In this blog, we're breaking down one of our example Model File Vulnerabilities (MFVs) to help you understand how a trusted tool like PyTorch can be exploited. This example is a perfect starting point if you're looking to find and report your own MFVs on huntr.
Serialization with pickle:
PyTorch uses Python’s pickle module for its torch.save() and torch.load() functions. This allows models to be saved and reloaded with ease.
The Risk Factor:
The pickle protocol involves calling an object's __reduce__ method to determine how to rebuild it. If an attacker can override this method, they can control what happens during deserialization—leading to arbitrary code execution.
Crafting the Malicious Model:
A custom PyTorch module is defined to override __reduce__. In our proof-of-concept (PoC), the overridden method instructs the deserialization process to run an OS command—touch /tmp/poc—as soon as the model is loaded.
Executing the Payload:
When an unsuspecting user tries to load the model using the standard <pytorch, tensorflow, whatever> method the payload triggers and executes arbitrary python code:
This PoC will use the arbitrary code execution to perform a simple arbitrary file creation to create /tmp/poc on the victim's machine.
This vulnerability isn’t just a textbook case—it’s a gold mine for anyone looking to cash in on easy, high-impact exploits. Here’s why you should be all over it:
This example MFV shows that even the most trusted machine learning frameworks can be exploited. By understanding the mechanics of PyTorch’s pickle deserialization, you can turn this knowledge into actionable insights—finding and reporting vulnerabilities before they can be exploited in the wild.
At huntr, we offer bounty payouts up to $4,000 per validated MFV. If you have discovered a vulnerability in how models are serialized or can demonstrate a novel exploit, submit your detailed proof-of-concept (PoC) via our submission portal. Happy hunting!