Upload README.md with huggingface_hub
Browse files
README.md
ADDED
|
@@ -0,0 +1,25 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# NeMo (.nemo) Scanner Bypass PoC
|
| 2 |
+
|
| 3 |
+
## Vulnerability
|
| 4 |
+
Malicious pickle hidden inside NeMo tar archive's PyTorch checkpoint.
|
| 5 |
+
|
| 6 |
+
### Scanner Bypass
|
| 7 |
+
- modelscan 0.8.8: No .nemo scanner → 0 issues
|
| 8 |
+
- picklescan 1.0.4: Scans nested .ckpt but chain bypasses detection → 0 infected
|
| 9 |
+
|
| 10 |
+
### ACE
|
| 11 |
+
NeMo files are tar archives containing model_weights.ckpt (PyTorch checkpoint with pickle).
|
| 12 |
+
Extracting and loading the checkpoint via torch.load(weights_only=False) triggers ACE.
|
| 13 |
+
|
| 14 |
+
### Payload: importlib.import_module → marshal.loads → types.FunctionType → ACE
|
| 15 |
+
|
| 16 |
+
### Reproduction
|
| 17 |
+
```python
|
| 18 |
+
import tarfile, torch
|
| 19 |
+
with tarfile.open("malicious_model.nemo", "r") as tar:
|
| 20 |
+
ckpt = tar.extractfile("model_weights.ckpt").read()
|
| 21 |
+
with open("/tmp/ckpt.bin", "wb") as f: f.write(ckpt)
|
| 22 |
+
torch.load("/tmp/ckpt.bin", weights_only=False) # ACE
|
| 23 |
+
```
|
| 24 |
+
|
| 25 |
+
Environment: PyTorch 2.10.0, modelscan 0.8.8, picklescan 1.0.4
|