
Create CVE-2023-47248.yaml #11401

Open
wants to merge 1 commit into main

Conversation


@smolse smolse commented Dec 21, 2024

Template / PR Information

Hello,

I have been recently tinkering with CVE-2023-47248 and along the way created a Nuclei template, which I would like to share with the community.

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

I have created a Docker-based environment for exposing vulnerable services (a simple custom Arrow Flights service as well as a vulnerable instance of TabPy that uses PyArrow under the hood) and running Nuclei against them for validation: https://github.com/smolse/poc-or-gtfo/tree/main/CVE-2023-47248/poc_flight.

First, simply start Docker services from the Docker Compose setup:

```
$ docker-compose up -d
[+] Building 0.0s (0/0)
[+] Running 3/0
 ✔ Container attacker            Running
 ✔ Container vulnerable-service  Running
 ✔ Container vulnerable-tabpy    Running
```

Then in the Nuclei templates repo:

```
$ nuclei -fh2 -t http/cves/2023/CVE-2023-47248.yaml -u https://localhost:5005

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.7

                projectdiscovery.io

[INF] Current nuclei version: v3.3.7 (latest)
[INF] Current nuclei-templates version: v10.1.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2023-47248] [http] [critical] https://localhost:5005/arrow.flight.protocol.FlightService/DoPut

$ nuclei -fh2 -t http/cves/2023/CVE-2023-47248.yaml -u https://localhost:13622

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.3.7

                projectdiscovery.io

[INF] Current nuclei version: v3.3.7 (latest)
[INF] Current nuclei-templates version: v10.1.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2023-47248] [http] [critical] https://localhost:13622/arrow.flight.protocol.FlightService/DoPut
```

If you update the Docker images of the vulnerable services to use PyArrow version >=14.0.1, then the template won't produce a detection.

Note

This template works only against HTTPS targets and requires the -force-http2 flag to be set in Nuclei.

Additional References:
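
The PR states that services running PyArrow >= 14.0.1 are no longer detected. The following is an added inventory check, not code from this PR or from the nuclei-templates project: it classifies a PyArrow version string as predating or postdating that fix, using a deliberately minimal PEP 440-style parser (release segment plus an optional pre-release or dev marker, which is an assumption about the inputs you care about).

```python
"""Classify a PyArrow version relative to the CVE-2023-47248 fix (14.0.1).
Added example; relies only on the PR's statement that >= 14.0.1 is fixed."""
import re
from typing import Optional, Tuple

FIXED_RELEASE = (14, 0, 1)  # first PyArrow release the template no longer flags

# Minimal PEP 440 subset (assumption): "14.0.1", "14.0.1rc1", "14.0.1.dev5"
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?P<pre>(?:a|b|rc)\d*|\.dev\d*)?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (release tuple padded/truncated to 3 parts, is_prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group("release").split("."))
    return (parts + (0, 0, 0))[:3], m.group("pre") is not None


def is_vulnerable(version: str) -> bool:
    """True if the version is older than 14.0.1.  A pre-release of 14.0.1
    itself (e.g. 14.0.1rc1) sorts before the final release, so it still
    counts as vulnerable."""
    release, prerelease = parse_version(version)
    if release < FIXED_RELEASE:
        return True
    return release == FIXED_RELEASE and prerelease


def installed_pyarrow_status() -> Optional[bool]:
    """Inspect this interpreter's own pyarrow, if any; None when absent."""
    try:
        import pyarrow  # optional; only consulted when present
    except ImportError:
        return None
    return is_vulnerable(pyarrow.__version__)


if __name__ == "__main__":
    status = installed_pyarrow_status()
    print("pyarrow not installed" if status is None
          else f"pyarrow vulnerable to CVE-2023-47248: {status}")
```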

@GeorginaReeder

Thanks so much for your contribution @smolse ! :)
