PMML XXE PoC: pmml4s / pypmml (arbitrary file read + SSRF on model load)
Loading the malicious model file poc.pmml with pmml4s (or pypmml, which bundles it)
triggers XML External Entity processing (CWE-611): the parser fetches an external DTD and reads
a local file off the host. The model parses with no error, so the read is transparent.
Reproduce (offline, benign target: /etc/hostname)
1. pip install pypmml (needs a JRE on PATH; pmml4s is a Scala/JVM library)
2. python3 canary.py (starts a loopback observation listener on 127.0.0.1:8099)
3. In another shell: python3 -c "from pypmml import Model; Model.fromFile('poc.pmml')"
4. Observe the canary output: HIT /leak?d=HOSTNAME

The parser read /etc/hostname and exfiltrated it = arbitrary file read (XXE). It also fetched evil.dtd from this repo = SSRF / external-entity resolution.
Files
- poc.pmml: malicious PMML model; its DOCTYPE points at evil.dtd in this repo
- evil.dtd: parameter-entity chain: reads file:///etc/hostname, exfils to 127.0.0.1:8099 (loopback)
- canary.py: local listener so you can observe the read (loopback only)
Root cause
org/pmml4s/xml/pull.scala: val factory = XMLInputFactory.newFactory with no
SUPPORT_DTD=false / IS_SUPPORTING_EXTERNAL_ENTITIES=false. Fix: disable DTD support.
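
A caller-side complement to the fix above, for code that loads untrusted .pmml files through pypmml and cannot change the parser configuration itself. This is an added example, not part of this repo or of pypmml/pmml4s: it refuses any document that declares a DOCTYPE before the file reaches the JVM parser. The names assert_no_dtd, is_dtd_free and load_checked are hypothetical, the samples are constructed, and it assumes legitimate PMML never needs a DTD.

```python
# Added example, not pypmml/pmml4s code. Assumption: legitimate PMML is
# schema-defined and never needs a DOCTYPE, so any DTD is grounds to refuse.
import xml.parsers.expat

class DoctypeRejected(ValueError):
    """The document declares a DTD."""

def assert_no_dtd(data: bytes) -> None:
    """Fail on the first DOCTYPE declaration, before any JVM parser runs.

    expat decodes the document itself (UTF-8, UTF-16 with BOM), so it catches
    declarations that a byte search for b"<!DOCTYPE" misses. No external
    entity handler is installed, so expat fetches nothing.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r}, system id {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Fail closed: malformed input is not handed to the loader either.
        raise ValueError(f"not well-formed XML: {exc}") from exc

def is_dtd_free(data: bytes) -> bool:
    try:
        assert_no_dtd(data)
        return True
    except ValueError:
        return False

def load_checked(path: str):
    """Hypothetical wrapper around the Model.fromFile call shown above."""
    with open(path, "rb") as fh:
        assert_no_dtd(fh.read())
    from pypmml import Model  # lazy import: needs a JRE on PATH
    return Model.fromFile(path)

# Constructed samples (placeholder URL, no real host).
CLEAN = b'<?xml version="1.0"?><PMML version="4.4"><Header/></PMML>'
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE PMML SYSTEM "http://example.invalid/placeholder.dtd">'
            b'<PMML version="4.4"/>')
WITH_DTD_UTF16 = WITH_DTD.decode().replace(
    '"1.0"', '"1.0" encoding="UTF-16"').encode("utf-16")
```

load_checked reads the file once for the check and pypmml reads it again for the load, so keep the file somewhere nothing else can rewrite it in between.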