OmniGen2 Reward Server Unauthenticated Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in the reward server component of OmniGen2-RL, an open-source generative model by the Beijing Academy of Artificial Intelligence. This vulnerability arises from unauthenticated, insecure deserialization of HTTP POST request bodies using Python's pickle module, which allows remote attackers to execute arbitrary commands on the host system. The issue is exacerbated by the server's default binding to '0.0.0.0', making it accessible from any network interface.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server, with the executed commands running as the root user.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP POST request to the server's reward proxy endpoint. The request must include a pickle-serialized payload that, when deserialized, executes a command. This can be done using a Python script that uses the requests library to send the payload to the server.

Remediation

The vulnerability can be addressed by replacing the unsafe pickle deserialization with a safer alternative, such as JSON deserialization, and by adding authentication mechanisms.