January 12, 2024

GHSL-2023-260: Remote command execution (RCE) in Intel Analytics’ BigDL-LLM

Jorge Rosillo

Coordinated Disclosure Timeline

Summary

Intel Analytics’ BigDL-LLM is a library for running LLMs (large language models) on Intel XPU (from Laptop to GPU to Cloud). The finetune server exposes an endpoint that potentially allows attackers to execute malicious commands on developer machines.

Project

BigDL-LLM

Tested Version

BigDL release 2.4.0

Details

Command injection in bigdl_aa.py through /attest (GHSL-2023-260)

The BigDL-AA Agent exposes an /attest endpoint, which allows for executing a command containing an arbitrary string.

```python
@app.route('/attest', methods=['POST'])
def get_cluster_quote_list():
    data = request.get_json()
    user_report_data = data.get('user_report_data')
    quote_list = []

    try:
        quote_b = quote_generator.generate_tdx_quote(user_report_data)
        quote = base64.b64encode(quote_b).decode("utf-8")
        quote_list.append(("launcher", quote))
    except Exception as e:
        quote_list.append("launcher", "quote generation failed: %s" % (e))

    command = "sudo -u mpiuser -E bash /ppml/get_worker_quote.sh %s" % (user_report_data)
    output = subprocess.check_output(command, shell=True)
```

Even when an invalid value is provided, the except handler does not re-raise the exception it catches, so the user-controlled contents of user_report_data flow directly into the command in question. Because that command is run with shell=True, the value is subject to shell expansion.

This issue was found with CodeQL for Python’s Uncontrolled command line query.
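One way to close the flow described above, shown as an added example rather than the project's own fix: the command is built as an argument list and the request field is validated before use. The base64 format check, the 128-character bound and the function names are assumptions, since the advisory does not state the expected format of user_report_data.

```python
import re
import subprocess
import sys

# Assumption: user_report_data is a base64 token of bounded length. The
# advisory does not state the format; tighten the pattern to the real one.
REPORT_DATA_RE = re.compile(r"[A-Za-z0-9+/]{1,128}={0,2}")

# Command prefix taken from the vulnerable handler, split into argv elements.
WORKER_QUOTE_ARGV = ["sudo", "-u", "mpiuser", "-E", "bash",
                     "/ppml/get_worker_quote.sh"]


def build_worker_quote_argv(user_report_data, prefix=WORKER_QUOTE_ARGV):
    """Validate the request field and return an argv list (no shell string)."""
    if not isinstance(user_report_data, str):
        raise ValueError("user_report_data must be a string")
    if not REPORT_DATA_RE.fullmatch(user_report_data):
        raise ValueError("user_report_data has an unexpected format")
    return [*prefix, user_report_data]


def run_worker_quote(user_report_data, prefix=WORKER_QUOTE_ARGV):
    """Run the worker-quote script with the value as one literal argument."""
    argv = build_worker_quote_argv(user_report_data, prefix)
    # A list without shell=True is handed to exec directly, so ';', '$()' and
    # backticks in an argument are never interpreted by a shell.
    return subprocess.check_output(argv, timeout=30)


if __name__ == "__main__":
    # Constructed inputs; the stand-in prefix echoes argv[1] so the demo runs
    # without sudo or the /ppml script.
    echo = [sys.executable, "-c", "import sys; print(sys.argv[1])"]
    print(run_worker_quote("YWJjZA==", prefix=echo))
    for bad in ["YWJjZA==; echo injected", "$(echo injected)", None]:
        try:
            build_worker_quote_argv(bad)
        except ValueError as exc:
            print("rejected:", repr(bad), "-", exc)
```

Validation in the handler does not cover how /ppml/get_worker_quote.sh itself uses its argument, which needs its own review.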

Impact

This issue may lead to Remote Command Execution.

Proof of Concept

This way, an attacker is allowed to execute commands as the user running the server.

$ cat /tmp/info
codespace

The exploitation of this vulnerability requires a valid payload for generate_tdx_quote or a syntax error fix as follows: ```diff diff –git a/ppml/tdx/docker/trusted-bigdl-llm/finetune/docker/bigdl_aa.py b/ppml/tdx/docker/trusted-bigdl-llm/finetune/docker/bigdl_aa.py index d848fd658..9d3090536 100644 — a/ppml/tdx/docker/trusted-bigdl-llm/finetune/docker/bigdl_aa.py +++ b/ppml/tdx/docker/trusted-bigdl-llm/finetune/docker/bigdl_aa.py @@ -30,7 +30,7 @@ def get_cluster_quote_list(): quote = base64.b64encode(quote_b).decode(“utf-8”) quote_list.append((“launcher”, quote)) except Exception as e:

  • quote_list.append(“launcher”, “quote generation failed: %s” % (e))
  • quote_list.append((“launcher”, “quote generation failed: %s” % (e)))
 command = "sudo -u mpiuser -E bash /ppml/get_worker_quote.sh %s" % (user_report_data)
 output = subprocess.check_output(command, shell=True) ```
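Review bot: the unchanged context lines after the except block still build `command` by `%s`-formatting `user_report_data` into a string and run it with `shell=True`, and once the `append` call takes a single tuple the handler no longer raises, so a request whose quote generation fails now falls through to that call as well. Pass the command as an argument list without `shell=True`, validate `user_report_data` against its expected format before use, and return an error from the except block instead of continuing to the worker-quote step.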

Credit

This issue was discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-260 in any communication regarding this issue.