Apache DolphinScheduler Default Credentials Tester with RCE #796

Open
hayageek wants to merge 3 commits into google:master from hayageek:master

@hayageek (Contributor) commented Feb 20, 2026

Hi @tooryx,
This is the PR for Apache DolphinScheduler Default Credentials Tester with RCE. Related issue: #531
Additionally, I have created a PR in security-testbeds that includes the README and POC. This is the PR: google/security-testbeds#192

I have used the below command to test:

java -cp "main/build/libs/tsunami-main-0.1.1-SNAPSHOT.jar:plugins/*" -Dflogger.level=DEBUG com.google.tsunami.main.cli.TsunamiCli   --uri-target=http://127.0.0.1:12345   --scan-results-local-output-filename=out.json     --scan-results-local-output-format=JSON --callback-address=192.168.0.104 --callback-port=8881 --callback-polling-uri=http://127.0.0.1:8880

Here is the screenshot: apache_dolphin_scheduler

@robert-doyensec (Collaborator)

Hi @hayageek, I'm having issues building the plugin due to failing tests.
There are a few issues I think I see with the tests and plugin:

  • You simulate a Java Gateway server that executes commands -- instead of actually executing the payload, you should just return a response as if it was executed. The way it's currently set up, there is one successful callback response queued, but this response is taken by the RCE interaction and then the socket is closed before the polling request is made.
  • Please bind the Java Gateway server in the tests to localhost.
  • For fingerprinting dolphin scheduler, there are multiple paths tried String[] paths = {"", "dolphinscheduler", "dolphinscheduler/ui","dolphinscheduler/ui/login"}; and only one response returned in the mock web server. The socket is closed before the other paths are tried, resulting in a failing test. You should make the mock server respond to each one.
  • Please use the INFO logging level instead of WARNING for anything that is expected, such as logger.atWarning().log("Failed to authenticate with Java Gateway."); for the secure case.

There may be some more changes required -- for now please make these changes and ensure that the plugin builds so that the rest can be evaluated more.
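
The fingerprinting failure described in the review above comes from queuing a single mock response for several probes. As an added illustration (not code from this PR or from Tsunami), the sketch below answers every probed path through a dispatcher and binds the listener to loopback. It assumes the tests use OkHttp's MockWebServer; the class name `FingerprintMockServer`, the helper `normalize` and the response body are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.Set;
import okhttp3.mockwebserver.Dispatcher;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;

/** Hypothetical test helper: a mock web server that answers every fingerprinting probe. */
final class FingerprintMockServer {
  // Request paths the server sees for the four entries quoted in the review
  // ("", "dolphinscheduler", "dolphinscheduler/ui", "dolphinscheduler/ui/login").
  private static final Set<String> PROBED_PATHS =
      Set.of("/", "/dolphinscheduler", "/dolphinscheduler/ui", "/dolphinscheduler/ui/login");

  // Constructed body; the marker the plugin really matches on is not shown in this thread.
  private static final String LOGIN_PAGE = "<html><title>DolphinScheduler</title></html>";

  static MockWebServer start() throws IOException {
    MockWebServer server = new MockWebServer();
    // A Dispatcher is consulted for every request, so the number and order of probes
    // no longer matter. A single server.enqueue(...) response is consumed by the
    // first probe and leaves nothing for the later ones.
    server.setDispatcher(
        new Dispatcher() {
          @Override
          public MockResponse dispatch(RecordedRequest request) {
            return PROBED_PATHS.contains(normalize(request.getPath()))
                ? new MockResponse().setResponseCode(200).setBody(LOGIN_PAGE)
                : new MockResponse().setResponseCode(404);
          }
        });
    // Bind to loopback only so the test listener is never reachable from the network.
    server.start(InetAddress.getLoopbackAddress(), 0); // port 0 = any free port
    return server;
  }

  // Drops the query string and a trailing slash so "/dolphinscheduler/" also matches.
  static String normalize(String rawPath) {
    if (rawPath == null) {
      return "/";
    }
    int query = rawPath.indexOf('?');
    String path = query >= 0 ? rawPath.substring(0, query) : rawPath;
    if (path.length() > 1 && path.endsWith("/")) {
      path = path.substring(0, path.length() - 1);
    }
    return path.isEmpty() ? "/" : path;
  }
}
```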

@hayageek (Contributor, Author)

Hi @robert-doyensec, I have implemented the code review comments.

@robert-doyensec (Collaborator) left a comment

Hi @hayageek, can you run google-java-format on each of the Java files (including the tests file)?

@hayageek (Contributor, Author)

Hi @robert-doyensec, I formatted the Java files with google-java-format.

@tooryx added the dependencies, java and credentials labels and removed the dependencies label on Feb 27, 2026

@robert-doyensec (Collaborator) commented Feb 27, 2026

LGTM - Approved
@tooryx, this can be merged alongside google/security-testbeds#192.

Reviewer: Robert, Doyensec
Plugin: Apache DolphinScheduler Default Credentials Tester with RCE
Drawbacks:

  • The way this works is by checking if the web server reported from the nmap scan is DolphinScheduler, then trying a default Java Gateway port with default credentials. If the port has been changed, it might result in false negatives; however, if the port of the Java Gateway is changed, it's likely that the credentials would not be the default credentials anyway.
  • In the build tests, it launches a mock Java Gateway server which is bound to localhost and pretends to be the Java Gateway without executing the commands. I believe this is okay and not so different from the existing mock web server.
