Introduction
Wikipedia:
Stable Diffusion is a deep learning, text-to-image model released in 2022 based on diffusion techniques. It is primarily used to generate detailed images conditioned on text descriptions, though it can also be applied to other tasks such as in-painting, out-painting, and generating image-to-image translations guided by a text prompt.
The world has been shaken by the introduction of technologies such as ChatGPT, Midjourney, Firefly and more. The increase in adoption has had developers rapidly moving to Github and trying to deploy their own models and code to run on their own hardware to achieve the same objectives.
TLDR:
In a recent instance, SYON were testing out our automated reconnaissance workflow against a bug bounty program and were able to identify an authentication bypass vulnerability on a hosted Stable Diffusion Web UI.
By extracting the API using JavaScript crawling, the following paths were identified:
/internal/sysinfo
/internal/sysinfo-download
The paths did not require any authentication and would respond with environment variables, command line parameters and information about the system deployment.
After bypassing authentication, rogue extensions can be utilized to obtain Remote Code Execution. Extensions are disabled by default if the Stable Diffusion Web UI is listening on the network. The user must indicate: --enable-insecure-extension-access to permit extension usage.
Stable Diffusion Web UI and Gradio Auth
Stable Diffusion Web UI is a "browser interface based on Gradio library for Stable Diffusion." It makes Stable Diffusion user friendly for beginners and allows them to utilize Stable Diffusion capabilities such as Image Generation.
https://github.com/AUTOMATIC1111/stable-diffusion-webui
As per the latest guidelines when deploying Stable Diffusion Web UI, the recommended method to implement authentication is to use the --gradio-auth and --api-auth flags.
After enabling the flags, the user faces the following web page:
For the purpose of the test, we randomly selected a password and do not recall what the password is. By navigating to /internal/sysinfo, we can obtain the password from the below example snippet output:
As shown in the screenshot there is a --gradio-auth field which indicates the username and password. Using the credentials we can gain access to the system:
You can also obtain Remote Code Execution on the server using a rogue extension. Although it's probably not really a vulnerability, but more of a feature.
Remediation
Update Stable Diffusion Web UI to the latest version or at least version 1.6.0.
Disclosure Timeline
2023-08-03 - Report to a bug bounty program (redacted)
2023-08-04 - Identified additional assets under bug bounty that was vulnerable, and achieved Code Execution.
2023-08-28 - Decided to report the issue to AUTOMATIC over Discord.
2023-08-28 - AUTOMATIC replicates the issue, fixes the issue, and pushes a fix in upcoming version 1.6.0.
Special thanks to AUTOMATIC and w-e-w for coordinating, replicating, and fixing the issue at hand.
Other Misc Stuff
Developers and General Users Spinning up AI tools on the internet without any authentication
Although in this blog post we indicate that the use of authentication is important. However, we found on Shodan that in fact many instances are not even using authentication and programmers are inclined to just stick their servers on the internet.
For example:
No authentication configured and extensions enabled is just a catastrophe.
Infinite Image Browsing Extension
In one popular extension with over 4500 daily clones, an unauthenticated Local File Inclusion vulnerability was found.
An unauthenticated attacker could modify the path and read an arbitrary file. In this instance, reading the /proc/self/environ variable would bypass the official fix in Web UI.
GET /infinite_image_browsing/file?path=/proc/self/environ&t=2023-05-08%2017%3A55%3A10 HTTP/1.1
Host: REDACTED
Connection: closeIt seems that the developer issued a new "secret key" mechanism on, or around 5th August 2023.
Comments