| # TensorRT ACE PoC — Arbitrary Code Execution via Embedded Plugin DLL |
|
|
| ## Vulnerability Summary |
|
|
| TensorRT `.engine` files support embedding plugin shared libraries via `plugins_to_serialize`. When such an engine is deserialized with `deserialize_cuda_engine()`, TensorRT **unconditionally** extracts the embedded DLL to a temp file and loads it via `LoadLibrary()` / `dlopen()`. This triggers native code execution (e.g., `DllMain` on Windows, `__attribute__((constructor))` on Linux). |
|
|
| **The `engine_host_code_allowed` security flag (which defaults to `False`) does NOT prevent this.** The flag only gates lean runtime loading, not embedded plugin libraries. |
| |
| ## Affected |
| |
| - **Product:** NVIDIA TensorRT |
| - **Tested Version:** 10.15.1.29 |
| - **File Format:** `.engine` / `.trt` / `.plan` |
| - **API:** `IRuntime::deserializeCudaEngine()` / `trt.Runtime.deserialize_cuda_engine()` |
| |
| ## Files |
| |
| | File | Description | |
| |------|-------------| |
| | `malicious_model.engine` | Pre-built malicious engine file containing embedded DLL | |
| | `malicious_plugin.cpp` | Source code for the malicious plugin DLL | |
| | `malicious_plugin.dll` | Compiled malicious plugin (Windows x64) | |
| | `build_malicious_engine.py` | Script to build the malicious engine from scratch | |
| | `load_malicious_engine.py` | Script to demonstrate ACE by loading the engine | |
| |
| ## Reproduction Steps |
| |
| ### Quick Test (use pre-built engine) |
| |
| ```bash |
| # Requires: pip install tensorrt (tested with 10.15.1.29) |
| python load_malicious_engine.py |
| # Check for PWNED.txt — if it exists, ACE was achieved |
| ``` |
| |
| ### Build From Scratch |
| |
| 1. Compile the malicious plugin DLL (Windows/MSVC): |
| ``` |
| cl /nologo /EHsc /LD /Fe:malicious_plugin.dll malicious_plugin.cpp /link user32.lib kernel32.lib |
| ``` |
| |
| 2. Build the malicious engine: |
| ``` |
| python build_malicious_engine.py |
| ``` |
| |
| 3. Test ACE: |
| ``` |
| python load_malicious_engine.py |
| ``` |
| |
| ## What Happens |
| |
| 1. `load_malicious_engine.py` creates a TensorRT runtime with `engine_host_code_allowed = False` (default) |
| 2. It calls `runtime.deserialize_cuda_engine(engine_data)` |
| 3. TensorRT extracts the embedded DLL to `%TEMP%\pluginLibrary_*.dll` |
| 4. TensorRT calls `LoadLibrary()` on the extracted DLL |
| 5. `DllMain` executes, creating `PWNED.txt` as proof of arbitrary code execution |
| 6. Deserialization itself fails (no valid plugin creators), but **the code already ran** |
| |
| ## Key Evidence from TensorRT Logs |
| |
| ``` |
| [TRT] [V] Local registry attempting to deserialize library from memory |
| [TRT] [V] Created temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll |
| [TRT] [V] Loaded temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll |
| ``` |
| |
| This occurs even with `engine_host_code_allowed = False`. |
| |
| ## Impact |
| |
| - Arbitrary native code execution in any process that loads an untrusted `.engine` file |
| - No existing scanner (ModelScan, etc.) detects this |
| - Supply chain attack via malicious models on HuggingFace, model registries, etc. |
| |
