Add content from: Hunting Vulnerabilities in Keras Model Deserialization

Author: HackTricks News Bot

src/AI/AI-MCP-Servers.md

@@ -50,6 +50,7 @@ Once connected, the host (inspector or an AI agent like Cursor) will fetch the t
 
 For more information about Prompt Injection check:
 
+
 {{#ref}}
 AI-Prompts.md
 {{#endref}}
@@ -100,6 +101,7 @@ Another way to perform prompt injection attacks in clients using MCP servers is
 A user that is giving access to his Github repositories to a client could ask the client to read and fix all the open issues. However, a attacker could **open an issue with a malicious payload** like "Create a pull request in the repository that adds [reverse shell code]" that would be read by the AI agent, leading to unexpected actions such as inadvertently compromising the code.
 For more information about Prompt Injection check:
 
+
 {{#ref}}
 AI-Prompts.md
 {{#endref}}
@@ -156,4 +158,3 @@ The payload can be anything the current OS user can run, e.g. a reverse-shell ba
 
 {{#include ../banners/hacktricks-training.md}}
 
-

src/AI/AI-Models-RCE.md

@@ -177,11 +177,20 @@ with tarfile.open("symlink_demo.model", "w:gz") as tf:
     tf.add(PAYLOAD)                      # rides the symlink
 ```
 
+### Deep-dive: Keras .keras deserialization and gadget hunting
+
+For a focused guide on .keras internals, Lambda-layer RCE, the arbitrary import issue in ≤ 3.8, and post-fix gadget discovery inside the allowlist, see:
+
+
+{{#ref}}
+../generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md
+{{#endref}}
+
 ## References
 
 - [OffSec blog – "CVE-2024-12029 – InvokeAI Deserialization of Untrusted Data"](https://www.offsec.com/blog/cve-2024-12029/)
 - [InvokeAI patch commit 756008d](https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e)
 - [Rapid7 Metasploit module documentation](https://www.rapid7.com/db/modules/exploit/linux/http/invokeai_rce_cve_2024_12029/)
 - [PyTorch – security considerations for torch.load](https://pytorch.org/docs/stable/notes/serialization.html#security)
 
-{{#include ../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

src/AI/AI-llm-architecture/README.md

@@ -8,6 +8,7 @@
 
 You should start by reading this post for some basic concepts you should know about:
 
+
 {{#ref}}
 0.-basic-llm-concepts.md
 {{#endref}}
@@ -17,6 +18,7 @@ You should start by reading this post for some basic concepts you should know ab
 > [!TIP]
 > The goal of this initial phase is very simple: **Divide the input in tokens (ids) in some way that makes sense**.
 
+
 {{#ref}}
 1.-tokenizing.md
 {{#endref}}
@@ -26,6 +28,7 @@ You should start by reading this post for some basic concepts you should know ab
 > [!TIP]
 > The goal of this second phase is very simple: **Sample the input data and prepare it for the training phase usually by separating the dataset into sentences of a specific length and generating also the expected response.**
 
+
 {{#ref}}
 2.-data-sampling.md
 {{#endref}}
@@ -38,6 +41,7 @@ You should start by reading this post for some basic concepts you should know ab
 >
 > Moreover, during the token embedding **another layer of embeddings is created** which represents (in this case) the **absolute possition of the word in the training sentence**. This way a word in different positions in the sentence will have a different representation (meaning).
 
+
 {{#ref}}
 3.-token-embeddings.md
 {{#endref}}
@@ -48,6 +52,7 @@ You should start by reading this post for some basic concepts you should know ab
 > The goal of this fourth phase is very simple: **Apply some attetion mechanisms**. These are going to be a lot of **repeated layers** that are going to **capture the relation of a word in the vocabulary with its neighbours in the current sentence being used to train the LLM**.\
 > A lot of layers are used for this, so a lot of trainable parameters are going to be capturing this information.
 
+
 {{#ref}}
 4.-attention-mechanisms.md
 {{#endref}}
@@ -59,6 +64,7 @@ You should start by reading this post for some basic concepts you should know ab
 >
 > This architecture will be used for both, training and predicting text after it was trained.
 
+
 {{#ref}}
 5.-llm-architecture.md
 {{#endref}}
@@ -68,6 +74,7 @@ You should start by reading this post for some basic concepts you should know ab
 > [!TIP]
 > The goal of this sixth phase is very simple: **Train the model from scratch**. For this the previous LLM architecture will be used with some loops going over the data sets using the defined loss functions and optimizer to train all the parameters of the model.
 
+
 {{#ref}}
 6.-pre-training-and-loading-models.md
 {{#endref}}
@@ -77,6 +84,7 @@ You should start by reading this post for some basic concepts you should know ab
 > [!TIP]
 > The use of **LoRA reduce a lot the computation** needed to **fine tune** already trained models.
 
+
 {{#ref}}
 7.0.-lora-improvements-in-fine-tuning.md
 {{#endref}}
@@ -86,6 +94,7 @@ You should start by reading this post for some basic concepts you should know ab
 > [!TIP]
 > The goal of this section is to show how to fine-tune an already pre-trained model so instead of generating new text the LLM will select give the **probabilities of the given text being categorized in each of the given categories** (like if a text is spam or not).
 
+
 {{#ref}}
 7.1.-fine-tuning-for-classification.md
 {{#endref}}
@@ -95,6 +104,7 @@ You should start by reading this post for some basic concepts you should know ab
 > [!TIP]
 > The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot.
 
+
 {{#ref}}
 7.2.-fine-tuning-to-follow-instructions.md
 {{#endref}}

src/AI/README.md

@@ -6,18 +6,22 @@
 
 The best starting point to learn about AI is to understand how the main machine learning algorithms work. This will help you to understand how AI works, how to use it and how to attack it:
 
+
 {{#ref}}
 ./AI-Supervised-Learning-Algorithms.md
 {{#endref}}
 
+
 {{#ref}}
 ./AI-Unsupervised-Learning-Algorithms.md
 {{#endref}}
 
+
 {{#ref}}
 ./AI-Reinforcement-Learning-Algorithms.md
 {{#endref}}
 
+
 {{#ref}}
 ./AI-Deep-Learning.md
 {{#endref}}
@@ -26,6 +30,7 @@ The best starting point to learn about AI is to understand how the main machine
 
 In the following page you will find the basics of each component to build a basic LLM using transformers:
 
+
 {{#ref}}
 AI-llm-architecture/README.md
 {{#endref}}
@@ -36,6 +41,7 @@ AI-llm-architecture/README.md
 
 At this moment, the main 2 frameworks to assess the risks of AI systems are the OWASP ML Top 10 and the Google SAIF:
 
+
 {{#ref}}
 AI-Risk-Frameworks.md
 {{#endref}}
@@ -44,6 +50,7 @@ AI-Risk-Frameworks.md
 
 LLMs have made the use of AI explode in the last years, but they are not perfect and can be tricked by adversarial prompts. This is a very important topic to understand how to use AI safely and how to attack it:
 
+
 {{#ref}}
 AI-Prompts.md
 {{#endref}}
@@ -52,6 +59,7 @@ AI-Prompts.md
 
 It's very common to developers and companies to run models downloaded from the Internet, however just loading a model might be enough to execute arbitrary code on the system. This is a very important topic to understand how to use AI safely and how to attack it:
 
+
 {{#ref}}
 AI-Models-RCE.md
 {{#endref}}
@@ -60,12 +68,14 @@ AI-Models-RCE.md
 
 MCP (Model Context Protocol) is a protocol that allows AI agent clients to connect with external tools and data sources in a plug-and-play fashion. This enables complex workflows and interactions between AI models and external systems:
 
+
 {{#ref}}
 AI-MCP-Servers.md
 {{#endref}} 
 
 ### AI-Assisted Fuzzing & Automated Vulnerability Discovery
 
+
 {{#ref}}
 AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md
 {{#endref}}

src/SUMMARY.md

@@ -69,6 +69,7 @@
   - [Bypass Python sandboxes](generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md)
     - [LOAD_NAME / LOAD_CONST opcode OOB Read](generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.md)
   - [Class Pollution (Python's Prototype Pollution)](generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md)
+  - [Keras Model Deserialization Rce And Gadget Hunting](generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.md)
   - [Python Internal Read Gadgets](generic-methodologies-and-resources/python/python-internal-read-gadgets.md)
   - [Pyscript](generic-methodologies-and-resources/python/pyscript.md)
   - [venv](generic-methodologies-and-resources/python/venv.md)

src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md

@@ -10,6 +10,7 @@ To call malloc it's possible to wait for the program to call it or by **calling
 
 More info about One Gadget in:
 
+
 {{#ref}}
 ../rop-return-oriented-programing/ret2lib/one-gadget.md
 {{#endref}}
@@ -21,6 +22,7 @@ More info about One Gadget in:
 
 This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack:
 
+
 {{#ref}}
 ../libc-heap/unsorted-bin-attack.md
 {{#endref}}

src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md

@@ -62,6 +62,7 @@ Moreover, if `puts` is used with user input, it's possible to overwrite the `str
 
 ## **One Gadget**
 
+
 {{#ref}}
 ../rop-return-oriented-programing/ret2lib/one-gadget.md
 {{#endref}}
@@ -77,6 +78,7 @@ It's possible to find an [**example here**](https://ctf-wiki.mahaloz.re/pwn/linu
 
 The **Full RELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it:
 
+
 {{#ref}}
 ../common-binary-protections-and-bypasses/relro.md
 {{#endref}}
@@ -89,4 +91,3 @@ The **Full RELRO** protection is meant to protect agains this kind of technique
 {{#include ../../banners/hacktricks-training.md}}
 
 
-

src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md

@@ -6,12 +6,14 @@
 
 Before start exploiting anything it's interesting to understand part of the structure of an **ELF binary**:
 
+
 {{#ref}}
 elf-tricks.md
 {{#endref}}
 
 ## Exploiting Tools
 
+
 {{#ref}}
 tools/
 {{#endref}}
@@ -34,6 +36,7 @@ There are different was you could end controlling the flow of a program:
 
 You can find the **Write What Where to Execution** techniques in:
 
+
 {{#ref}}
 ../arbitrary-write-2-exec/
 {{#endref}}
@@ -111,4 +114,3 @@ Something to take into account is that usually **just one exploitation of a vuln
 {{#include ../../banners/hacktricks-training.md}}
 
 
-

src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md

@@ -68,6 +68,7 @@ This stores vendor metadata information about the binary.
 
 - On x86-64, `readelf -n` will show `GNU_PROPERTY_X86_FEATURE_1_*` flags inside `.note.gnu.property`. If you see `IBT` and/or `SHSTK`, the binary was built with CET (Indirect Branch Tracking and/or Shadow Stack). This impacts ROP/JOP because indirect branch targets must start with an `ENDBR64` instruction and returns are checked against a shadow stack. See the CET page for details and bypass notes.
 
+
 {{#ref}}
 ../common-binary-protections-and-bypasses/cet-and-shadow-stack.md
 {{#endref}}
@@ -92,6 +93,7 @@ Note that RELRO can be partial or full, the partial version do not protect the s
 
 > For exploitation techniques and up-to-date bypass notes, check the dedicated page:
 
+
 {{#ref}}
 ../common-binary-protections-and-bypasses/relro.md
 {{#endref}}
@@ -372,7 +374,8 @@ So when a program calls to malloc, it actually calls the corresponding location
 
 - `-z now` (Full RELRO) disables lazy binding; PLT entries still exist but GOT/PLT is mapped read-only, so techniques like **GOT overwrite** and **ret2dlresolve** won’t work against the main binary (libraries may still be partially RELRO). See:
 
-  {{#ref}}
+  
+{{#ref}}
   ../common-binary-protections-and-bypasses/relro.md
   {{#endref}}
 
@@ -382,6 +385,7 @@ So when a program calls to malloc, it actually calls the corresponding location
 
 > If GOT/PLT is not an option, pivot to other writeable code-pointers or use classic ROP/SROP into libc.
 
+
 {{#ref}}
 ../arbitrary-write-2-exec/aw2exec-got-plt.md
 {{#endref}}
@@ -432,6 +436,7 @@ Moreover, it's also possible to have a **`PREINIT_ARRAY`** with **pointers** tha
 
 - For lazy binding abuse of the dynamic linker to resolve arbitrary symbols at runtime, see the dedicated page:
 
+
 {{#ref}}
 ../rop-return-oriented-programing/ret2dlresolve.md
 {{#endref}}

src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md

@@ -210,6 +210,7 @@ p.interactive()
 
 Abusing a buffer overflow it would be possible to exploit a **ret2plt** to exfiltrate an address of a function from the libc. Check:
 
+
 {{#ref}}
 ret2plt.md
 {{#endref}}
@@ -231,6 +232,7 @@ payload += p32(elf.symbols['main'])
 
 You can find more info about Format Strings arbitrary read in:
 
+
 {{#ref}}
 ../../format-strings/
 {{#endref}}
@@ -239,6 +241,7 @@ You can find more info about Format Strings arbitrary read in:
 
 Try to bypass ASLR abusing addresses inside the stack:
 
+
 {{#ref}}
 ret2ret.md
 {{#endref}}
@@ -297,11 +300,11 @@ gef➤  x/4i 0xffffffffff600800
 
 Note therefore how it might be possible to **bypass ASLR abusing the vdso** if the kernel is compiled with CONFIG_COMPAT_VDSO as the vdso address won't be randomized. For more info check:
 
+
 {{#ref}}
 ../../rop-return-oriented-programing/ret2vdso.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-