AI PRP: Arbitrary File Read in mlflow CVE-2023-6977

[frkngksl]

Hi,

I want to develop a plugin for mlflow LFI - CVE-2023-6977.

Vulnerability Information: This vulnerability enables malicious users to read sensitive files on the server.

Vulnerable Versions are below the 2.9.2

References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-6977
• https://github.com/mlflow/mlflow/commit/4bd7f27c810ba7487d53ed5ef1038fca0f8dc28c
• https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf

The vulnerability requires three HTTP requests one is GET and the other two are POST. After creating a model, by using a symlink, one can read files on the filesystem.

Actually, after sending an AI PRP for a CVE that already exists on the Tsunami, I searched this CVE code on the repository checked the issues, and found nothing. I hope it is not found in the Tsunami and this is not a duplicated issue.

[tooryx]

Hi @frkngksl,

We already have a plugin that detects CVE-2023-1177 which seems to be the previous version of that vulnerability. Could you:

1. Confirm that our understanding is correct (CVE-2023-6977 is a bypass of the mitigation implemented for CVE-2023-1177);
2. Perform the modification directly to the existing plugin as it looks like this version encompass the previous one as well.
3. Change the README accordingly to mention that this covers both vulnerabilities

Let me know if you are interested. This would qualify for a slightly lower bounty though.

Cheers, ~tooryx

[frkngksl]

Hi @tooryx,

I could implement and compine it with the existing plugin, but I applied for #429 . Since you said that this PRP is lower bounty, could I take these two together?

[tooryx]

Hi @frkngksl,

I did not really track the status of #429, so I do not know who it will be assigned to. But you can start working on this one, given its size, it should be fairly quick.

Cheers, ~tooryx

[frkngksl]

Okay then, I will start with this one. Will you send me a submission link to track the progress?

[tooryx]

Please submit our participation form and you can start working on the development.

Thanks! ~tooryx

[frkngksl]

Hi @tooryx , Do you want me to also add CVE-2023-2780 ? As far as I understand from the first glance, it is another bypass for CVE-2023-1177. It can be thought as the same category with the CVE-2023-6977. Maybe it might help to increase the bounty amount too?

Ref: https://huntr.com/bounties/b12b0073-0bb0-4bd1-8fc2-ec7f17fd7689

[frkngksl]

Hi @tooryx, I have one more question. In terms of modifying the plugin, do you expect that this plugin will create three (if you accept the above one) different detection reports that state CVEs seperately? Or should I just add these three different types of LFI methods and return the current report (CVE-2023-1177, current version of the code) for all of them (not mentioning their CVEs specifically)? I'm a bit confused because all mentioned CVEs have three HTTP requests, and only the first ones are the same.

Also, it should be noted that one version of Mlflow can be vulnerable to three assigned vulnerabilities at the same time. Tested and observed with version 2.1.0.

Therefore, I'm not sure how to edit the following code block for multiple CVEs according to your standarts

@Override
  public DetectionReportList detect(
      TargetInfo targetInfo, ImmutableList<NetworkService> matchedServices) {
    logger.atInfo().log("CVE-2023-1177 starts detecting.");

    return DetectionReportList.newBuilder()
        .addAllDetectionReports(
            matchedServices.stream()
                .filter(NetworkServiceUtils::isWebService)
                .filter(this::isServiceVulnerable)
                .map(networkService -> buildDetectionReport(targetInfo, networkService))
                .collect(toImmutableList()))
        .build();
  }

[tooryx]

Hi @frkngksl,

My understanding is that: the original advisory (CVE-2023-1177) had two bypasses CVE-2023-2780 and CVE-2023-6977. CVE-2023-6977 is the latest one and contains the two others. Do you see any added value in checking CVE-2023-2780 separately? It does not seem necessary to me, unless each bypass is possible only after the previous patch, then we might need different plugins.

As for detection report, just detecting the latest bypass and reporting it should be sufficient (still if the latest one contains the two other).

[frkngksl]

Hi @tooryx,

I understand your point better now, thank you so much. Although used techniques are different in these bypasses (CVE-2023-2780 uses a flaw in the patch, and CVE-2023-6977 uses a symlink to bypass these two patches), when somebody uses CVE-2023-6977, they can read system files until the version 2.9.2 (others are fixed earlier) because it was possible even before the patches and it is related to the same endpoints. So, I will edit the plugin so that it will detect and try CVE-2023-6977 case and mentions about this detail in the README file.

Cheers!

[frkngksl]

Hi @tooryx ,

Just one more question, I'm planning to change class names too because it will check for CVE-2023-6977 now. Are you okay with that right? Sorry for disturbing you a lot about this issue.

[tooryx]

No problem with that

~tooryx

[frkngksl]

Hi @tooryx , I guess this issue is closed after the successfull merge. Can you help me to get a new PRP based on my issues in the queue? They are #454 and #494 . I guess the Intel RCE one is a very critical thing.