 @@
# We run older versions of debian, for now source from local deb file
package { 'scala':
- ensure => latest,
+ ensure => present,
provider => apt,
source => "/tmp/${scaladeb}",
}
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
index f8bd204a5..fc4c9fc22 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/manifests/service.pp
@@ -11,13 +11,24 @@
exec { 'set-port':
command => "sed -i 's/8080/${port}/' /usr/local/spark/sbin/start-master.sh",
}
- -> file { '/etc/systemd/system/spark.service':
- content => template('apache_spark_rce/spark.service.erb'),
+ -> file { '/etc/systemd/system/spark-master.service':
+ content => template('apache_spark_rce/spark-master.service.erb'),
owner => 'root',
mode => '0777',
}
- -> service { 'spark':
+ -> service { 'spark-master':
ensure => running,
enable => true,
}
+ -> file { '/etc/systemd/system/spark-worker.service':
+ content => template('apache_spark_rce/spark-worker.service.erb'),
+ owner => 'root',
+ mode => '0777',
+ }
+ -> service { 'spark-worker':
+ ensure => running,
+ enable => true,
+ }
+
+
}
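Review bot: The new `spark-worker.service` file resource is written with `mode => '0777'`, copying the mode already on the master unit, so both root-owned unit files are writable by any local account. That gives a local privilege-escalation path independent of the Spark flaw this module is built around. Unless that is an intended part of the scenario, use `mode => '0644',` on both `file` resources; if it is intended, add a comment saying so next to the mode. The class body starts outside this hunk.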
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml b/modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml
index 656bd9376..9a014bdff 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/secgen_metadata.xml
@@ -28,6 +28,8 @@
strings_to_leak
leaked_filenames
unix_username
+ strings_to_pre_leak
+ pre_leaked_filenames
@@ -42,6 +44,14 @@
+
+
+
+
+
+
+
+
spark
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-master.service.erb
similarity index 51%
rename from modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb
rename to modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-master.service.erb
index dc02ddd2d..d178cf6da 100644
--- a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark.service.erb
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-master.service.erb
@@ -1,13 +1,15 @@
[Unit]
-Description=Apache Spark Shell
+Description=Apache Spark Master
After=network.target
[Service]
Type=forking
User=<%= @user %>
Environment="PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/spark/sbin"
+Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk"
WorkingDirectory=/usr/local/spark/bin/
-ExecStart=/usr/local/spark/sbin/start-master.sh
+ExecStart=/usr/local/spark/sbin/start-master.sh --host 0.0.0.0 --properties-file /usr/local/spark/conf/spark-defaults.conf
+ExecStop=/usr/local/spark/sbin/stop-master.sh
Restart=on-abort
RestartSec=1
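Review bot: The new `ExecStart` hard-codes `--properties-file /usr/local/spark/conf/spark-defaults.conf`, while `configure.pp` installs the file as `/usr/local/spark/conf/${sparkconf}`. If `$sparkconf` is ever something other than `spark-defaults.conf`, the master would start without the settings the module depends on and the box would silently stop being vulnerable. Since this is already an ERB template, passing the name through (for example `--properties-file /usr/local/spark/conf/<%= @sparkconf %>`, assuming the variable is in scope where the template is rendered) keeps the two in step.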
diff --git a/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb
new file mode 100644
index 000000000..5caffc09c
--- /dev/null
+++ b/modules/vulnerabilities/unix/http/apache_spark_rce/templates/spark-worker.service.erb
@@ -0,0 +1,17 @@
+[Unit]
+Description=Apache Spark Worker
+After=network.target spark-master.service
+
+[Service]
+Type=forking
+User=<%= @user %>
+Environment="PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/spark/sbin"
+Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk"
+WorkingDirectory=/usr/local/spark/bin/
+ExecStart=/bin/bash -c '/usr/local/spark/sbin/start-worker.sh spark://$(hostname -I | awk "{print \$1}"):7077'
+ExecStop=/usr/local/spark/sbin/stop-worker.sh
+Restart=on-abort
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
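Review bot: `After=network.target spark-master.service` only orders the worker behind the master; it does not pull the master in or tie the worker to it. If the master unit is stopped or fails to start, the worker is still launched against a master that is not there. Adding `Wants=spark-master.service` (or `Requires=` if the worker should stop with it) under `[Unit]` states the dependency explicitly. The `bash -c` wrapper in `ExecStart` picks the first address from `hostname -I`, which on a multi-homed VM may not be the interface players reach; a short comment on why that address is used rather than the hostname would help. The file also ends without a trailing newline.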
diff --git a/scenarios/ctf/catching_sparks.xml b/scenarios/ctf/catching_sparks.xml
index 472c7d5cb..7b85a2e22 100644
--- a/scenarios/ctf/catching_sparks.xml
+++ b/scenarios/ctf/catching_sparks.xml
@@ -86,7 +86,7 @@
server
-
+
@@ -101,7 +101,7 @@
-
+