---
license: openrail
tags:
- security
- adversarial
- tensorrt
- path-traversal
- zip-slip
- model-scanner-bypass
---

# TensorRT TEA Path Traversal PoC

**CVE:** N/A (responsible disclosure)

**Type:** Path Traversal (ZIP Slip) in TensorRT Engine Archive format

**Impact:** Arbitrary file write → Remote Code Execution

## Description

This PoC demonstrates a path traversal vulnerability in NVIDIA TensorRT's Engine Archive (TEA) format. The TEA format is a ZIP-based container used by TensorRT 10.0+ for engine serialization.

When `IRuntime::deserializeCudaEngine()` loads a `.tea` file, it extracts ZIP entries without validating paths. A malicious entry like `../../../tmp/evil.py` escapes the extraction directory.

## Contents

- `tea_path_traversal.tea` - Malicious TEA archive containing:
  - `build_cfg.json` (legitimate)
  - `plan_cfg.json` (legitimate)
  - `engine.trt` (legitimate stub)
  - `timing.cache` (legitimate)
  - `../../../tmp/evil.py` (path traversal → writes outside extraction dir)

## Attack Vectors

1. **Arbitrary file write** → RCE via cron, startup scripts, shared libraries
2. **Configuration injection** via malicious `build_cfg.json`
3. **Prototype pollution** via `__proto__` in config
4. **Symlink escape** → information disclosure
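
A pre-load check that a consumer of `.tea` files could run before anything is extracted, shown here as an added example (not code from this repository or from TensorRT): it walks the ZIP entries and rejects symlinks, absolute paths, and names that resolve outside the extraction directory. The extraction directory, the `cache_link` entry and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile


def unsafe_entries(archive, dest="/srv/engines/unpacked"):
    """Map each ZIP entry that must not be extracted under dest to a reason."""
    dest = posixpath.normpath(dest)  # assumed extraction directory
    findings = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators so Windows-style names are caught too.
            name = info.filename.replace("\\", "/")
            mode = info.external_attr >> 16  # Unix mode bits, if the writer set them
            resolved = posixpath.normpath(posixpath.join(dest, name))
            if stat.S_ISLNK(mode):
                findings[info.filename] = "symlink entry"
            elif name.startswith("/") or name[1:2] == ":":
                findings[info.filename] = "absolute path"
            elif not resolved.startswith(dest + "/"):
                findings[info.filename] = "escapes extraction directory"
    return findings


def build_sample():
    """Constructed in-memory archive mirroring the entry names listed on this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("build_cfg.json", "plan_cfg.json", "engine.trt", "timing.cache"):
            zf.writestr(name, b"{}")
        zf.writestr("../../../tmp/evil.py", b"# placeholder\n")
        link = zipfile.ZipInfo("cache_link")  # constructed symlink entry
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, b"/etc")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, reason in unsafe_entries(build_sample()).items():
        print(f"REJECT {entry}: {reason}")
```

The check only reads the central directory, so it can gate a file before it reaches any loader; an archive with a non-empty result should be refused rather than partially extracted.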

## References

- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- CWE-494: Download of Code Without Integrity Check
- Similar: CVE-2022-31129 (zip4j path traversal)

## Disclaimer

This PoC is provided for authorized security research and vulnerability disclosure only.