# TensorRT Engine File RCE PoC

## Vulnerability

Arbitrary code execution via embedded native shared libraries (DLL/SO) in TensorRT engine files (`.engine`/`.trt`/`.plan`). The embedded library's constructor (`DllMain` / `__attribute__((constructor))`) executes automatically when the engine is deserialized with `engine_host_code_allowed=True`.
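The gate that makes this exploitable is `engine_host_code_allowed`; the defensive posture is to leave it at its default (off) and to refuse engine files that carry a native image at all. The following pre-load scan is an added example, not code from this PoC repository. It assumes a host-code plugin is stored verbatim inside the engine blob, so a PE (`MZ` plus `PE\0\0` at `e_lfanew`) or ELF (`\x7fELF`) header is present somewhere in the file; the sample blob, its header bytes and offsets are constructed for the demonstration and are not a real TensorRT layout.

```python
# Added example (not part of this PoC repository): a pre-load scan that looks
# for native shared-library images embedded in a TensorRT engine file.
# Assumption: a host-code plugin carried in an engine is stored verbatim, so a
# PE ("MZ" + "PE\0\0") or ELF ("\x7fELF") header appears somewhere in the blob.
import struct
from dataclasses import dataclass


@dataclass
class Finding:
    offset: int   # byte offset of the image header inside the engine blob
    kind: str     # "PE" or "ELF"
    detail: str   # a few header fields, for the triage log


def _pe_at(blob: bytes, off: int):
    """Validate a PE image at `off`: DOS header, then PE\\0\\0 at e_lfanew."""
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe_off = off + e_lfanew
    if pe_off + 24 > len(blob) or blob[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", blob, pe_off + 4)[0]
    return f"machine=0x{machine:04x} e_lfanew=0x{e_lfanew:x}"


def _elf_at(blob: bytes, off: int):
    """Validate an ELF image at `off`: e_ident class/data fields, then e_type."""
    if blob[off:off + 4] != b"\x7fELF" or len(blob) < off + 0x14:
        return None
    ei_class, ei_data = blob[off + 4], blob[off + 5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type = struct.unpack_from(endian + "H", blob, off + 0x10)[0]
    return f"{'ELF64' if ei_class == 2 else 'ELF32'} e_type={e_type}"


def scan_engine_blob(blob: bytes) -> list[Finding]:
    """Return every validated PE/ELF header found in the blob, in file order.
    A bare "MZ" or "\\x7fELF" string in weight data is not reported unless the
    rest of the header checks out, which keeps false positives low."""
    findings, idx = [], 0
    while True:
        cands = [c for c in (blob.find(b"MZ", idx), blob.find(b"\x7fELF", idx)) if c != -1]
        if not cands:
            return findings
        off = min(cands)
        if blob[off:off + 2] == b"MZ":
            kind, detail = "PE", _pe_at(blob, off)
        else:
            kind, detail = "ELF", _elf_at(blob, off)
        if detail is not None:
            findings.append(Finding(off, kind, detail))
        idx = off + 1


def engine_is_clean(blob: bytes) -> bool:
    """Policy: refuse any engine that carries a native image. Pair this with
    leaving the runtime's engine_host_code_allowed setting at its default."""
    return not scan_engine_blob(blob)


# --- constructed sample input (not a real engine) ---------------------------
def _fake_pe() -> bytes:
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> right after DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18


def _fake_elf() -> bytes:
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELF64, little-endian
    return e_ident + struct.pack("<HH", 3, 0x3E)           # ET_DYN, x86-64


SAMPLE_HEADER = b"TRT-constructed-header"          # 22 bytes of opaque metadata
SAMPLE_FILLER = b"\x00\x11\x22\x33" * 64           # 256 bytes standing in for weights


def build_sample_blob() -> bytes:
    """Opaque header + 'weights' + an embedded ELF + padding + an embedded PE."""
    return SAMPLE_HEADER + SAMPLE_FILLER + _fake_elf() + b"\0" * 32 + _fake_pe()


if __name__ == "__main__":
    sample = build_sample_blob()
    for f in scan_engine_blob(sample):
        print(f"[!] embedded {f.kind} image at offset {f.offset}: {f.detail}")
    print("clean" if engine_is_clean(sample) else "REFUSE: engine carries native code")
```

Run `scan_engine_blob(open(path, "rb").read())` before handing a file to the TensorRT runtime and treat any finding as a reason not to load. The scan is a heuristic for triage (a packed or otherwise transformed library would not match), so the enforceable control remains keeping host-code deserialization disabled and loading engines only from a trusted build pipeline.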
|
|
## Files

| File | Description |
|---|---|
| `malicious_model.engine` | Crafted TensorRT engine with embedded malicious DLL |
| `malicious_plugin.c` | Source code of the malicious plugin |
| `build_poc.py` | Script to build the malicious engine |
| `load_poc.py` | Script to load the engine and trigger RCE |

## Reproduction

### Prerequisites

- NVIDIA GPU with CUDA drivers
- TensorRT 8.6+ (`pip install tensorrt`)
- C compiler (MSVC on Windows, GCC on Linux)

### Steps

```bash
# 1. Build the malicious engine (or use the pre-built malicious_model.engine)
python build_poc.py

# 2. Load the engine — triggers arbitrary code execution
python load_poc.py evidence/malicious_model.engine

# 3. Verify code execution
# Windows: check C:\temp\tensorrt_rce_poc.txt
# Linux: check /tmp/tensorrt_rce_poc
```

### Expected Output

```
[!] TensorRT RCE PoC: Arbitrary code executed via embedded plugin!
[!] Proof written to tensorrt_rce_poc.txt
[!] PID: <process_id>

[!!!] CODE EXECUTION CONFIRMED: C:\temp\tensorrt_rce_poc.txt
```

## Tested Environment

- Windows 10/11, NVIDIA RTX 4080 Super
- CUDA 13.0, TensorRT 10.15.1.29
- Python 3.12