Internet Bug Bounty: CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag


Apache Airflow Docker's Provider shipped with an example DAG that was vulnerable to (authenticated) remote code execution on the Airflow worker host.

## Vulnerability summary

In the DAG script shipped with Airflow 2.3.3 there is a command injection vulnerability (RCE) in the script `example_docker_copy_data.py` of the Docker provider, through which the permissions of the operating system user running the worker can be obtained.

Source path: `airflow-2.3.3/airflow/providers/docker/example_dags/example_docker_copy_data.py`

## Vulnerability details

(1) Vulnerability principle:

1. It can be seen from the source code of the `example_docker_copy_data.py` script that it executes a bash command. The parameter `source_location` in the template expression `{{params.source_location}}` is externally controllable and is rendered through a Jinja2 template.
2. Further analysis of the `from airflow.operators.bash import BashOperator` import shows that the `bash_command` parameter value is executed as a bash script.

(2) Vulnerability exploit:

1. Enter the DAGs menu, start the `docker_sample_copy_data` task and select "Trigger DAG w/ config".
2. To construct the payload, commands can be separated with `;`, so any operating system command can be injected and executed (RCE).

Payload:

```json
{"source_location":";touch /tmp/thisistest;"}
```

Then click Trigger to execute the task. The final command is as follows:

```python
locate_file_cmd = """
sleep 10
find ;touch /tmp/thisistest; -type f -printf "%f\n" | head -1
"""
```

Through the log and the server view it can be seen that the arbitrary command has been executed successfully.

## Impact

An attacker can execute arbitrary commands on the Airflow host.
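To make the root cause and the fix concrete, here is an added Python example that is not part of the original report or of the Airflow code base. It stands in for the Jinja2 rendering with `str.format` (an assumption, so it runs offline), counts how many shell commands the rendered `bash_command` would actually run, and shows the hardening a DAG author would apply: allowlist validation of `source_location` plus `shlex.quote` before interpolation. `LOCATE_FILE_TEMPLATE` is a constructed simplification of the DAG's command.

```python
import re
import shlex

# Constructed stand-in for the DAG's templated command (sleep omitted for brevity).
LOCATE_FILE_TEMPLATE = 'find {source_location} -type f -printf "%f\\n" | head -1'

# The payload from the report: ';' terminates the find command early.
REPORTED_PAYLOAD = ";touch /tmp/thisistest;"

# Allowlist for a path-like value: no leading '-', no shell metacharacters, no '..'.
SAFE_PATH = re.compile(r"[A-Za-z0-9_/][A-Za-z0-9_./-]*")


def render_vulnerable(source_location: str) -> str:
    """Models Jinja interpolating {{params.source_location}} verbatim (assumption)."""
    return LOCATE_FILE_TEMPLATE.format(source_location=source_location)


def render_quoted(source_location: str) -> str:
    """Quoting alone keeps the value a single argument, even if it is still junk."""
    return LOCATE_FILE_TEMPLATE.format(source_location=shlex.quote(source_location))


def render_hardened(source_location: str) -> str:
    """Validate against the allowlist first, then shell-quote before interpolation."""
    if not SAFE_PATH.fullmatch(source_location) or ".." in source_location:
        raise ValueError(f"rejected source_location: {source_location!r}")
    return render_quoted(source_location)


def rejects(source_location: str) -> bool:
    """True if the hardened renderer refuses the value."""
    try:
        render_hardened(source_location)
    except ValueError:
        return True
    return False


def shell_commands(command: str) -> int:
    """Count simple commands a POSIX shell would run: split on unquoted ; | && ||."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = sum(1 for tok in lexer if tok in (";", "|", "&&", "||"))
    return 1 + separators


if __name__ == "__main__":
    print(render_vulnerable(REPORTED_PAYLOAD), shell_commands(render_vulnerable(REPORTED_PAYLOAD)))
    print(render_quoted(REPORTED_PAYLOAD), shell_commands(render_quoted(REPORTED_PAYLOAD)))
    print("hardened rejects payload:", rejects(REPORTED_PAYLOAD))
```

The same tokeniser can be pointed at the rendered `bash_command` in a task log to confirm whether a triggered run carried an injected separator.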