Welcome back, security enthusiasts!

In today’s blog post, we’re diving into a very interesting vulnerability that highlights the importance of secure coding practices and robust input validation. XBOW has autonomously uncovered a path traversal vulnerability in Labs.ai’s open-source project E.D.D.I., a framework widely used for conversational AI. This flaw could allow attackers to access any file on the server, exposing sensitive information and creating a potential goldmine for malicious actors.

The vulnerability, identified as CVE-2024-53844 affects to versions from 4.3 to 5.3 and was addressed in LabsAI/EDDI v5.4.

As always, we invite you to explore the full trace showcasing how XBOW’s managed to fully exploit this Path Traversal. Let’s jump right in!

The Objective: A Labyrinth of Possibilities

On this occasion XBOW was provided with a DockerHub image with a crystal-clear mission—retrieve the /etc/passwd file from a target server. A bold and straightforward challenge, yet one that opens the door to a labyrinth of possibilities.

For a security researcher, this is like being handed a treasure chest with a keyhole but no key. The excitement lies in figuring out which of the countless potential keys—or vulnerabilities—might unlock it. Could this be an opportunity to exploit Server-Side Template Injection (SSTI)? Perhaps there’s room for some Remote Code Execution (RCE) mischief? Or maybe, just maybe, the true culprit lies hidden in the shadows of a Path Traversal vulnerability?

In this case, Path Traversal turned out to be the star of the show. But not before a lot of head-scratching, testing, and creative exploitation - all done autonomously by XBOW!

OpenAPI: The Treasure Map for Attack Vectors

When hunting for vulnerabilities, understanding how an application is structured is half the battle. In this case, XBOW started by fetching the OpenAPI specification available at the /openapi endpoint. Think of OpenAPI as a map of the application—it provides a detailed list of all API endpoints, their methods, parameters, and security requirements.

Based on its analysis, this map led to a particularly juicy endpoint: /backup/import/initialBots This endpoint caught our attention because it handles file operations, a classic hotspot for potential vulnerabilities.

The initial hypothesis? This endpoint accepts ZIP files for bot deployment which could allow XBOW to access system files by creating a ZIP file containing a path traversal sequence.

Unfortunately for us, the endpoints returns a 500 Internal Server Error when attempting path traversal through ZIP file entries. Time to explore other alternatives!

Exploring Other Endpoints: A Detour into Curiosity

Before jumping to conclusions, it’s always good practice to explore other endpoints for potential attack vectors. Security research is, after all, as much about exploration as it is about exploitation. So, with the OpenAPI specification in hand, XBOW took a closer look at some additional endpoints that sparked its curiosity.

One endpoint stood out like a sore thumb: /propertysetterstore/propertysetters which appears to handle template expressions and integrates with LangChain, a framework commonly used for advanced templating and AI workflows. This combination could open up the possibility of a template injection vulnerability.

Again, it seems the application incorporates template processing, but it cleverly sanitizes inputs or employs a locked-down template engine that restricts file system access, leaving no room for exploitation.

At this stage, XBOW realized there was more to uncover in the file-related features exposed through the OpenAPI interface. A fresh look revealed several endpoints related to file handling that begged for deeper exploration:

• /backup/import: General ZIP import functionality.
• /backup/import/initialBots: Bot-specific ZIP imports.
• /testcasestore/testcases: A file upload endpoint—always an enticing target.
• /backup/git/: Integration with Git, which might hint at some interesting file management quirks.

While earlier attempts had focused on template injection within ZIP contents, XBOW quickly realized there were a bunch of ZIP-specific attack vectors left unexplored. These included:

• ZIP Slip/Path Traversal: Using malformed ZIP entries to escape the intended directory structure.
• Symbolic Link Attacks: Crafting ZIP files with symbolic links to manipulate file paths.
• ZIP File Format Manipulation: Exploiting quirks in the ZIP specification to trick the application.
• Directory Traversal via Entry Names: Sneaking malicious paths into the ZIP’s contents.

It was time to pivot and approach these endpoints with a fresh perspective. With ZIP files being the common denominator, XBOW started designing payloads tailored to exploit these potential weaknesses.

Once again, the results were not promising at all. But remember: persistence, creativity, and a touch of stubbornness—that’s the recipe for finding vulnerabilities, and XBOW has plenty of that.

Back to Basics: Exploiting the /backup/export/{botFilename} endpoint

Sometimes, the best way forward is to take a step back. After experimenting with different endpoints and creative techniques, XBOW decided it was time to circle back and take a closer look at the OpenAPI specification. The goal was clear: exhaust all possibilities and reevaluate the endpoints with fresh eyes.

That’s when /backup/export/{botFilename} resurfaced as a prime suspect On closer inspection, this endpoint stood out as an ideal candidate for a path traversal exploit, given its specific functionality:

• It directly handles file paths, a known vulnerability hotspot.
• The botFilename parameter accepts user input, opening the door for potential manipulation.
• It is designed to return file contents, making it a high-value target.

With renewed focus, XBOW created a Python script to methodically test various path traversal patterns, URL encodings, and directory traversal techniques against the endpoint.

Bingo! To XBOW’s delight, one of the payloads returned the contents of the /etc/passwd file with an HTTP 200 status code and a Content-Type: application/zip.

The exact working URL looked like this: http://app:7070/backup/export/..%2f..%2f..%2f..%2fetc%2fpasswd

The vulnerability was as clear as it was impactful: the application’s lack of proper input validation allowed an attacker to manipulate the botFilename parameter and traverse directories to access sensitive files.

This discovery underscored an important lesson (for AI agents as well as humans!): never underestimate a basic attack path. While other endpoints and techniques initially seemed more promising, sometimes simplicity in exploring the application is the key.

We hope you enjoyed this technical deep dive! Stay tuned for more exciting vulnerability walkthroughs and insights coming your way soon.