CVE-2024-24590 PoC — Allegro 代码问题漏洞

Source

https://github.com/h3xm4n/ClearML-vulnerability-exploit-RCE-2024-CVE-2024-24590-

Associated Vulnerability

Title:Allegro 代码问题漏洞 (CVE-2024-24590)
Description:Allegro是Allegro开源的一个主要针对视频游戏和多媒体编程的跨平台库。 Allegro AI ClearML 0.17.0版本及之后版本存在代码问题漏洞，该漏洞源于不可信数据反序列化。攻击者利用该漏洞可以执行任意代码。

Description

Here is an exploit in python to exploit the CVE-2024-24590, which is an upload pickle in a ClearML, which leads to arbitrary code execution... Enjoy :D

Readme

## How it works-
### Need access to the team work space

Replace **IP** and **PORT** to your listener port and IP

Change the project name to an existing project name.

**IMPORTANT... YOU MIGHT NEED TO UPLOAD IT A COUPLE OF TIMES (RUN THE EXPLOIT A COUPLE OF TIMES)...**

@lrdvile on x

thank me later :D

## example of use

1. click on start new project on clearml
2. install clearml on terminal with pip
3. get the creds from clearml web (gen creds from clicking new project)
4. clearml-init in ur terminal and paste in the creds
5. nc -lnvp 4444
6. python exploit.py



reference:
https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/

File Snapshot


 [4.0K]  /data/pocs/bbdb44347a9e9f6616030c1b6e1fc5ca9a760433
├── [ 441]  exploit.py
└── [ 693]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!