Add config for CVE-2024-22476 #63
Conversation
Hi @frkngksl. Feel free to reach out
Sure! In the PoC, they were creating a file under the $HOME directory. Base64 encoded command is
After that, just execute the following command via curl. This is only a one-step vulnerability.
You can verify the vulnerability from the bash terminal of the container (inside of it). PoC Video: https://drive.google.com/file/d/12DPdwmmTJhBBlX0tU-O21cidr4JGyrV7/view?usp=sharing
Hi @frkngksl.
Hi @leonardo-doyensec , Sorry for the inconvenience, I guess there is an issue with the base64 command. Can you try this one? It will create attack.py under the root directory (/).
This is still not working on my side. I've tried to change the command to write to
Hi again @leonardo-doyensec , Let me write what I'm executing in detail. After building the Dockerfile, I'm simply executing the following command:
This opens up a bash terminal that runs inside the container. In this one, I'm executing the following command:
After executing the command, please don't close the terminal window, and send the command with the curl. After sending the curl command, in 3-4 seconds it should appear under the root directory. I could also record a video if you want, because I don't know what the problem is.
These are the exact steps that I'm doing. However, even if I get
Yes, it is working, I ran the command several times. The screenshot that I provided is directly taken from my environment. How can I solve this problem for you? Do you have any suggestion?
I'm using Ubuntu 22.04 as the development and test environment. Also, I didn't configure Docker to run without sudo. Also, when I open a bash inside the container, it is running as root. What do you think about trying the deletion of all images in your environment and getting a fresh build?
One last note is that this form of command execution (i.e. echo | base64 --decode) is required for the command execution. When I remove this part and execute the command (the Tsunami callback payload generator command, for example) directly, it was not working.
Lastly, I have pushed my built image to hub.docker so you may try this version via the following command:
And once again, what I have used as task_request is below. The vulnerability is triggered after the neural_solution accesses this GitHub link. Therefore, you may want to test the internet connectivity of the container.
I hope this works for you. If not, could you send me the backend logs under /ns_workspace/serve_log/ ?
Hi @frkngksl. Feel free to reach out
Hi @leonardo-doyensec , glad to hear that! I committed the changes that you requested.
Thank you for your changes @frkngksl. I would highly recommend putting the steps to trigger the vulnerability in the vulnerable section, instead of the safe one.
Hi @leonardo-doyensec , I thought that opening a new subsection for triggering the vulnerability would be more appropriate. I sent the commit, what do you think?
Hi, I think that is crystal clear.
Hi,
This is a vulnerable environment for CVE-2024-22476. The related issue is google/tsunami-security-scanner-plugins#494