ModelScope Ms-Swift Arbitrary Code Execution Vulnerability in ModelFileSystemCache
Vulnerability
A remote code execution vulnerability has been identified in the ModelScope ms-swift library, affecting versions through 2.6.1. The issue arises from the deserialization of untrusted data in the 'load_model_meta()' function of the 'ModelFileSystemCache()' class. Attackers can exploit this vulnerability by crafting a malicious serialized '.mdl' payload, which, when loaded, executes arbitrary code on the victim's machine. The exploitation occurs without disrupting the normal training process, making it difficult for users to detect the unauthorized code execution.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the affected machine.
Reproduction
To reproduce this vulnerability, first create a malicious '.mdl' file using a Python script that exploits the deserialization process. This file should be crafted to include code that, when executed, performs a noticeable action, such as creating a directory. Once the malicious '.mdl' file is prepared, replace the original file in the model directory with the crafted one. When the 'model_id_or_path' parameter is used to reference the local model directory during training, the malicious code will be executed, leading to remote code execution. Importantly, this exploitation occurs stealthily, without interrupting the training workflow.
Remediation
Users are advised to update to version 2.6.2 or later, where this vulnerability has been addressed.
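The root cause described above is that the model-meta file is deserialized with a format that can invoke callables during loading. The following is an added example, not code from ms-swift or ModelScope, showing how a defender can triage '.mdl' meta files and how a loader can be hardened: a static scan with pickletools that lists opcodes capable of resolving globals or calling constructors, and a restricted unpickler that refuses every global lookup not on an explicit allowlist. It assumes the serialized format is Python pickle (the advisory says only "serialized" and "deserialization"), and the allowlist, the sample byte strings and the function names are constructed for this example.

```python
import datetime
import importlib
import io
import pickle
import pickletools

# Opcodes that resolve an importable name or call a callable while unpickling.
# Any of them in a model-meta file means loading it can run attacker-chosen code.
CODE_EXEC_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD",
})


def scan_pickle_bytes(data: bytes) -> list:
    """Statically list dangerous opcodes as 'NAME@offset' without executing the stream."""
    hits = []
    for opcode, _arg, pos in pickletools.genops(io.BytesIO(data)):
        if opcode.name in CODE_EXEC_OPCODES:
            hits.append(f"{opcode.name}@{pos}")
    return hits


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects every global lookup except an explicit allowlist.

    The allowlist below is an assumption for this example: a plain meta file made of
    dicts, lists, strings and numbers never calls find_class at all.
    """

    ALLOWED = frozenset({("builtins", "set"), ("collections", "OrderedDict")})

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted meta file"
        )


def load_model_meta_restricted(data: bytes):
    """Replacement for a bare pickle.load(): same result for benign data, error otherwise."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def audit_meta_bytes(data: bytes) -> dict:
    """Static scan first, then a restricted load; a plain pickle.load() is never called."""
    report = {"flagged_opcodes": scan_pickle_bytes(data), "loaded": None, "error": None}
    try:
        report["loaded"] = load_model_meta_restricted(data)
    except pickle.UnpicklingError as exc:
        report["error"] = str(exc)
    return report


def audit_meta_file(path: str) -> dict:
    """Audit an on-disk '.mdl' file before any code path deserializes it."""
    with open(path, "rb") as fh:
        return audit_meta_bytes(fh.read())


# Constructed samples for this example (not real ms-swift meta files).
BENIGN_META_BYTES = pickle.dumps({"revision": "v1.0", "files": ["config.json"]})
# A pickle that calls a constructor on load. datetime.date is harmless, but it goes
# through the same GLOBAL/REDUCE path that a file carrying arbitrary code would use,
# so it is what a scanner and a restricted loader must flag.
CALLABLE_META_BYTES = pickle.dumps(datetime.date(2024, 1, 1))


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_META_BYTES), ("callable", CALLABLE_META_BYTES)):
        print(label, audit_meta_bytes(blob))
```

In a deployment the static scan is the cheap first gate (it can run in CI or on a file share before a training job starts), and the restricted loader is the fallback that keeps a missed file from executing anything. Both are independent of the fix shipped in 2.6.2; they reduce exposure while the upgrade is rolled out and catch meta files that were tampered with before it.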
