AI PRP: BentoML Insecure Deserialization RCE #482
Comments
|
is it possible to write this plugin in Python, because we need to use the pickle function to serialize the payload with Python? |
I'm currently working on creating a setup script to run python Tsunami plugins with the main Java program, I will update here once it's ready. |
tooryx
added
the
Contributor queue
|
@secureness you can now test out python plugins using https://github.com/google/tsunami-security-scanner/blob/master/quick_start_advanced.sh The script is not thoroughly tested, let me know if you run into any issues. |
|
@maoning someone said in comments of the CVE report in |
|
@secureness Could you also check for exposed BentoML API (report it as a medium severity finding) in addition to the RCE vuln (report it as a critical finding)? For exposed BentoML API, the worst thing could happen is that the inference service can queried by anyone right? Is there any interesting API endpoints that have additional security risks? |
|
@maoning we can check for a specific swagger UI with a Title containing the bentoML: https://docs.bentoml.com/en/latest/bentocloud/how-tos/call-deployment-endpoints.html#interact-with-the-deployment we need to know at least one of the HTTP endpoints from Swagger UI to send a pickled payload to that endpoint to exploit the CVE. So, the logic is this: first check for an exposed swagger UI and find an HTTP endpoint from the UI, finally exploit the CVE report the CVE and exposed UI otherwise just report the exposed UI. |
reference: https://github.com/protectai/ai-exploits/blob/main/bentoml/README.md
I think it is easy to exploit but I must find a solution to create a python pickle easily with java.
The text was updated successfully, but these errors were encountered: