Critical

lollms

Path Traversal Leading to Remote Code Execution in Extension Mounting Function

A vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function, allows for remote code execution through a path traversal bypass. This issue, identified as CVE-2024-4320, affects versions up to 5.9.0 and was patched in version 9.8.

Available publicly on Jun 22 2024

9.8

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit:

nhienit2010
Threat Overview

The vulnerability arises from the improper sanitization of the data.category and data.folder parameters in the /mount_extension endpoint. By submitting empty values for these parameters, attackers can manipulate the package_path to point to arbitrary locations on the server. If a config.yaml file exists in the attacker-controlled directory, it gets added to the extensions list, leading to the execution of a __init__.py file in the same directory. This file can contain malicious code, resulting in remote code execution without requiring user interaction.

Attack Scenario

An attacker first creates a config.yaml and a malicious __init__.py file containing code to be executed on the server. These files are uploaded to a location on the server that the attacker can predict or brute-force. The attacker then sends a specially crafted request to the /mount_extension endpoint with the category parameter empty and the folder parameter pointing to the directory containing the malicious files. This results in the execution of the code within __init__.py, achieving remote code execution.

Who is affected

Any installations of the parisneo/lollms software up to version 5.9.0 are vulnerable to this attack. This includes servers where the software is deployed without the patch provided in version 9.8. Users and administrators of these installations are at risk of unauthorized remote code execution on their systems.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.