AI PRP: BentoML Insecure Deserialization RCE #482
Comments
Is it possible to write this plugin in Python, because we need to use the pickle function to serialize the payload with Python?
I'm currently working on creating a setup script to run Python Tsunami plugins with the main Java program. I will update here once it's ready.
@secureness you can now test out Python plugins using https://github.com/google/tsunami-security-scanner/blob/master/quick_start_advanced.sh The script is not thoroughly tested, let me know if you run into any issues.
@maoning someone said in the comments of the CVE report in
@secureness Could you also check for an exposed BentoML API (report it as a medium severity finding) in addition to the RCE vuln (report it as a critical finding)? For an exposed BentoML API, the worst thing that could happen is that the inference service can be queried by anyone, right? Are there any interesting API endpoints that have additional security risks?
@maoning we can check for a specific Swagger UI with a title containing BentoML: https://docs.bentoml.com/en/latest/bentocloud/how-tos/call-deployment-endpoints.html#interact-with-the-deployment We need to know at least one of the HTTP endpoints from the Swagger UI to send a pickled payload to that endpoint to exploit the CVE. So, the logic is this: first check for an exposed Swagger UI and find an HTTP endpoint from the UI, then exploit the CVE and report both the CVE and the exposed UI; otherwise just report the exposed UI.
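The exposure check described above (Swagger UI title containing BentoML, then enumerating the service's HTTP endpoints and reporting a medium-severity "exposed API" finding), as an added example that is not code from this issue or from the Tsunami project. The sample HTML and OpenAPI document are constructed, and the "Service APIs"/"Infrastructure" tag names are an assumption about BentoML's default OpenAPI layout; the critical RCE check is out of scope here.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of a BentoML service's Swagger UI index page (title wording is an assumption).
SAMPLE_SWAGGER_HTML = """<!DOCTYPE html><html><head>
<title>IrisClassifier - BentoML Swagger UI</title>
</head><body><div id="swagger-ui"></div></body></html>"""

# Constructed sample of the OpenAPI document served next to the UI (tag names are an assumption).
SAMPLE_OPENAPI_JSON = json.dumps({
    "openapi": "3.0.2",
    "info": {"title": "iris_classifier", "version": "None"},
    "paths": {
        "/healthz": {"get": {"tags": ["Infrastructure"]}},
        "/livez": {"get": {"tags": ["Infrastructure"]}},
        "/classify": {"post": {"tags": ["Service APIs"]}},
        "/predict": {"post": {"tags": ["Service APIs"]}},
    },
})


@dataclass
class Finding:
    severity: str
    title: str
    endpoints: list = field(default_factory=list)


def looks_like_bentoml_swagger(html: str) -> bool:
    """Fingerprint step: does the page's <title> mention BentoML?"""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return bool(m) and "bentoml" in m.group(1).lower()


def inference_endpoints(openapi_json: str) -> list:
    """Collect POST paths tagged as user-defined service APIs (not health/infra probes)."""
    doc = json.loads(openapi_json)
    eps = []
    for path, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() == "post" and "Service APIs" in op.get("tags", []):
                eps.append(path)
    return sorted(eps)


def assess(html: str, openapi_json: Optional[str]) -> Optional[Finding]:
    """Report an exposed BentoML inference API as MEDIUM, listing the reachable endpoints."""
    if not looks_like_bentoml_swagger(html):
        return None
    eps = inference_endpoints(openapi_json) if openapi_json else []
    return Finding("MEDIUM", "Exposed BentoML inference API", eps)
```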
Reference: https://github.com/protectai/ai-exploits/blob/main/bentoml/README.md
I think it is easy to exploit but I must find a solution to create a python pickle easily with java.