Arbitrary File Write Affecting org.apache.hive:hive-hplsql package, versions [2.1.0,2.3.3)


Snyk CVSS: 0.0 low
  Attack Complexity: High

Threat Intelligence
  EPSS 0.16% (51st percentile)
NVD: 3.7 low

  • Snyk ID SNYK-JAVA-ORGAPACHEHIVE-460761
  • published 4 Apr 2018
  • disclosed 4 Apr 2018
  • credit Snyk Security Research Team

How to fix?

Upgrade org.apache.hive:hive-hplsql to version 2.3.3 or higher.

Overview

org.apache.hive:hive-hplsql is data warehouse software that facilitates reading, writing, and managing large datasets residing in distributed storage using SQL.

Affected versions of this package are vulnerable to Arbitrary File Write via the File Transfer Protocol (FTP) client functionality. Hive provides an SQL-like interface for querying data stored in the various databases and file systems that integrate with Hadoop. Among other things, it supports copying data from FTP servers using the COPY FROM FTP command:

COPY FROM FTP host [USER user [PWD password]] [DIR directory] [FILES files_wildcard]
  [TO [LOCAL] target_directory] [options]

options: OVERWRITE | NEW SUBDIR SESSIONS num

A possible attack is overwriting the SSH authorized_keys file of the root user, making it possible to log in as root later on. Assume that an Apache Hive instance connects to the attacker's malicious FTP server to download some merchant data daily, using the following query:

COPY FROM FTP remote.merchant.domain.com
  USER 'foo' PWD '***'
  DIR data/sales/in FILES  '.*'
  TO /data/sales/raw OVERWRITE

The malicious FTP server would return filenames containing path traversal sequences to the client, for instance by responding to a LIST command with ../../../../../../../home/root/.ssh/authorized_keys.

When Hive executes the above statement (assuming it is running as root), root's SSH authorized_keys file will be overwritten with one known to the attacker.

Details

FTP is a standard network protocol used to transfer files between a client and a server. Out of the box, it does not offer a command for downloading a whole folder, but it does allow the following:

  1. Listing all of the files in a remote folder (LIST or NLST FTP commands)
  2. For each file in the listing above: downloading the file and saving it to a local folder (GET or MGET FTP commands)

The following is an example of Java code that downloads a folder using the Apache commons-net library:

import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;

import org.apache.commons.net.ftp.FTPClient;
import org.apache.commons.net.ftp.FTPFile;

private void downloadDirectory(FTPClient ftpClient, String remoteDir, String localDir) throws IOException
{
  // Every FTPFile here is built from text the server sent in its LIST reply.
  FTPFile[] subFiles = ftpClient.listFiles(remoteDir);
  for (FTPFile aFile : subFiles)
  {
    if (!aFile.isDirectory())
    {
      String remoteFile = ftpClient.printWorkingDirectory() + File.separator + aFile.getName();
      // The server-supplied name is joined to localDir without any validation.
      String localFile = localDir + File.separator + aFile.getName();

      try (OutputStream downloadedStream = new BufferedOutputStream(new FileOutputStream(new File(localFile))))
      {
        boolean success = ftpClient.retrieveFile(remoteFile, downloadedStream);
      }
    }
  }
}

The code above iterates over each file returned by the server and downloads it into a local destination folder. For example, if the first file in the remote folder is named passwd and the local destination folder is /var/data/sync/, the file ends up at /var/data/sync/passwd.

But if the FTP server is malicious and, instead of responding to the LIST command with passwd, returns ../../../../etc/passwd as the filename, the code above will place the file at /var/data/sync/../../../../etc/passwd, effectively overwriting /etc/passwd with the newly downloaded content.
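The missing step in the loop above is validation of the server-supplied name before it is joined to the destination directory. The following is an added example of such a check using only JDK path APIs; it is not the project's fix and not Snyk's code, and the LIST results in main are constructed to mirror the names discussed on this page.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeFtpTarget {

    /**
     * Maps a name taken from an FTP LIST/NLST reply to a path directly inside
     * localDir, or returns null when the name must be rejected. Callers should
     * skip (and log) rejected entries instead of downloading them.
     */
    static Path safeLocalTarget(Path localDir, String serverName) {
        // A listing entry must be a bare file name: no separators, no "." or "..".
        if (serverName == null || serverName.isEmpty()
                || serverName.indexOf('/') >= 0 || serverName.indexOf('\\') >= 0
                || serverName.equals(".") || serverName.equals("..")) {
            return null;
        }
        Path base = localDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(serverName).normalize();
        // Defence in depth: the resolved path must still be a direct child of base,
        // so a name that slipped past the checks above cannot leave the directory.
        if (candidate.getParent() == null || !candidate.getParent().equals(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/var/data/sync");
        // Constructed sample listing: one benign name and two traversal attempts
        // of the kind a malicious server could return.
        String[] listResults = {
            "passwd",
            "../../../../etc/passwd",
            "../../../../../../../home/root/.ssh/authorized_keys",
        };
        for (String name : listResults) {
            Path target = safeLocalTarget(dest, name);
            System.out.println(name + " -> " + (target == null ? "REJECTED" : target));
        }
    }
}
```

Only the first entry resolves (to /var/data/sync/passwd); the two traversal names are rejected before any local file is opened, which is the behaviour the vulnerable loop lacks.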

For more information you can check out our blog post.

Disclosure Timeline

Date Event
2/11/2017 Vulnerability discovered by Snyk Security Research
8/11/2017 List of affected Apache products disclosed to the foundation.
5/2/2018 Apache informed us that they plan to release a fixed version by the end of February.
4/4/2018 Post published.
4/4/2018 Vulnerability published.