Applio Denial-of-Service Vulnerability in Voice Conversion Tool

Vulnerability

A denial-of-service vulnerability has been identified in Applio, a voice conversion tool, in versions through 3.2.8-bugfix. The 'model_name' parameter in 'train.py' accepts user input and passes it to the 'stop_train' function in 'restart.py'. That function builds a path to the model's folder and opens the 'config.json' inside it to read the process IDs listed under 'process_pids'. The flaw can be exploited by writing a malicious 'config.json', containing a list of process IDs, into a specific logs directory; once that file is in place, 'stop_train' kills the processes with those IDs, potentially disrupting important system functions and causing a denial-of-service condition. In addition, manipulating the 'model_name' input allows path traversal, so 'config.json' files from other locations on the server can be reached.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by terminating processes that Applio relies on, as well as other critical system processes.

Reproduction

To reproduce this vulnerability, first upload a 'config.json' file containing a list of process IDs to 'logs/foobar'. Then, in 'train.py', input a model name that includes path traversal characters to access the 'config.json' file from the 'logs' directory. This will trigger the 'stop_train' function, which reads the process IDs from the 'config.json' file and terminates the corresponding processes. Sending a large list of process IDs can disrupt not only the Applio application but also other important system processes, causing a denial-of-service condition.
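One way to close both the path-traversal and the arbitrary-PID problem described above, shown as an added example that is not Applio's own code: the model name is restricted to a plain identifier, the resolved directory is checked against the logs root, and the PIDs read from 'config.json' are vetted before anything is signalled. The function names are assumptions; only the 'logs/<model_name>/config.json' layout and the 'process_pids' key come from the advisory.

```python
"""Hardened model-name resolution and PID vetting for a stop_train-style handler.

Added illustration, not Applio's own code: the 'logs/<model_name>/config.json'
layout and the 'process_pids' key come from the advisory; function names are assumed.
"""
import json
import os
import re
from pathlib import Path

# Plain identifiers only: no path separators, no '.', so '../' can never appear.
MODEL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def is_safe_model_name(model_name: str) -> bool:
    return MODEL_NAME_RE.fullmatch(model_name) is not None


def resolve_model_dir(logs_root: str, model_name: str) -> Path:
    """Map a user-supplied model name to a directory strictly inside logs_root."""
    if not is_safe_model_name(model_name):
        raise ValueError(f"rejected model name: {model_name!r}")
    root = Path(logs_root).resolve()
    target = (root / model_name).resolve()
    # Second line of defence: even a symlink under logs/ must not lead outside.
    if root not in target.parents:
        raise ValueError("model directory escapes the logs root")
    return target


def vet_pids(pids: object, own_pid: int) -> list[int]:
    """Keep only plausible training-child PIDs: integers above 1, never ourselves."""
    if not isinstance(pids, list):
        raise ValueError("process_pids must be a list")
    return [p for p in pids if isinstance(p, int) and not isinstance(p, bool)
            and p > 1 and p != own_pid]


def load_stop_pids(logs_root: str, model_name: str) -> list[int]:
    """Read process_pids from the model's config.json with both checks applied."""
    cfg_path = resolve_model_dir(logs_root, model_name) / "config.json"
    with cfg_path.open(encoding="utf-8") as fh:
        config = json.load(fh)
    return vet_pids(config.get("process_pids", []), os.getpid())
```

The caller still performs the kill; the stronger fix is to signal only PIDs the application itself spawned and recorded, rather than any integer found in the file.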

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.