Path Traversal using C:.. allows to break out of root directory on Windows in mlflow/mlflow
Aug 9th 2023
In https://github.com/mlflow/mlflow/blob/d2f34c39c97f342e238a2d87a1c288cee825fcbe/mlflow/server/handlers.py#L525. The checks can be bypassed using
If you don't know what starting a path with C: does on Windows: if a path starts with C:, it is treated as though the drive letter and colon were removed from the beginning. For instance, the path
C:../.ssh/id_rsa gets converted to
../.ssh/id_rsa. As such, we can break out of the root directory by up to 1 layer. A good way to break out of the root mlflow directory is the /api/2.0/mlflow-artifacts/artifacts endpoint. If we assume that the directory root is C://Users/User/mlflowui, then querying the endpoint /api/2.0/mlflow-artifacts/artifacts allows us to break out of the root C://Users/User/mlflowui directory and obtain files from C://Users/User, which can include the SSH key.
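The following is an added example, not code from mlflow or from the original report. It shows why a check that only looks for absolute paths and literal `..` segments accepts a drive-relative path, and one way to validate instead. `naive_is_safe`, `hardened_is_safe` and `resolve` are hypothetical names, and `ntpath` is used so the Windows path semantics can be reproduced on any OS.

```python
import ntpath  # Windows path semantics; importable on any OS

# Artifact root assumed in the report, written with backslashes.
ROOT = r"C:\Users\User\mlflowui"


def resolve(root, user_path):
    """Join and normalise the way a Windows host would."""
    return ntpath.normpath(ntpath.join(root, user_path))


def naive_is_safe(user_path):
    """Hypothetical weak check: reject absolute paths and literal '..' segments."""
    if ntpath.isabs(user_path):
        return False
    segments = user_path.replace("\\", "/").split("/")
    # "C:../.ssh/id_rsa" splits into ["C:..", ".ssh", "id_rsa"], so no
    # segment equals "..", and a drive-relative path is not absolute.
    return ".." not in segments


def hardened_is_safe(root, user_path):
    """Reject any drive or UNC prefix, then confirm containment after resolution."""
    drive, _ = ntpath.splitdrive(user_path)
    if drive or ntpath.isabs(user_path):
        return False
    root = ntpath.normpath(root)
    try:
        # The resolved path must still have the root as its common prefix.
        return ntpath.commonpath([root, resolve(root, user_path)]) == root
    except ValueError:  # different drives, or absolute mixed with relative
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the path from the report plus two controls.
    for candidate in ("C:../.ssh/id_rsa", "../.ssh/id_rsa", "models/model.pkl"):
        print(candidate, naive_is_safe(candidate),
              hardened_is_safe(ROOT, candidate), resolve(ROOT, candidate))
```

The containment test on the resolved path is what matters: it still holds if a prefix form is missed by the earlier string checks.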
In C://Users/<User> on your Windows machine:
1: Add secret text into C://Users/<User>/.ssh/id_rsa
2: Create an mlflowui directory, which you will run mlflow from.
3: Run mlflow ui in C://Users/<User>/mlflowui
4: Then curl to retrieve the contents:
curl -vv "http://127.0.0.1:5000/api/2.0/mlflow-artifacts/artifacts/C:../.ssh/id_rsa"
Extra: You can also perform arbitrary file write on the system (which can overwrite models/data and cause RCE by overwriting the python files etc.) by performing a PUT instead of a GET
curl -X PUT --data-binary test "http://127.0.0.1:5000/api/2.0/mlflow-artifacts/artifacts/C:../.ssh/id_rsa"
The above overwrites the id_rsa file.
Read sensitive data from Windows host (which can include the SSH key)
Severity taken from https://huntr.mlsecops.com/bounties/1fe8f21a-c438-4cba-9add-e8a5dab94e28/