wladislax's picture
TF SavedModel ModelScan-bypass arbitrary-file-write PoCs (huntr)
35ef14f verified
|
Raw
History Blame Contribute Delete
1.9 kB
---
license: other
tags:
- security
- vulnerability-research
- proof-of-concept
- tensorflow
- savedmodel
- not-a-model
viewer: false
---
# ⚠️ Security PoC β€” NOT a usable model
Proof-of-concept malicious **TensorFlow SavedModel** files for a [huntr](https://huntr.com)
"Model Format Vulnerability" submission (Protect AI / Palo Alto Prisma AIRS). They
write attacker-chosen files when run, while being reported **clean by Protect AI
ModelScan**. Published only for responsible-disclosure reproduction β€” do not run
them on a machine you care about.
## What it demonstrates
ModelScan's SavedModel scanner only denylists two ops (`ReadFile`, `WriteFile`).
TensorFlow has many other file-I/O ops; embedding them gives the same arbitrary
file write while the scanner reports 0 issues.
| Dir | Op | Effect | ModelScan |
|-----|----|--------|-----------|
| `evil_printv2` | `PrintV2` (`tf.print(..., output_stream="file://PATH")`) | writes attacker **content** to attacker **path** | **0 issues** |
| `evil_savev2` | `SaveV2` | writes checkpoint files at attacker path | **0 issues** |
| `naive_writefile` | `WriteFile` (control) | same impact | **HIGH β€” detected** |
## Reproduce
```bash
pip install tensorflow modelscan
python build_tf_poc.py # regenerates the three SavedModels
python load_run.py evil_printv2 # inference -> writes PWNED_printv2.txt (attacker content)
modelscan -p evil_printv2 -r json # -> total_issues: 0 (bypass)
modelscan -p naive_writefile # -> HIGH Tensorflow.WriteFile (control is caught)
```
(ModelScan must be installed with the `tensorflow` extra so its SavedModel scanner actually parses the graph.)
## Files
- `evil_printv2/`, `evil_savev2/`, `naive_writefile/` β€” the SavedModel PoCs
- `build_tf_poc.py` β€” regenerates them deterministically
- `load_run.py` β€” loads a SavedModel and runs inference (triggers the write)