google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

Auth Bypass to RCE in Airflow #456

Closed am0o0 closed 1 month ago

am0o0 commented 3 months ago

Hi, this is according to PRP issue https://github.com/google/tsunami-security-scanner-plugins/issues/428

maoning commented 2 months ago

@am0o0 Please update your PR according to the feedback, so that we can merge your PR in asap.

am0o0 commented 2 months ago

Hi @leonardo-doyensec, apologies for the delay.

leonardo-doyensec commented 1 month ago

Hi @am0o0, thank you for your changes. However, after the last commits the plugin no longer builds.

~ Leonardo (Doyensec)

am0o0 commented 1 month ago

@leonardo-doyensec I fixed the issue.

leonardo-doyensec commented 1 month ago

LGTM - Approved @maoning you can merge it.

Reviewer: Leonardo, Doyensec

Plugin: Auth Bypass Lead to RCE in Apache Airflow
Feedback: The overall quality is good. The security testbed was easy to deploy. Although some aspects of the formatting were missing, the plugin detection and exploitation phases were nicely done.
Drawbacks: None

maoning commented 1 month ago

@am0o0 Could you check if the vulnerable configuration of the service recorded at https://github.com/google/security-testbeds/blob/6022938f728d5114f4b9c1d55bb498872018bd03/apache/airflow/CVE-2020-17526/README.md is still working as intended. I tried to do the manual verification and run the plugin, neither works.

am0o0 commented 1 month ago

@maoning as this PR took one and a half months to be reviewed, there is a benefit to this :) the sessions expire after a while and I can't set the expiration date anyway. But the good news, and the most interesting part, is that I found a very helpful Burp Suite extension that can be used to sign and unsign different kinds of tokens, like Flask session tokens, Django session tokens, Express.js session tokens and more. I copied the parts of the crypto signer that we need to generate a fresh session cookie signed by a constant secret key each time.

The source code of the Burp Suite plugin: https://github.com/d0ge/sign-saboteur/blob/main/src/main/java/one/d4d/signsaboteur/itsdangerous/crypto/DangerousTokenSigner.java

If you are interested, as a bounty PRP I can wrap all of these into very simple and smaller Java classes, because it is really helpful. After all, we have submissions that need to sign a Flask session key with a constant secret key.

You can look at the TokenSigner class as an example of what I'm explaining.
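The comment above describes minting a fresh Flask session cookie under a constant secret key instead of replaying a captured one that eventually expires. As an added, stand-alone illustration (not code from this PR, from the Tsunami project or from the sign-saboteur extension), the Python below re-implements the Flask `session` cookie format with only the standard library: itsdangerous' URLSafeTimedSerializer with salt `cookie-session`, HMAC-based key derivation and an HMAC-SHA1 signature over `payload.timestamp`. The secret key and payload are constructed placeholders; a real target needs its own configured `secret_key` and whatever session fields its authentication layer reads. The `epoch` parameter exists because itsdangerous releases before 2.0 count the timestamp from 2011-01-01 rather than the Unix epoch, which matters for the age check on older deployments.

```python
"""Mint and verify Flask session cookies with a known secret key.

Stand-alone re-implementation of Flask's session cookie scheme
(itsdangerous URLSafeTimedSerializer: salt "cookie-session", HMAC key
derivation, HMAC-SHA1 signature), so a fresh, unexpired cookie can be
generated on every run rather than replayed from a capture.
"""
import base64
import hashlib
import hmac
import json
import struct
import time
import zlib
from typing import Optional

SALT = b"cookie-session"   # Flask's SecureCookieSessionInterface.salt
SEP = b"."
# itsdangerous < 2.0 measures the timestamp from 2011-01-01, not the Unix
# epoch; pass epoch=ITSDANGEROUS_1X_EPOCH when targeting such a deployment.
ITSDANGEROUS_1X_EPOCH = 1293840000
# Constructed placeholder: the real value must equal the target's secret_key.
EXAMPLE_SECRET_KEY = "constant-example-secret"


def _b64encode(data: bytes) -> bytes:
    """URL-safe base64 without padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(secret_key: str, value: bytes) -> bytes:
    """HMAC-SHA1 over value, keyed with HMAC-SHA1(secret_key, salt)."""
    derived = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    return hmac.new(derived, value, hashlib.sha1).digest()


def sign_session(payload: dict, secret_key: str, *, now: Optional[float] = None,
                 epoch: int = 0) -> str:
    """Return a cookie value that Flask accepts as its `session` cookie."""
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:          # same heuristic as itsdangerous
        body = SEP + _b64encode(compressed)     # leading "." marks a zlib payload
    else:
        body = _b64encode(raw)
    ts = int((time.time() if now is None else now) - epoch)
    ts_bytes = struct.pack(">Q", ts).lstrip(b"\x00")
    signed = body + SEP + _b64encode(ts_bytes)
    return (signed + SEP + _b64encode(_signature(secret_key, signed))).decode()


def verify_session(cookie: str, secret_key: str, *, max_age: int = 31 * 24 * 3600,
                   now: Optional[float] = None, epoch: int = 0) -> Optional[dict]:
    """Decode a cookie if signature and age check out (Flask's rules), else None."""
    signed, sep, sig = cookie.encode().rpartition(SEP)
    try:
        if not sep or not hmac.compare_digest(_b64decode(sig),
                                              _signature(secret_key, signed)):
            return None
        body, _, ts_b64 = signed.rpartition(SEP)
        ts = struct.unpack(">Q", _b64decode(ts_b64).rjust(8, b"\x00"))[0]
        # Flask passes permanent_session_lifetime (31 days by default) as max_age.
        if (time.time() if now is None else now) - epoch - ts > max_age:
            return None
        data = _b64decode(body[1:]) if body.startswith(SEP) else _b64decode(body)
        if body.startswith(SEP):
            data = zlib.decompress(data)
        return json.loads(data)
    except (ValueError, struct.error, zlib.error):
        return None


if __name__ == "__main__":
    cookie = sign_session({"example": "constructed payload"}, EXAMPLE_SECRET_KEY)
    print(cookie)
    print(verify_session(cookie, EXAMPLE_SECRET_KEY))
```

`verify_session` mirrors the checks Flask applies on the server, so a minted cookie can be validated locally before it is sent; the 31-day age limit is the reason a cookie captured once and hard-coded into a testbed stops working after a long review cycle, while minting one at scan time never hits it.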

am0o0 commented 1 month ago

How did you choose the value of 25 here?

The 10 seconds was the time to get an out-of-band callback for a fresh server, so I thought it should be more for an airflow application with multiple deployments.

tooryx commented 1 month ago

Ack, thank you! I will give the Guice change a try when I have a bit of time (probably early next week) and come back to you. Otherwise we will just reduce the value so that the unit tests pass.

tooryx commented 1 month ago

Hi @am0o0,

I found a plugin that you can use as a reference to implement the Guice injection. See the phpunit detector.

Here are the required steps:

  1. You need to define an annotation for the wait time that will be used in the plugin, see Annotations.java
  2. You will need to define a provider for this value, in the BootstrapModule
  3. Ensure that the parameter is injected in the Detector
  4. You will then be able to bind a specific value in the tests

Let me know if you encounter any issue in the process.

Cheers, ~tooryx

am0o0 commented 1 month ago

@tooryx thank you a lot for helping me with this!

tooryx commented 1 month ago

Thank you for your work on this @am0o0. I asked a second member of the team to take a quick look. I expect this should be merged before the end of the week.

Cheers, ~tooryx

tooryx commented 1 month ago

Hi @am0o0,

Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!