AI PRP: BentoML Insecure Deserialization RCE

[secureness]

reference: https://github.com/protectai/ai-exploits/blob/main/bentoml/README.md
I think it is easy to exploit but I must find a solution to create a python pickle easily with java.

[secureness]

is it possible to write this plugin in Python, because we need to use the pickle function to serialize the payload with Python?

[maoning]

is it possible to write this plugin in Python, because we need to use the pickle function to serialize the payload with Python?

I'm currently working on creating a setup script to run python Tsunami plugins with the main Java program, I will update here once it's ready.

[maoning]

@secureness you can now test out python plugins using https://github.com/google/tsunami-security-scanner/blob/master/quick_start_advanced.sh

The script is not thoroughly tested, let me know if you run into any issues.

[secureness]

@maoning someone said in comments of the CVE report in huntr.dev that only versions between 1.2.0 - 1.2.4 are vulnerable, I haven't tested other versions myself yet, do you accept this as a PRP?

[maoning]

@secureness Could you also check for exposed BentoML API (report it as a medium severity finding) in addition to the RCE vuln (report it as a critical finding)? For exposed BentoML API, the worst thing could happen is that the inference service can queried by anyone right? Is there any interesting API endpoints that have additional security risks?

[secureness]

@maoning we can check for a specific swagger UI with a Title containing the bentoML: https://docs.bentoml.com/en/latest/bentocloud/how-tos/call-deployment-endpoints.html#interact-with-the-deployment

we need to know at least one of the HTTP endpoints from Swagger UI to send a pickled payload to that endpoint to exploit the CVE.

So, the logic is this: first check for an exposed swagger UI and find an HTTP endpoint from the UI, and finally exploit the CVE, report the CVE and exposed UI otherwise only report the exposed UI.

[maoning]

@secureness sounds good, you can proceed forward with this plugin. As exposed API doesn't leads to RCE, let's leave it out of the implementation (After discussing with the team, we think it is better for Tsunami to only focus on RCE vulns).

Please complete the following:

• submit the vulnerable configuration of the target application to google/security-testbeds.submit the vulnerable configuration of the target application to google/security-testbeds.
• submit our participation form and you can start working on the development.submit our participation form and you can start working on the development.

[maoning]

@secureness I want to check on the status of this issue. Please let me know if you have any updates.

[secureness]

Oh, I was waiting for this PR status which is not finalized yet:
#491

[tooryx]

Hi @secureness,

Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!