Execution of Arbitrary Code via Model Config Architecture Targets
Overview
While a traditional Zip Slip attack (PAIT-EXDIR-100) manipulates files on the host OS by traversing upward out of the extraction directory (../../), the PAIT-EXDIR-101 vulnerability focuses exclusively on poisoning the metadata and configuration structures inherent to the extracted machine learning model.
Modern deep learning frameworks depend heavily on configuration files (such as `config.json`, `generation_config.json`, or proprietary `.yaml` files) loaded alongside the tensor weights to determine how a model is constructed. Eresus Sentinel generates a PAIT-EXDIR-101 alert when it detects a model archive containing a maliciously crafted configuration object that explicitly instructs the interpreter to instantiate custom code architectures or execute local shell hooks.
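For context, a benign `config.json` might look like the following sketch. The keys are Hugging Face-style fields shown purely for illustration; exact fields vary by framework:

```json
{
  "architectures": ["BertForSequenceClassification"],
  "model_type": "bert",
  "hidden_size": 768,
  "num_attention_heads": 12,
  "num_hidden_layers": 12,
  "vocab_size": 30522
}
```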
The Attack Vector: Poisoned Configurations
Attackers inject hidden executable pointers (such as an `eval()` string or a dynamic library hook) directly into the model's setup configurations. When the ML framework extracts the seemingly benign model archive locally, the loading logic reads `config.json` to structure the tensor operations. The backend then evaluates the attacker's string as native functionality, triggering Arbitrary Code Execution (ACE) without the data scientist ever formally interacting with the weights themselves.
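The pattern is easiest to see in a minimal sketch. The config field name (`activation_fn`) and the `load_model_config` helper below are hypothetical, and the payload is a harmless echo standing in for real shellcode; the point is that `eval()` on a config value runs before any tensor is ever loaded:

```python
import json
import os
import tempfile

# Hypothetical poisoned config: "activation_fn" should name a simple
# activation function, but the attacker replaced it with arbitrary code.
# The payload is a harmless echo standing in for real shellcode.
poisoned = {
    "model_type": "bert",
    "activation_fn": "__import__('os').system('echo pwned') or 'gelu'",
}

config_path = os.path.join(tempfile.mkdtemp(), "config.json")
with open(config_path, "w") as f:
    json.dump(poisoned, f)

def load_model_config(path):
    """Naive loader: parses config.json, then eval()s a field it
    expects to be a plain identifier (the PAIT-EXDIR-101 anti-pattern)."""
    with open(path) as f:
        cfg = json.load(f)
    activation = eval(cfg["activation_fn"])  # VULNERABLE: attacker-controlled string
    return cfg, activation

# The attacker's code runs here, before any weights are touched.
cfg, activation = load_model_config(config_path)
```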
How The Attack Works
Instead of trying to overwrite the host's /etc/passwd file via extraction pathways, the attacker simply places ordinary .py wrappers masquerading as custom model logic inside the model folder and points the configuration at them; a hypothetical example of such a configuration appears after the diagram below.
```mermaid
sequenceDiagram
    participant Attacker_C2 as Attacker C2
    participant Model_Hub as Community Registry
    participant ML_Pipeline as Model Loader logic
    participant Python_Eval as Config Evaluator
    Attacker_C2->>Model_Hub: Uploads valid model with weaponized 'config.json'
    ML_Pipeline->>Model_Hub: Pulls the latest model package locally
    ML_Pipeline->>ML_Pipeline: Extracts model cleanly into its own directory
    ML_Pipeline->>Python_Eval: Parses 'config.json' to build the neural logic
    Python_Eval->>Python_Eval: Executes 'custom_eval_string' hidden in JSON
    Python_Eval->>Python_Eval: Shell code evaluates with Host Permissions
    Python_Eval-->>Attacker_C2: Covert Remote Code Execution channel is established
```
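The .py-wrapper variant maps onto a real mechanism in the Hugging Face ecosystem: a `config.json` whose `auto_map` keys point class resolution at Python files shipped inside the same model folder. The class and module names below are hypothetical; with `trust_remote_code` enabled, the referenced `modeling_custom.py` is imported during `from_pretrained`, and any module-level code in it executes:

```json
{
  "model_type": "bert",
  "architectures": ["CustomBertModel"],
  "auto_map": {
    "AutoConfig": "configuration_custom.CustomBertConfig",
    "AutoModel": "modeling_custom.CustomBertModel"
  }
}
```

This is why frameworks gate such configs behind an explicit opt-in flag: the archive itself is structurally clean, yet loading it executes code.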
Key Points
- Perfect Disguise: The archive contains no standard Zip Slip path-traversal characters. Every file lands exactly where it is supposed to (in the model directory), allowing it to bypass archive structure scanners entirely. The trap lies deeper, in the logical interpretation of the configuration afterward.
- Supply Chain Nightmare: This vector exploits the inherent trust that popular libraries place in configuration formats. Because the model requires its metadata to load correctly, the poisoned execution parameter is guaranteed to be read during standard instantiation.
- RCE Amplification: Executable config strings run directly in the orchestration container (e.g., a PyTorch or Keras runtime), inheriting whatever IAM or Active Directory privileges the parent process holds during training.
Impact
A weaponized configuration file can completely compromise the host infrastructure running the ML pipeline. Attackers can hijack the parsing event to drop backdoors (Remote Code Execution payloads), pivot laterally into internal database shards, or perform sweeping internal network scans. This also creates a severe intellectual-property exposure, since the attacker gains unhindered command capability disguised as framework-level operations.
Best Practices
Defend against Config Object Executable Targets by decoupling configuration loading from executable logic handling:
- Strict Configuration Parsers: Never utilize unsafe methods like Python's built-in `eval()` or YAML's `load()` (which supports execution) when parsing incoming metadata. Map model configs exclusively using `yaml.safe_load()` or strictly typed JSON parsers (`json.loads`); see the defensive sketch after this list.
- Disable Dynamic Logic (Custom Code Execution): Popular frameworks (like Hugging Face `transformers`) often feature flags (e.g., `trust_remote_code=True`). Unless strictly necessary and comprehensively vetted, always disable remote executable code in your organization's defaults.
- Model Checksums (Hashes): Leverage stringent MLOps CI/CD rules that validate cryptographic signatures of `config.json` files before initialization, ensuring nothing was secretly appended during transit.
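A minimal defensive sketch combining these controls follows. The file paths and the `expected_sha256` digest are placeholders, and the commented `transformers` call assumes that library is installed:

```python
import hashlib
import json

import yaml  # PyYAML

def verify_config_hash(path, expected_sha256):
    """Reject a config whose digest does not match the value pinned
    in your MLOps pipeline (the expected digest is a placeholder)."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"config hash mismatch: {digest}")

def load_config_safely(path):
    """Parse metadata with non-executing parsers only."""
    with open(path) as f:
        if path.endswith((".yaml", ".yml")):
            return yaml.safe_load(f)  # never yaml.load() on untrusted input
        return json.loads(f.read())   # json.loads cannot execute code

# Usage sketch (paths and digest are hypothetical):
# verify_config_hash("model/config.json", expected_sha256="aabb...")
# cfg = load_config_safely("model/config.json")
#
# When loading via Hugging Face transformers, keep dynamic code off:
# from transformers import AutoModel
# model = AutoModel.from_pretrained("org/model", trust_remote_code=False)
```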
Remediation
If an Eresus Sentinel PAIT-EXDIR-101 alarm registers, the scanner has isolated a poisoned model configuration attempting code execution. Stop the instantiation container immediately to guarantee no payload ran during parsing. Audit the repository that distributed the infected artifact and immediately flag it as hostile in your organizational dependency manager. Review process telemetry to confirm no outbound connections were established immediately following the detection event.
Further Reading
Explore the exploitation methodologies threat actors use when weaponizing metadata files:
- OWASP A08: Software and Data Integrity Failures: The foundational analysis on verifying configurations and stopping tampered execution models.
- Hugging Face Security Note (`trust_remote_code`): Learn why enabling dynamic Python code loading from unknown configurations carries severe risks.
- PyYAML Documentation - safe_load: Guidance on using `safe_load` exclusively to prevent RCE vectors inside config files.
📥 Eresus Sentinel Validates Config Files Intelligently
Don't let a tampered config.json silently destroy your infrastructure. Eresus Sentinel recursively scrutinizes all connected ML package metadata before it reaches the parsing engine, proactively flagging arbitrary string evaluations and blocking executable targets.
FAQ
Is this risk limited to prompt injection?
No. In AI security, prompt injection is an important starting point, but on its own it does not tell the whole story. The retrieval layer, tool permissions, trust in model artifacts, sensitive data in logs, user authorization, and integration boundaries must be evaluated together.
What should the first technical control be?
First, map which data the system can access, which actions it can take, and under which identity those actions run. Without this map, testing rarely goes beyond a handful of prompt attempts.
When is professional support needed?
A professional security review is needed if the AI application touches customer data, internal documents, production APIs, or agent flows that take automated actions. At that point the risk is no longer the model's answer, but internal authorization and data boundaries.