Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.
Big problems with big
data –
Hadoop interfaces
security
Jakub Kaluzny
ZeroNights, Moscow, 2015
Плохо!
whoami
Sr. IT Security Consultant at SecuRing
• Consulting all phases of development
• penetration tests
• high-risk appli...
Agenda
Big data nonsenses
Crash course on hacking Hadoop installations
Ways to protect big data environments
Expect some C...
Results summary
no account
standard user
admin user
admin
privileges
data access
WHAT IS HADOOP?
Know your target
Normal database
Users Roles Data Model
Normal database architecture
http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/
Still normal database scenario
CWE-xxx: SQL Injection through license plate
http://hackaday.com/2014/04/04/sql-injection-f...
Normal database injection points
Normal database
Users Roles Data Model
Clear rules
Clear target
user db,
a lot of clients
critical
banking data,
one supplier
Anecdote
Only one common table
Q: Why don’t you split it int...
What is Hadoop?
https://www.flickr.com/photos/photonquantique/2596581870/
http://fiveprime.org/blackmagic.cgi?id=7007203773
Hadoop architecture schema
More on Hadoop
Hadoop injection points
Hadoop scenario
https://en.wikipedia.org/wiki/Moneygami
https://www.flickr.com/photos/mattimattila/8349565473
http://bigda...
21 PB of storage in a single HDFS cluster
2000 machines
12 TB per machine (a few machines have 24 TB each)
1200 machines w...
Our latest assessment:
• 32 machines, 8 cores each
• 24TB per machine
• 64 GB of RAM per machine
• Almost 1 PB disk space ...
Attacker perspective
https://plus.google.com/+Magiccardtrickszonetips
RISK ANALYSIS
Know your threats
Who How What
Risk analysis
Business perspective: competitor, script-kiddies, APT
Technical perspective:
Who?
External attacker
• Anonymous
• Ex-emplo...
Who How What
Risk analysis
Full compromise
Data safety vs. data security
Q: What will be stored? A: „We do not know what data will be
stored!”
Typical bank scenario
Bigdata analytic says: „People...
For what? Data theft
Other
Privilege escalation
• Authentication bypass
Abuse
• DoS
• Data tampering
Who How What
Risk analysis
How?
https://en.wikipedia.org/wiki/Dowsing#Rods
WHAT HADOOP
REALLY IS
under sales-magic-cloud-big-data cover
Typical architecture
http://thebigdatablog.weebly.com/blog/the-hadoop-ecosystem-overview
Apache Hue
http://techbusinessintelligence.blogspot.com/2014/11/tableau-software-cloudera-hadoop.html
Hadoop injection points
Differs much amongst distros
INTERFACES
Hadoop
Distros
specifics
Admin
ifaces
external
ifaces
User
ifaces
Interfaces
OUR STORY WITH BIG
DATA ASSESSMENT
a.k.a. crash course on hacking big data environments
Hadoop
Distros
specifics
Admin
ifaces
external
ifaces
User
ifaces
Interfaces
USER INTERFACES
for employees and applications
User interfaces
Hadoop
Distros
specifics
Admin
ifaces
external
ifaces
User
ifaces
User interfaces
Apache Hue
• Pig, Hive, Impala, Hbase, Zookeeper, Mahout, Oozie
Other
• Tez, Solr, Slider, Spark, Phoenix,...
Is Hue an internal interface?
H
D
A
E
U
http://9gag.com/gag/awrwVL1/hue-hue-hue
Apache Hue overview
H
D
A
E
U
http://gethue.com/
Apache Hue DOM XSS
var _anchor = $("a[name='" +
decodeURIComponent(window.location.hash.subs
tring(1)) + "']").last();
Pay...
Target old Hadoop installation (with Hue 2.6.1, Django
1.2.3)
Target a user with access to Hue
Send him XSS
Get access to ...
Default configurations sucks
X-Frame-Options:ALLOWALL
ADMIN INTERFACES
for admins and maintenance
Hadoop
Distros
specifics
Admin
ifaces
external
ifaces
User
ifaces
Admin interfaces
Admin interfaces
Apache Ambari
• Provisioning, monitoring
Apache Ranger
• Security: authorization, authentication, auditin...
Apache Ambari
About Ambari
http://www.slideshare.net/hortonworks/ambari-using-a-local-repository?next_slideshow=1
H
D
A
E
U
Apache Ambari
http://www.slideshare.net/hortonworks/ambari-using-a-local-repository?next_slideshow=1
H
D
A
E
U
Is Ambari an internal interface?
H
D
A
E
U
http://knowyourmeme.com/memes/facepalm
Apache Ambari
• Standard users can sign into Ambari (WHY?)
• Low hanging fruits: directory listing by default, no
cookie f...
Apache Ambari REST API proxy
Standard request:
/proxy?url=http://XXXXXXXXX:8188/ws/v1/timel
ine/HIVE_QUERY_ID?limit=1&seco...
Apache Ambari Server Side Request Forgery
H
D
A
E
UCVE-2015-1775
Apache Ambari attack scenario
Target old Hadoop installation with Ambari 1.5.0 to 2.0.2
Hijack standard account (or use Hu...
Hadoop
Distros
specifics
Admin
ifaces
external
ifaces
User
ifaces
Admin interfaces
Apache Ranger overview
Previously: Apache Argus, XA-Secure
Provides central administration for policies,
users/groups, ana...
Apache Ranger overview
H
D
A
E
Uhttp://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-h...
• Low hanging fruits: no HTTP hardening, SlowHTTP
DoS
• Standard users can log into Ranger but have no
permissions
• Inter...
Apache Ranger vulnerabilities
H
D
A
E
U
Missing function level access control
H
D
A
E
U
CVE-2015-0266
Apache Ranger attack scenario
Target an old Hadoop installation (Apache Ranger 0.4 or XA-Secure v.
3.5.001 )
Hijack standa...
Apache Ranger vulnerabilities
H
D
A
E
U
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide
User-Agent: Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.0)
<script>alert(1);</script>
Apache Ranger XSS through UserAg...
Apache Ranger attack scenario
Target an old Hadoop installation (Apache Ranger 0.4 or XA-
Secure v. 3.5.001 )
Network acce...
• Affected version: Apache Ranger v 0.4.0, XA Secure
v. 3.5.001
• Both vulnerabilities patched in Ranger v 0.5.0
• For a w...
RANGER-284 in public Jira now
H
D
A
E
U
RANGER-284 shortly after vendor contact
H
D
A
E
U
DISTRIBUTIONS
SPECIFICS
not in every environment
Hadoop
Distros
specifics
Admin
ifaces
external
ifaces
User
ifaces
Distribution specifics
Distros
H
D
A
E
Uhttp://blog.cloudera.com/blog/2012/07/the-hadoop-ecosystem-visualized-in-datameer/
cloud
based
hosted
locally
Basic distinction
Distros
How long does it take to create a new distro version?
How many components are outdated at that time?
How long does...
Hortonworks HDP components by version
http://hortonworks.com/hdp/whats-new/
Distros
Old components with known issues
• Old OS components (java, php, ruby, etc.)
• Old OS components (e.g. old tomcat ...
vuln found
(e.g. Ambari)
Hadoop
pached
distro update deployment
Vulnerability timeline
Responsible
Disclosure?
H
D
A
E
U
v...
Distros
Old components with known issues
Default passwords
• SSH keys configured but default passwords still work
• Defaul...
Distros
Old components with known issues
Default passwords
Default configuration
• No network level hardening
• No HTTP ha...
Default configurations sucks
X-Frame-Options:ALLOWALL
H
D
A
E
U
EXTERNAL
INTERFACES
For clients or whatsoever
Hadoop
Distros
specifics
Admin
ifaces
external
ifaces
User
ifaces
External interfaces
External
• More than 25 internal Apache apps/modules
• Vendor/distro specific apps/interfaces
• Popular monitoring: Gangli...
Hadoop
Hadoop
Distros
specifics
Admin
ifaces
external
ifaces
User
ifaces
SUMMARY
ways to protect your big data environment
Ways to protect your Hadoop environment
Excessive network access
• Keep it super tight!
Excessive user pesmissions
Typical...
Ways to protect your Hadoop environment
Excessive network access
Excessive user permissions
• Map business roles to permis...
Ways to protect your Hadoop environment
Excessive network access
Excessive user permissions
Typical web vulnerabilities
• ...
Ways to protect your Hadoop environment
Excessive network access
Excessive user permissions
Typical web vulnerabilities
Ob...
Ways to protect your Hadoop environment
Excessive network access
Excessive user permissions
Typical web vulnerabilities
Ob...
Ways to protect your Hadoop environment
Excessive network access
Excessive user permissions
Typical web vulnerabilities
Ob...
Thank you
jakub.kaluzny@securing.pl
MORE THAN
SECURITY
TESTING
Contact me for additional materials
@j_kaluzny
Próxima SlideShare
Cargando en…5
×

Zeronights 2015 - Big problems with big data - Hadoop interfaces security

2.597 visualizaciones

Publicado el

Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from complexity of Hadoop installations and number of interfaces, standard techniques can be applied to test for: web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.

Publicado en: Tecnología
  • Sé el primero en comentar

Zeronights 2015 - Big problems with big data - Hadoop interfaces security

  1. 1. Big problems with big data – Hadoop interfaces security Jakub Kaluzny ZeroNights, Moscow, 2015 Плохо!
  2. 2. whoami Sr. IT Security Consultant at SecuRing • Consulting all phases of development • penetration tests • high-risk applications and systems Researcher • Hadoop, FOREX, MFP printers, proprietary network protocols
  3. 3. Agenda Big data nonsenses Crash course on hacking Hadoop installations Ways to protect big data environments Expect some CVEs
  4. 4. Results summary no account standard user admin user admin privileges data access
  5. 5. WHAT IS HADOOP? Know your target
  6. 6. Normal database Users Roles Data Model
  7. 7. Normal database architecture http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/
  8. 8. Still normal database scenario CWE-xxx: SQL Injection through license plate http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/ http://hococonnect.blogspot.com/2015/06/red-light-cameras-in-columbia.html http://8z4.net/images/ocr-technology
  9. 9. Normal database injection points
  10. 10. Normal database Users Roles Data Model Clear rules Clear target
  11. 11. user db, a lot of clients critical banking data, one supplier Anecdote Only one common table Q: Why don’t you split it into 2 dbs with a db link? A: Too much effort and we want to have fast statistics from all data.
  12. 12. What is Hadoop? https://www.flickr.com/photos/photonquantique/2596581870/ http://fiveprime.org/blackmagic.cgi?id=7007203773
  13. 13. Hadoop architecture schema
  14. 14. More on Hadoop
  15. 15. Hadoop injection points
  16. 16. Hadoop scenario https://en.wikipedia.org/wiki/Moneygami https://www.flickr.com/photos/mattimattila/8349565473 http://bigdataanalyticsnews.com/tag/hortonworks/
  17. 17. 21 PB of storage in a single HDFS cluster 2000 machines 12 TB per machine (a few machines have 24 TB each) 1200 machines with 8 cores each + 800 machines with 16 cores each 32 GB of RAM per machine 15 map-reduce tasks per machine What is a lot of data?
  18. 18. Our latest assessment: • 32 machines, 8 cores each • 24TB per machine • 64 GB of RAM per machine • Almost 1 PB disk space and 2TB of RAM What is a lot of data? http://mrrobot.wikia.com/wiki/E_Corp
  19. 19. Attacker perspective https://plus.google.com/+Magiccardtrickszonetips
  20. 20. RISK ANALYSIS Know your threats
  21. 21. Who How What Risk analysis
  22. 22. Business perspective: competitor, script-kiddies, APT Technical perspective: Who? External attacker • Anonymous • Ex-employee Insider • Exployee (with some rights in Hadoop): user, admin • Infected machine, APT
  23. 23. Who How What Risk analysis
  24. 24. Full compromise
  25. 25. Data safety vs. data security
  26. 26. Q: What will be stored? A: „We do not know what data will be stored!” Typical bank scenario Bigdata analytic says: „People who bought a dashcam are more likely to take a loan for a new car in the next month” For what? All transaction data All sales data All client data http://thewondrous.com/julia-gunthel-worlds-most-flexible-secretary/ https://www.reddit.com/r/gifs/comments/37aara/calculations_intensify/
  27. 27. For what? Data theft
  28. 28. Other Privilege escalation • Authentication bypass Abuse • DoS • Data tampering
  29. 29. Who How What Risk analysis
  30. 30. How? https://en.wikipedia.org/wiki/Dowsing#Rods
  31. 31. WHAT HADOOP REALLY IS under sales-magic-cloud-big-data cover
  32. 32. Typical architecture http://thebigdatablog.weebly.com/blog/the-hadoop-ecosystem-overview
  33. 33. Apache Hue http://techbusinessintelligence.blogspot.com/2014/11/tableau-software-cloudera-hadoop.html
  34. 34. Hadoop injection points Differs much amongst distros
  35. 35. INTERFACES
  36. 36. Hadoop Distros specifics Admin ifaces external ifaces User ifaces Interfaces
  37. 37. OUR STORY WITH BIG DATA ASSESSMENT a.k.a. crash course on hacking big data environments
  38. 38. Hadoop Distros specifics Admin ifaces external ifaces User ifaces Interfaces
  39. 39. USER INTERFACES for employees and applications
  40. 40. User interfaces Hadoop Distros specifics Admin ifaces external ifaces User ifaces
  41. 41. User interfaces Apache Hue • Pig, Hive, Impala, Hbase, Zookeeper, Mahout, Oozie Other • Tez, Solr, Slider, Spark, Phoenix, Accummulo, Storm H D A E U
  42. 42. Is Hue an internal interface? H D A E U http://9gag.com/gag/awrwVL1/hue-hue-hue
  43. 43. Apache Hue overview H D A E U http://gethue.com/
  44. 44. Apache Hue DOM XSS var _anchor = $("a[name='" + decodeURIComponent(window.location.hash.subs tring(1)) + "']").last(); Payload: URL/help/#<img src="x" onerror="alert(1)"> H D A E U
  45. 45. Target old Hadoop installation (with Hue 2.6.1, Django 1.2.3) Target a user with access to Hue Send him XSS Get access to all Hadoop data designated for the user Apache Hue attack scenario
  46. 46. Default configurations sucks X-Frame-Options:ALLOWALL
  47. 47. ADMIN INTERFACES for admins and maintenance
  48. 48. Hadoop Distros specifics Admin ifaces external ifaces User ifaces Admin interfaces
  49. 49. Admin interfaces Apache Ambari • Provisioning, monitoring Apache Ranger • Security: authorization, authentication, auditing, data encryption, administration Other • Knox, Cloudbreak, Zookeeper, Falcon, Atlas, Sqoop, Flume, Kafka H D A E U
  50. 50. Apache Ambari About Ambari http://www.slideshare.net/hortonworks/ambari-using-a-local-repository?next_slideshow=1 H D A E U
  51. 51. Apache Ambari http://www.slideshare.net/hortonworks/ambari-using-a-local-repository?next_slideshow=1 H D A E U
  52. 52. Is Ambari an internal interface? H D A E U http://knowyourmeme.com/memes/facepalm
  53. 53. Apache Ambari • Standard users can sign into Ambari (WHY?) • Low hanging fruits: directory listing by default, no cookie flags, no CSRF protection • Interesting proxy script -> H D A E U
  54. 54. Apache Ambari REST API proxy Standard request: /proxy?url=http://XXXXXXXXX:8188/ws/v1/timel ine/HIVE_QUERY_ID?limit=1&secondaryFilter=te z:true&_=1424180016625 H D A E U Tampered request (logs accessible only from DMZ): /proxy?url=http://google.com /proxy?url=http://XXXXXXX:8088/logs /proxy?url=http://XXXXXXX:8088/logs/yarn- yarn-resourcemanager-XXXXXXX.log
  55. 55. Apache Ambari Server Side Request Forgery H D A E UCVE-2015-1775
  56. 56. Apache Ambari attack scenario Target old Hadoop installation with Ambari 1.5.0 to 2.0.2 Hijack standard account (or use Hue XSS to perform CSRF) Log into Ambari, use CVE-2015-1775 Get access to local network (DMZ) – HTTP only Download logs, exploit other Hadoop servers in DMZ H D A E U
  57. 57. Hadoop Distros specifics Admin ifaces external ifaces User ifaces Admin interfaces
  58. 58. Apache Ranger overview Previously: Apache Argus, XA-Secure Provides central administration for policies, users/groups, analytics and audit data. H D A E U http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Sys_Admin_Guides/content/ref- 746ce51a-9bdc-4fef-85a6-69564089a8a6.1.html
  59. 59. Apache Ranger overview H D A E Uhttp://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/
  60. 60. • Low hanging fruits: no HTTP hardening, SlowHTTP DoS • Standard users can log into Ranger but have no permissions • Interesting function level access control -> Apache Ranger
  61. 61. Apache Ranger vulnerabilities H D A E U
  62. 62. Missing function level access control H D A E U CVE-2015-0266
  63. 63. Apache Ranger attack scenario Target an old Hadoop installation (Apache Ranger 0.4 or XA-Secure v. 3.5.001 ) Hijack standard Hadoop account Log into Ranger (with low permissions) Use CVE-2015-0266 to escalate privileges Edit accounts, authorization rules, access policies H D A E U
  64. 64. Apache Ranger vulnerabilities H D A E U https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide
  65. 65. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) <script>alert(1);</script> Apache Ranger XSS through UserAgent H D A E UCVE-2015-0265
  66. 66. Apache Ranger attack scenario Target an old Hadoop installation (Apache Ranger 0.4 or XA- Secure v. 3.5.001 ) Network access to Apache Ranger is necessary (either from the internet or local network) Log in with any user and password using XSS in UserAgent You don’t need to escalate privileges, you’re already an admin (after admin opens session tab) Deploy BEEF or whatsoever (CSRF script) to create users and change policies H D A E U
  67. 67. • Affected version: Apache Ranger v 0.4.0, XA Secure v. 3.5.001 • Both vulnerabilities patched in Ranger v 0.5.0 • For a while developers did a self-full-disclosure -> Apache Ranger patched
  68. 68. RANGER-284 in public Jira now H D A E U
  69. 69. RANGER-284 shortly after vendor contact H D A E U
  70. 70. DISTRIBUTIONS SPECIFICS not in every environment
  71. 71. Hadoop Distros specifics Admin ifaces external ifaces User ifaces Distribution specifics
  72. 72. Distros H D A E Uhttp://blog.cloudera.com/blog/2012/07/the-hadoop-ecosystem-visualized-in-datameer/
  73. 73. cloud based hosted locally Basic distinction
  74. 74. Distros How long does it take to create a new distro version? How many components are outdated at that time? How long does it take to deploy a new distro at a company? How many components are outdated at that time? H D A E U Most cases: • MAJOR – ca. 1 year • MINOR – ca. 3 months • PATCH – ca. 1-2 months (differs much)
  75. 75. Hortonworks HDP components by version http://hortonworks.com/hdp/whats-new/
  76. 76. Distros Old components with known issues • Old OS components (java, php, ruby, etc.) • Old OS components (e.g. old tomcat used by Oozie and HDFS) • Old Hadoop components (e.g. old Hue, Ambari, Ranger) Default passwords Default configuration H D A E U
  77. 77. vuln found (e.g. Ambari) Hadoop pached distro update deployment Vulnerability timeline Responsible Disclosure? H D A E U vuln found (e.g. jQuery) jQuery patched Django patched Hue update distro update deployment Responsible disclosure? Full disclosure? Full disclosure?
  78. 78. Distros Old components with known issues Default passwords • SSH keys configured but default passwords still work • Default mysql passwords, NO mysql passwords Default configuration H D A E U
  79. 79. Distros Old components with known issues Default passwords Default configuration • No network level hardening • No HTTP hardening (clickjacking, session mgmt, errors) • Hue uses Django with DEBUG turned on by default • „Hacking virtual appliances” by Jeremy Brown H D A E U
  80. 80. Default configurations sucks X-Frame-Options:ALLOWALL H D A E U
  81. 81. EXTERNAL INTERFACES For clients or whatsoever
  82. 82. Hadoop Distros specifics Admin ifaces external ifaces User ifaces External interfaces
  83. 83. External • More than 25 internal Apache apps/modules • Vendor/distro specific apps/interfaces • Popular monitoring: Ganglia, Splunk • Auth providers: LDAP, Kerberos, OAuth • Many apps, many targets H D A E U
  84. 84. Hadoop Hadoop Distros specifics Admin ifaces external ifaces User ifaces
  85. 85. SUMMARY ways to protect your big data environment
  86. 86. Ways to protect your Hadoop environment Excessive network access • Keep it super tight! Excessive user pesmissions Typical web vulnerabilities Obsolete software Distros dependent vulnerabilities External system connections
  87. 87. Ways to protect your Hadoop environment Excessive network access Excessive user permissions • Map business roles to permissions Typical web vulnerabilities Obsolete software Distros dependent vulnerabilities External system connections
  88. 88. Ways to protect your Hadoop environment Excessive network access Excessive user permissions Typical web vulnerabilities • Pentest it! Introduce application independent security countermeasures Obsolete software Distros dependent vulnerabilities External system connections
  89. 89. Ways to protect your Hadoop environment Excessive network access Excessive user permissions Typical web vulnerabilities Obsolete software • Make a list of all components. Monitor bugtracks and CVEs. Distros dependent vulnerabilities External system connections
  90. 90. Ways to protect your Hadoop environment Excessive network access Excessive user permissions Typical web vulnerabilities Obsolete software Distros dependent vulnerabilities • A pentest after integration is a must. Demand security from software suppliers. External system connections
  91. 91. Ways to protect your Hadoop environment Excessive network access Excessive user permissions Typical web vulnerabilities Obsolete software Distros dependent vulnerabilities External system connections • Make a list of all external system connections. Do a threat modeling and pentest corresponding systems.
  92. 92. Thank you jakub.kaluzny@securing.pl MORE THAN SECURITY TESTING Contact me for additional materials @j_kaluzny

×