🕵️ Internet Bug Bounty: CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag
News section: 🕵️ Security vulnerabilities
🔗 Source: vulners.com
Apache Airflow's Docker Provider shipped with an example DAG that was vulnerable to (authenticated) remote code execution on the Airflow worker host.

Vulnerability summary: In the example DAG example_docker_copy_data.py of the Docker provider shipped with Airflow 2.3.3, there is a command injection vulnerability (RCE). An authenticated user who can trigger the DAG can execute arbitrary operating-system commands on the worker, with the privileges of the Airflow worker process.

source path: airflow-2.3.3/airflow/providers/docker/example_dags/example_docker_copy_data.py

Vulnerability details:

(1) Vulnerability principle:

1. The source of example_docker_copy_data.py shows that the DAG executes a bash command, and that the parameter 'source_location' in the template expression {{params.source_location}} is externally controllable: Airflow renders it through a Jinja2 template directly into the command string, without any shell quoting. The value comes from the DAG-run configuration, which Airflow merges into params when dag_run_conf_overrides_params is enabled.

2. Following the import "from airflow.operators.bash import BashOperator": the bash_command parameter value is executed as a bash script, so whatever Jinja2 renders into it runs on the worker.

(2) Vulnerability exploit:

1. Enter the DAGs menu, start the docker_sample_copy_data task and select "Trigger DAG w/ config": http://192.168.3.17:8080/trigger?dag_id=docker_sample_copy_data

2. To construct the payload, separate commands with ';' so that any operating-system command can be injected and executed (RCE). Because the substitution is plain text, the ';' terminates the find command and starts a new one.

PAYLOAD: {"source_location":";touch /tmp/thisistest;"}

3. Click Trigger to execute the task. The final command is as follows:

locate_file_cmd = """ sleep 10 find... ...

Note: the vulnerable DAG is only present on deployments that load the provider example DAGs (core.load_examples); upgrading apache-airflow-providers-docker to 3.0.0 or later removes the vulnerability.
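The rendering step from (1) and the payload from (2), as an added example that is not code from the report or from Apache Airflow: a minimal regex substitution stands in for Jinja2 so it runs without the airflow or jinja2 packages, the template is a simplified stand-in for the DAG's locate_file_cmd (only "sleep 10" and "find" are taken from the report), and nothing is executed. The shell_commands helper splits the rendered line on ';' the way a POSIX shell would, so the effect of the injection is visible as a separate command; render_quoted and is_safe_path show the two checks a hardened DAG would apply.

```python
"""Added example (not code from the report or from Apache Airflow).

Models how a templated bash_command is built from attacker-controlled params.
A regex substitution stands in for Jinja2 (assumption: Jinja2 does plain text
substitution here, which is what makes the injection work).  Nothing is run.
"""
from __future__ import annotations

import re
import shlex

# Simplified stand-in for the DAG's locate_file_cmd: "sleep 10" and "find" are
# from the report, the rest is made up for the demo.
LOCATE_FILE_TEMPLATE = "sleep 10; find {{params.source_location}} -type f | head -1"

# Payload exactly as given in the report (DAG-run config -> params).
PAYLOAD = {"source_location": ";touch /tmp/thisistest;"}

_PLACEHOLDER = re.compile(r"\{\{\s*params\.(\w+)\s*\}\}")


def render_unsafe(template: str, params: dict) -> str:
    """Vulnerable path: raw substitution into the command string, no quoting."""
    return _PLACEHOLDER.sub(lambda m: str(params[m.group(1)]), template)


def render_quoted(template: str, params: dict) -> str:
    """Hardened variant: shell-quote each value before it reaches bash, so the
    whole value becomes a single argument of `find`."""
    return _PLACEHOLDER.sub(lambda m: shlex.quote(str(params[m.group(1)])), template)


def is_safe_path(value: str) -> bool:
    """Allowlist check for source_location: absolute path, conservative charset,
    no parent traversal.  Apply this in addition to quoting (defence in depth)."""
    return re.fullmatch(r"/[A-Za-z0-9_./-]*", value) is not None and ".." not in value


def shell_commands(command_line: str) -> list[list[str]]:
    """Split a command line into simple commands on unquoted ';' using shlex in
    POSIX mode with punctuation_chars, so a quoted ';' stays inside its word."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("quoted", render_quoted)):
        line = renderer(LOCATE_FILE_TEMPLATE, PAYLOAD)
        print(f"{name}: {line}")
        for cmd in shell_commands(line):
            print("   ", cmd)
    print("is_safe_path(payload):", is_safe_path(PAYLOAD["source_location"]))
```

With the raw rendering the attacker's `touch /tmp/thisistest` appears as its own command between `find` and `-type f`; with shlex.quote the same payload is a single, harmless argument to `find`, and is_safe_path rejects it outright. In a real DAG the equivalent of render_quoted is to pass the value through the operator's env and reference it as "$SRC" in the script rather than templating it into bash_command.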