
RCE through TorchServe Management API #557

Open · wants to merge 3 commits into base: master

Conversation

lokiuox (Collaborator) commented Dec 3, 2024

Note: this is a new PR for #360, as we no longer have access to the account linked to that PR.

This plugin detects exposed TorchServe Management API instances, assessing the remote code execution (RCE) risk. This risk can be caused by ShellTorch/GHSA-mjmj-j48q-9wg2 (insecure defaults), or by server misconfiguration.

The exploitation chain used is different from the one described by Oligo Security (https://www.oligo.security/shelltorch) and does not rely on insecure deserialization, so it achieves command execution on all tested TorchServe versions, including the latest one (9.0).

The exploitation occurs through adding a malicious model, so there is a need for staging, which AFAIK is not supported by the Callback Server right now, so there are four modes to achieve the best results out of the box and provide additional customization options:

  1. STATIC: Users can manually host the malicious model and provide its URL to the plugin.
  2. LOCAL: The plugin autonomously spawns a web server to host the model, requiring the host and port for binding and an externally reachable URL.
  3. SSRF: Utilizes the Tsunami callback server's URL as the model's path. Any callback is considered a successful verification.
  4. BASIC: Performs basic fingerprinting of the TorchServe Management API.

Configuration supports both CLI args and a config file. If no configuration has been provided, the plugin falls back to SSRF if the callback server has been enabled, or BASIC if it has not. In the BASIC mode the severity of the finding is set to LOW; in other modes it's CRITICAL, but only if the verification has been confirmed, otherwise there is no finding at all.
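As an added illustration (not code from this PR or from the Tsunami plugin itself), the mode fallback and severity rules described above, together with a BASIC-style fingerprint over a constructed response body; the `/models` JSON shape of the TorchServe Management API (default port 8081) and the mode names are assumptions taken from the description:

```python
"""Added example: models the plugin's mode selection, its severity rules and a
BASIC-mode fingerprint check. Response bodies below are constructed, not captured."""
import json
from enum import Enum
from typing import Optional


class Mode(Enum):
    STATIC = "static"  # user hosts the model and supplies its URL
    LOCAL = "local"    # plugin spawns its own web server for staging
    SSRF = "ssrf"      # callback-server URL used as the model path
    BASIC = "basic"    # fingerprinting only, no staging needed


def select_mode(configured: Optional[str], callback_server_enabled: bool) -> Mode:
    """A mode given via CLI arg or config file wins; with no configuration the
    plugin falls back to SSRF when the callback server is enabled, else BASIC."""
    if configured:
        return Mode(configured.lower())
    return Mode.SSRF if callback_server_enabled else Mode.BASIC


def looks_like_management_api(models_body: str) -> bool:
    """BASIC fingerprint: an exposed Management API answers GET /models with a
    JSON object whose "models" member is a list (assumed response shape)."""
    try:
        data = json.loads(models_body)
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and isinstance(data.get("models"), list)


def finding_severity(mode: Mode, verified: bool) -> Optional[str]:
    """BASIC reports exposure as LOW. Every other mode reports CRITICAL only
    when code execution was confirmed; an unconfirmed attempt yields no finding."""
    if mode is Mode.BASIC:
        return "LOW"
    return "CRITICAL" if verified else None


# Constructed sample body, shaped like a GET /models reply.
SAMPLE_MODELS = '{"models": [{"modelName": "demo", "modelUrl": "demo.mar"}]}'

if __name__ == "__main__":
    mode = select_mode(None, callback_server_enabled=False)
    exposed = looks_like_management_api(SAMPLE_MODELS)
    print(mode.name, exposed, finding_severity(mode, verified=False))
```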
