InternLM LMDeploy
cpe:2.3:a:internlm:lmdeploy:*:*:*:*:*:*:*
- <= 0.7.1
A critical deserialization vulnerability has been identified in InternLM LMDeploy versions through 0.7.1. The issue resides in the PT File Handler component, specifically within the load_weight_ckpt function in lmdeploy/lmdeploy/vl/model/utils.py. This vulnerability allows for arbitrary code execution by deserializing untrusted data from maliciously crafted .pt files. The flaw requires local exploitation, as the vulnerable function must be called with a harmful .pt file as an argument.
Exploitation of this vulnerability allows for arbitrary code execution on the system where LMDeploy is running. If a malicious .pt file is loaded using the vulnerable function, the embedded code will be executed, potentially leading to unauthorized access, data leakage, or a complete system compromise.
To reproduce this vulnerability, create a .pt file containing a custom class with a malicious __reduce__ method that executes arbitrary commands when the file is loaded. This can be done using a Python script that saves such an object with PyTorch's save function. Once the malicious file is created, it can be loaded using the load_weight_ckpt function, which will execute the embedded code.
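A defender-side check for the file format described above, as an added example that is not LMDeploy's code or part of the original advisory: it reads the pickle opcodes inside a .pt file and lists every global the file would import, without unpickling anything. The allowlist contents and the function names pickle_globals and disallowed_globals are assumptions made for this example; a real checkpoint may need more storage types on the list.

```python
import io
import pickletools
import zipfile

# Assumed allowlist: globals a plain tensor state_dict checkpoint imports.
ALLOWED = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
           "torch.FloatStorage", "torch.HalfStorage", "torch.BFloat16Storage"}
PUSH = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
GET = {"BINGET", "LONG_BINGET", "GET"}
PUT = {"BINPUT", "LONG_BINPUT", "PUT"}

def pickle_globals(stream) -> set:
    """Names one pickle would import, found by reading opcodes, never loading."""
    found, strings, memo = set(), [], {}
    try:
        for op, arg, _pos in pickletools.genops(stream):
            if op.name in PUSH or op.name in GET:
                strings.append(arg if op.name in PUSH else memo.get(arg))
            elif op.name == "MEMOIZE":
                memo[len(memo)] = strings[-1] if strings else None
            elif op.name in PUT:
                memo[arg] = strings[-1] if strings else None
            elif op.name != "FRAME":
                if op.name in ("GLOBAL", "INST"):
                    found.add(arg.replace(" ", ".", 1))
                elif op.name == "STACK_GLOBAL":
                    pair = strings[-2:]  # module and name pushed just before
                    ok = len(pair) == 2 and None not in pair
                    found.add(".".join(pair) if ok else "<unresolved>")
                strings.clear()  # any other opcode invalidates the operands
    except Exception:
        found.add("<unparseable>")  # fail closed on a malformed stream
    return found

def disallowed_globals(blob: bytes) -> list:
    """Scan a .pt file's bytes (zip or legacy raw pickle); [] means clean."""
    streams = [blob]
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    found = set() if streams else {"<no pickle member>"}
    for data in streams:
        bio = io.BytesIO(data)
        while bio.tell() < len(data) and "<unparseable>" not in found:
            found |= pickle_globals(bio)
    return sorted(found - ALLOWED)
```

A non-empty result is a reason to refuse the file before it reaches load_weight_ckpt or any other loader; the check fails closed, so unresolved or unparseable streams are reported rather than passed.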