Skip to content

Llama Factory Remote OS Command Injection Vulnerability

High
hiyouga published GHSA-hj3w-wrh4-44vp Nov 21, 2024

Package

pip llamafactory (pip)

Affected versions

<=0.9.0

Patched versions

0.9.1

Description

Summary

A critical remote OS command injection vulnerability has been identified in the Llama Factory training process. This vulnerability arises from improper handling of user input, allowing malicious actors to execute arbitrary OS commands on the host system. The issue is caused by insecure usage of the Popen function with shell=True, coupled with unsanitized user input. Immediate remediation is required to mitigate the risk.

Affected Version

Llama Factory versions <=0.9.0 are affected by this vulnerability.

Impact

Exploitation of this vulnerability allows attackers to:

  1. Execute arbitrary OS commands on the server.
  2. Potentially compromise sensitive data or escalate privileges.
  3. Deploy malware or create persistent backdoors in the system.

This significantly increases the risk of data breaches and operational disruption.

Root Cause

The vulnerability originates from the training process where the output_dir value, obtained from the user input, is injected into the popen function without any sanitization. Furthermore, popen is invoked in a unsafe way by enabling the interact shell (shell=True), leading to remote OS command injection vulnerability.

Vulnerable snippet:

# https://github.com/hiyouga/LLaMA-Factory/blob/bd639a137e6f46e1a0005cc91572f5f1ec894f74/src/llamafactory/webui/runner.py#L304-L323
def _launch(self, data: Dict["Component", Any], do_train: bool) -> Generator[Dict["Component", Any], None, None]:
				...
        args = self._parse_train_args(data) if do_train else self._parse_eval_args(data)
				...
        self.trainer = Popen(f"llamafactory-cli train {save_cmd(args)}", env=env, shell=True)
        yield from self.monitor()

Proof of Concept (PoC)

Steps to Reproduce

llama-factory-rce

Bad actors are able to execute any OS command as they want.

Remediation Recommendations

Avoid using shell=True in Popen.

  • Instead, pass the command and its arguments as a list. This prevents user inputs from being executed as part of a shell command.
cmd = [
    "llamafactory-cli",
    "train", 
  	*save_cmd(args).split(),
]
self.trainer = Popen(cmd, env=env)

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVE ID

CVE-2024-52803

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

Credits