Vulnerability Report: Arbitrary Code Execution via Insecure Python Operator (PyOp) in ONNX Models
Summary
The ONNX model format supports custom operators, including the PyOp (Python Operator) within the com.microsoft domain. This operator allows a model to specify a Python module and class to be invoked during inference. A maliciously crafted ONNX model can exploit this feature to execute arbitrary Python code (and by extension, system commands) on the host machine when the model is loaded and run by an ONNX Runtime environment that has the Python Operator enabled. This constitutes a critical "Backdoor" vulnerability within the model architecture.
Target
ONNX (.onnx) - Microsoft & Meta
Impact
- Remote Code Execution (RCE): An attacker can embed malicious Python code within an ONNX model. When a victim runs inference on this model, the code is executed with the privileges of the user running the ONNX Runtime.
- Silent Backdoor: The malicious logic is embedded within the graph nodes, making it difficult to detect via standard file-based antivirus or simple model scanners that do not inspect custom operator attributes.
- Supply Chain Risk: Malicious models distributed via public repositories (like HuggingFace or ONNX Hub) can compromise the systems of researchers and developers who download and test them.
Proof of Concept (PoC)
The PoC is an ONNX model file (malicious.onnx) that contains a PyOp node configured to execute a system command.
Reproduction Steps:
- Install ONNX and ONNX Runtime: pip install onnx onnxruntime
- Run the provided onnx_poc.py script to generate malicious.onnx.
- Attempt to load and run the model in an environment where custom operators or PyOp are supported.
- Observe the execution of the embedded command (e.g., writing to /tmp/onnx_exploit_success).
Technical Details
The vulnerability stems from the architectural design of ONNX, which allows highly flexible custom operators. The PyOp operator specifically allows the definition of module, class_name, and compute attributes that map directly to Python execution. While many production builds of ONNX Runtime disable this by default for security reasons, the format itself remains a valid vector for any environment or custom build that enables this functionality for research or specialized tasks.
Recommended Fix
- Strict Operator Validation: ONNX Runtime should implement a strict allow-list for operators and domains.
- Disable PyOp by Default: Ensure that the Python Operator is disabled in all production builds and requires explicit, high-level user consent to enable.
- Model Signing: Implement a robust model signing and verification mechanism to ensure the integrity and origin of ONNX models.
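The following is an added example, not code from the report or from the ONNX project: a pre-load scanner that applies the operator/domain allow-list described under Recommended Fix and flags any com.microsoft PyOp node together with the module, class_name and compute attributes described under Technical Details. The policy works on plain dict nodes so it runs without the onnx package; the model_to_nodes adapter (which uses onnx.helper.get_attribute_value) converts a real ModelProto into that form. The sample graph, the allow-list contents and the placeholder attribute values are constructed for the example.

```python
"""Added example: scan an ONNX graph for operators outside an allow-list and
flag PyOp nodes, which carry attributes that select Python code to execute."""
from typing import Dict, Iterable, List

# Domains a deployment is willing to load. "" and "ai.onnx" are the standard
# operator domain; the set is a constructed example, tune it per deployment.
ALLOWED_DOMAINS = frozenset({"", "ai.onnx", "ai.onnx.ml"})

# Attribute names on a com.microsoft PyOp node that map to Python execution.
PYOP_CODE_ATTRS = ("module", "class_name", "compute")


def scan_nodes(nodes: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per node that violates the allow-list.

    Each node is a plain dict: name, op_type, domain, attributes (name -> value).
    PyOp nodes are reported as critical and the Python targets are extracted so
    an analyst can see what the model would import and call.
    """
    findings = []
    for node in nodes:
        domain = str(node.get("domain", ""))
        op_type = str(node.get("op_type", ""))
        attrs = node.get("attributes") or {}
        if domain == "com.microsoft" and op_type == "PyOp":
            findings.append({
                "node": node.get("name", ""),
                "severity": "critical",
                "reason": "PyOp node maps directly to Python execution",
                "python_targets": {k: attrs[k] for k in PYOP_CODE_ATTRS if k in attrs},
            })
        elif domain not in ALLOWED_DOMAINS:
            findings.append({
                "node": node.get("name", ""),
                "severity": "warning",
                "reason": f"operator {domain}:{op_type} is outside the allow-list",
                "python_targets": {},
            })
    return findings


def is_safe_to_load(nodes: Iterable[Dict[str, object]]) -> bool:
    """True only when every node is on the allow-list and no PyOp is present."""
    return not scan_nodes(nodes)


def model_to_nodes(model) -> List[Dict[str, object]]:
    """Adapter from an onnx.ModelProto to the dict form above (needs onnx)."""
    from onnx import helper  # imported lazily so the policy itself has no dependency
    out = []
    for n in model.graph.node:
        attrs = {}
        for a in n.attribute:
            v = helper.get_attribute_value(a)
            # String attributes come back as bytes; decode for reporting.
            attrs[a.name] = v.decode("utf-8", "replace") if isinstance(v, bytes) else v
        out.append({"name": n.name, "op_type": n.op_type,
                    "domain": n.domain, "attributes": attrs})
    return out


# Constructed sample graph: one benign Add node and one PyOp node of the kind
# the report describes. Attribute values are placeholders, not from the PoC.
SAMPLE_NODES = [
    {"name": "add_0", "op_type": "Add", "domain": "", "attributes": {}},
    {"name": "pyop_0", "op_type": "PyOp", "domain": "com.microsoft",
     "attributes": {"module": "untrusted_module", "class_name": "SomeClass",
                    "compute": "compute"}},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        import onnx  # scanning a real file requires the onnx package
        nodes = model_to_nodes(onnx.load(sys.argv[1]))
    else:
        nodes = SAMPLE_NODES
    for f in scan_nodes(nodes):
        print(f"[{f['severity']}] {f['node']}: {f['reason']} {f['python_targets']}")
    print("safe to load:", is_safe_to_load(nodes))
```

Run it with a path to an .onnx file to scan a real model, or with no arguments to see the constructed sample flagged. The scan inspects graph nodes only, so it should run before onnxruntime.InferenceSession is ever created; it is a complement to, not a substitute for, building ONNX Runtime without the Python operator and verifying model signatures.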
Submitted by: PhonkAlphabet ⚡️👾 by🇭🇷PhonkAlphabet 👾⚡️