By: Walker Rowe, June 02, 2017 (06:10 AM)

Jupyter and Zeppelin: The Most Dangerous Web Interfaces

Data scientists and big data programmers are familiar with Jupyter (formerly IPython) and Zeppelin. These are excellent programming tools because you can write code in a wide variety of languages and execute it right on a web page, and they connect easily to Spark and Hadoop environments. But from a security point of view they can be quite dangerous, because by default they are installed without any authentication. Below we show how easy it is to get a root shell with Zeppelin.

Jupyter and Zeppelin are not just IDEs. They support markdown and graphs. Markdown is the same syntax that you use on GitHub to create headings, bulleted lists, hyperlinks, etc. With it you can create stunning live web pages that run analytics against Spark or Hadoop, or just run queries or any kind of code, and display the results in a self-documenting table or graph. To do that you write the code, hide the code editor, and then give your users access to the web page.

These notebooks let you mix different languages in the same web page. For example, in Jupyter we can add the sh shell by adding a new note (i.e., a blank line for code) and telling it to use the sh interpreter.

We then enter the command whoami and click the arrow to run.  As you can see we now have root access to this machine.

Fortunately, most people working with these notebooks will not have them exposed to the internet.  Most likely they would have installed it on their desktop or a node in a Spark or Hadoop cluster.

Either way, they need to put a password on it. With Zeppelin you do that in $ZEPPELIN_HOME/conf/shiro.ini. Comment out anonymous access and turn on authentication:

#/** = anon
/** = authc

Then add users and their roles under the [users] section:

admin = password, admin
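
To check an existing install for the settings described above, the following added example (not part of the original article and not Zeppelin's own code) audits the text of a shiro.ini for an unauthenticated /** rule and for guessable passwords in [users]. The function names, the weak-password list and both sample files are constructed for illustration.

```python
import re

# Constructed sample list; extend it with your own organisation's banned passwords.
WEAK_PASSWORDS = {"password", "admin", "changeme"}

def parse_shiro_ini(text):
    """Return {section: {key: value}}, skipping blank lines and comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # a commented-out rule does not count
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def audit(text):
    """Return a list of findings for the shiro.ini content in `text`."""
    findings = []
    cfg = parse_shiro_ini(text)
    catch_all = cfg.get("urls", {}).get("/**")
    if catch_all is None:
        findings.append("no /** rule in [urls]")
    elif "authc" not in re.split(r"[,\s]+", catch_all):
        findings.append(f"/** is '{catch_all}', not authc")
    for name, value in cfg.get("users", {}).items():
        password = value.split(",")[0].strip()   # format: user = password, role
        if password.lower() in WEAK_PASSWORDS:
            findings.append(f"user '{name}' has a guessable password")
    return findings

# Constructed sample: anonymous access left on, password copied from a tutorial.
INSECURE = """[users]
admin = password, admin
[urls]
/** = anon
"""
# Constructed sample: anonymous rule commented out, authc enforced.
HARDENED = """[users]
analyst = Xq7-constructed-example, admin
[urls]
#/** = anon
/** = authc
"""

if __name__ == "__main__":
    for label, sample in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, audit(sample) or "ok")
```

To audit a real install, pass the contents of $ZEPPELIN_HOME/conf/shiro.ini to audit().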

Walker Rowe

Walker Rowe is an American freelance tech writer and programmer living in Chile. He specializes in big data analytics, cybersecurity, and IoT and publishes the website SouthernPacificReview.com.

Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
