google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

AI PRP: Request CVE-2020-17526 Auth Bypass in Airflow #428

Closed maoning closed 3 months ago

maoning commented 6 months ago

https://github.com/projectdiscovery/nuclei-templates/blob/b686b1aea279093c30b35486db65a0e9917b66c4/http/cves/2020/CVE-2020-17526.yaml#L4

Please chain the Nuclei template with better verification, like triggering an OOB callback.

Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.

am0o0 commented 6 months ago

Hi, I would like to start working on writing a plugin.

maoning commented 6 months ago

Hi @am0o0 ,

Thank you for picking up this request! Please make sure the following items are completed before the plugin implementation:

am0o0 commented 6 months ago

The easy part was setting up the vulnerable version and bypassing the authentication; the hard part was the RCE :))

I exploited one of the default DAGs, named example_trigger_target_dag, and inserted my parameter when I wanted to trigger the DAG.

I tested the OOB callback and everything is fine and quick.

am0o0 commented 6 months ago

@maoning I think you forgot about this submission. Can I start working on this? Did I provide what you want as "vulnerability research" in the desired way?

maoning commented 6 months ago

@am0o0 Providing more details in the vulnerability research could help make the review process faster. Could you add the network requests you used to do the auth bypass as well as OOB request triggering? Thanks!

maoning commented 6 months ago

I see a few users are set in the configuration: there are an airflow user, a postgres user and a redis user. Do you know if the ones you have for the security-testbeds are the default ones mentioned by the official documentation, or if they are only from the vulnhub config?

am0o0 commented 6 months ago

add the network requests you used to do the auth bypass as well as OOB request triggering?

It is added now! Sorry I didn't automate it; you need a little bit of copy and replace.

I see a few users are set in the configuration: there are an airflow user, a postgres user and a redis user. Do you know if the ones you have for the security-testbeds are the default ones mentioned by the official documentation, or if they are only from the vulnhub config?

There is no need to know about the default configuration; the only thing we need is the user with id 1, which is admin, and the Python script creates it for us automatically. We can test for user_ids 2, 3 and more, but 1 must exist.

am0o0 commented 6 months ago

Update: the first user can be a regular user, because a regular user can trigger the vulnerable DAG for testing the OOB.

maoning commented 6 months ago

@am0o0 Please submit our participation form and you can start working on the development.

am0o0 commented 6 months ago

Oh, @maoning, there is already a plugin request exactly for what I did here: the post-authentication RCE has been assigned a CVE that is mentioned in the following issue :) but I found it myself again here.

https://github.com/google/tsunami-security-scanner-plugins/issues/400

I can implement a plugin with an RCE payload and callback instead of only checking the auth bypass as in the mentioned issue.

maoning commented 6 months ago

@am0o0 Thank you for bringing this to my attention. #400 escaped my notice because it is under a different CVE. I agree that these 2 plugins overlap, and I would like to merge in the one with RCE verification. You can continue with the implementation.

tooryx commented 3 months ago

Hi @am0o0,

This contribution has been merged and the panel has decided on the reward. You should receive an update on the tracker in a few minutes.

~tooryx