Escolar Documentos
Profissional Documentos
Cultura Documentos
Researcher
Hadoop, FOREX, MFP printers, proprietary network
protocols
Agenda
standard user
admin
admin user
privileges
WHAT IS HADOOP?
Know your target
Normal database
hMp://hackaday.com/2014/04/04/sql-injec6on-fools-speed-traps-and-clears-your-record/
Still normal database scenario
hMp://hococonnect.blogspot.com/2015/06/red-light-cameras-in-columbia.html
hMp://hackaday.com/2014/04/04/sql-injec6on-fools-speed-traps-and-clears-your-record/ hMp://8z4.net/images/ocr-technology
Clear rules
Clear target
Anegdote
hMp://veprime.org/blackmagic.cgi?id=7007203773
hMps://www.ickr.com/photos/photonquan6que/2596581870/
Hadoop architecture schema
More on Hadoop
Hadoop injection points
Hadoop scenario
hMp://bigdataanaly6csnews.com/tag/hortonworks/
hMps://www.ickr.com/photos/madmadla/8349565473
hMps://en.wikipedia.org/wiki/Moneygami
What is a lot of data?
hMps://plus.google.com/+Magiccardtrickszone6ps
RISK ANALYSIS
Know your threats
Risk analysis
Technical perspective:
External aMacker
Anonymous
Ex-employee
Insider
Exployee (with some rights in Hadoop): user, admin
Infected machine, APT
Risk analysis
Privilege escala6on
Authen6ca6on bypass
Abuse
DoS
Data tampering
Risk analysis
hMps://en.wikipedia.org/wiki/Dowsing#Rods
WHAT HADOOP
REALLY IS
under sales-magic-cloud-big-data cover
Typical architecture
hMp://thebigdatablog.weebly.com/blog/the-hadoop-ecosystem-overview
Apache Hue
hMp://techbusinessintelligence.blogspot.com/2014/11/tableau-sokware-cloudera-hadoop.html
Hadoop injection points
Distros
specics
User Admin
Hadoop
ifaces ifaces
external
ifaces
OUR STORY WITH
BIG DATA
ASSESSMENT
a.k.a. crash course on hacking big data environments
Interfaces
Distros
specics
User Admin
Hadoop
ifaces ifaces
external
ifaces
USER INTERFACES
Distros
specics
User Admin
Hadoop
ifaces ifaces
external
ifaces
User interfaces
Apache Hue
Pig, Hive, Impala, Hbase, Zookeeper, Mahout, Oozie
Other
Tez, Solr, Slider, Spark, Phoenix, Accummulo, Storm
U H A
E
Is Hue an internal interface?
hMp://9gag.com/gag/awrwVL1/hue-hue-hue
U H A
E
Apache Hue overview
U H A
hMp://gethue.com/ E
Apache Hue DOM XSS
Distros
specics
User Admin
Hadoop
ifaces ifaces
external
ifaces
Admin interfaces
Apache Ambari
Provisioning, monitoring
Apache Ranger
Security: authoriza6on, authen6ca6on, audi6ng, data encryp6on, administra6on
Other
Knox, Cloudbreak, Zookeeper, Falcon, Atlas, Sqoop, Flume, Kapa
U H A
E
Apache Ambari
Troch o Ambari
D
hMp://www.slideshare.net/hortonworks/ambari-using-a-local-repository?next_slideshow=1
U H A
E
Apache Ambari
U H A
hMp://www.slideshare.net/hortonworks/ambari-using-a-local-repository?next_slideshow=1
E
Is Ambari an internal interface?
hMp://knowyourmeme.com/memes/facepalm
U H A
E
Apache Ambari
U H A
E
Apache Ambari REST API proxy
Standard request:
/proxy?url=http://XXXXXXXXX:8188/ws/v1/
timeline/HIVE_QUERY_ID?
limit=1&secondaryFilter=tez:true&_=142418001
6625
Tampered request (logs accessible only
from DMZ):
/proxy?url=http://google.com
/proxy?url=http://XXXXXXX:8088/logs D
/proxy?url=http://XXXXXXX:8088/logs/yarn-
U H A
yarn-resourcemanager-XXXXXXX.log
E
Apache Ambari Server Side Request Forgery
CVE-2015-1775 U H A
E
Apache Ambari attack scenario
U H A
E
Admin interfaces
Distros
specics
User Admin
Hadoop
ifaces ifaces
external
ifaces
Apache Ranger overview
Previously: Apache Argus, XA-Secure
U H A
hMp://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Sys_Admin_Guides/content/
ref-746ce51a-9bdc-4fef-85a6-69564089a8a6.1.html
E
Apache Ranger overview
hMp://hortonworks.com/blog/best-prac6ces-for-hive-authoriza6on-using-apache-ranger-in-hdp-2-2/ U H A
E
Apache Ranger
U H A
E
Missing function level access control
CVE-2015-0266
U H A
E
Apache Ranger attack scenario
Target an old Hadoop installa6on (Apache Ranger 0.4 or XA-Secure v.
3.5.001 )
U H A
E
Apache Ranger vulnerabilities
D
hMps://cwiki.apache.org/conuence/display/RANGER/Apache+Ranger+0.5+-+User+Guide
U H A
E
Apache Ranger XSS through UserAgent
User-Agent: Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.0) <script>alert(1);</
script>
CVE-2015-0265 U H A
E
Apache Ranger attack scenario
Target an old Hadoop installa6on (Apache Ranger 0.4 or XA-
Secure v. 3.5.001 )
U H A
E
Apache Ranger patched
U H A
E
RANGER-284 shortly after vendor contact
U H A
E
DISTRIBUTIONS
SPECIFICS
not in every environment
Distribution specifics
Distros
specics
User Admin
Hadoop
ifaces ifaces
external
ifaces
Distros
hMp://blog.cloudera.com/blog/2012/07/the-hadoop-ecosystem-visualized-in-datameer/ U H A
E
Basic distinction
cloud hosted
based locally
Distros
Most cases:
MAJOR ca. 1 year
MINOR ca. 3 months
D
PATCH ca. 1-2 months (differs much)
U H A
E
Hortonworks HDP components by version
hMp://hortonworks.com/hdp/whats-new/
Distros
Default congura6on
D
U H A
E
Vulnerability timeline
Full Responsible
disclosure? Disclosure?
D
Full Responsible
disclosure? disclosure? U H A
E
Distros
Default passwords
SSH keys congured but default passwords s6ll work
Default mysql passwords, NO mysql passwords
Default congura6on
U H A
E
Distros
Default passwords
Default congura6on
No network level hardening
No HTTP hardening (clickjacking, session mgmt, errors)
Hue uses Django with DEBUG turned on by default
Hacking virtual appliances by Jeremy Brown D
U H A
E
Default configurations sucks
X-Frame-Options:ALLOWALL
U H A
E
EXTERNAL
INTERFACES
For clients or whatsoever
External interfaces
Distros
specics
User Admin
Hadoop
ifaces ifaces
external
ifaces
External
U H A
E
Hadoop
Distros
specics
User Admin
Hadoop
ifaces ifaces
external
ifaces
SUMMARY
ways to protect your big data environment
Ways to protect your Hadoop environment
Obsolete sokware
Obsolete sokware
Obsolete sokware
Obsolete sokware
Make a list of all components. Monitor bugtracks and CVEs.
Obsolete sokware
Obsolete sokware
Thank you