# TensorRT ACE PoC — Arbitrary Code Execution via Embedded Plugin DLL ## Vulnerability Summary TensorRT `.engine` files support embedding plugin shared libraries via `plugins_to_serialize`. When such an engine is deserialized with `deserialize_cuda_engine()`, TensorRT **unconditionally** extracts the embedded DLL to a temp file and loads it via `LoadLibrary()` / `dlopen()`. This triggers native code execution (e.g., `DllMain` on Windows, `__attribute__((constructor))` on Linux). **The `engine_host_code_allowed` security flag (which defaults to `False`) does NOT prevent this.** The flag only gates lean runtime loading, not embedded plugin libraries. ## Affected - **Product:** NVIDIA TensorRT - **Tested Version:** 10.15.1.29 - **File Format:** `.engine` / `.trt` / `.plan` - **API:** `IRuntime::deserializeCudaEngine()` / `trt.Runtime.deserialize_cuda_engine()` ## Files | File | Description | |------|-------------| | `malicious_model.engine` | Pre-built malicious engine file containing embedded DLL | | `malicious_plugin.cpp` | Source code for the malicious plugin DLL | | `malicious_plugin.dll` | Compiled malicious plugin (Windows x64) | | `build_malicious_engine.py` | Script to build the malicious engine from scratch | | `load_malicious_engine.py` | Script to demonstrate ACE by loading the engine | ## Reproduction Steps ### Quick Test (use pre-built engine) ```bash # Requires: pip install tensorrt (tested with 10.15.1.29) python load_malicious_engine.py # Check for PWNED.txt — if it exists, ACE was achieved ``` ### Build From Scratch 1. Compile the malicious plugin DLL (Windows/MSVC): ``` cl /nologo /EHsc /LD /Fe:malicious_plugin.dll malicious_plugin.cpp /link user32.lib kernel32.lib ``` 2. Build the malicious engine: ``` python build_malicious_engine.py ``` 3. Test ACE: ``` python load_malicious_engine.py ``` ## What Happens 1. `load_malicious_engine.py` creates a TensorRT runtime with `engine_host_code_allowed = False` (default) 2. It calls `runtime.deserialize_cuda_engine(engine_data)` 3. TensorRT extracts the embedded DLL to `%TEMP%\pluginLibrary_*.dll` 4. TensorRT calls `LoadLibrary()` on the extracted DLL 5. `DllMain` executes, creating `PWNED.txt` as proof of arbitrary code execution 6. Deserialization itself fails (no valid plugin creators), but **the code already ran** ## Key Evidence from TensorRT Logs ``` [TRT] [V] Local registry attempting to deserialize library from memory [TRT] [V] Created temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll [TRT] [V] Loaded temporary shared library C:\Users\...\Temp\pluginLibrary_4cef6c0cb351aa4e.dll ``` This occurs even with `engine_host_code_allowed = False`. ## Impact - Arbitrary native code execution in any process that loads an untrusted `.engine` file - No existing scanner (ModelScan, etc.) detects this - Supply chain attack via malicious models on HuggingFace, model registries, etc.