Remote Code Execution via Arbitrary File Manipulation in Logging Interface
A vulnerability in the Triton Inference Server allows arbitrary file creation or appending through the `/v2/logging` interface by specifying an absolute path in the `log_file` parameter. This issue, present in version r23.04, was patched in version 24.04. It enables attackers to execute arbitrary code by manipulating server files such as `root/.bashrc`.
Available publicly on May 18 2024 | Available with Premium on May 17 2024
Threat Overview
The vulnerability stems from the logging configuration interface (/v2/logging
) of the Triton Inference Server, which improperly handles user input for the log_file
parameter. This flaw allows attackers to specify an absolute path for log file output, leading to arbitrary file creation, appending, or overwriting. By exploiting this, an attacker can inject malicious commands into critical system files or scripts, which are executed by the server, potentially leading to remote code execution. The exploitation technique is similar to that described in CVE-2023-31036, highlighting the severity and practicality of this vulnerability.
Attack Scenario
An attacker starts by sending a specially crafted request to the /v2/logging
endpoint of the Triton server, specifying a critical system file (e.g., /root/.bashrc
) as the target for log output. The attacker then triggers log events that append malicious commands to the targeted file. Once the file is executed (e.g., on server reboot or manual execution), the attacker's code runs, achieving remote code execution. This scenario assumes the attacker has network access to the Triton server's logging interface.
Who is affected
This vulnerability affects administrators and users of the Triton Inference Server version r23.04. Specifically, systems where the Triton server is accessible to untrusted networks or users are at heightened risk, as this vulnerability could be exploited to gain unauthorized access or control over the server.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.