# ModelScan Pickle Blocklist Bypass PoCs

License: MIT

Proof-of-concept pickle files demonstrating multiple bypasses of ModelScan's `unsafe_globals` blocklist. All files pass `modelscan -p <file>` with "No issues found" while achieving dangerous capabilities (RCE, file access, network exfiltration).
## Key Findings

| File | Module / global used | Impact | ModelScan result |
|---|---|---|---|
| `poc_ctypes_rce.pkl` | `ctypes.CDLL` | Arbitrary command execution via `libc.system()` | CLEAN |
| `poc_importlib_import.pkl` | `importlib.import_module` | Imports any blocked module (defeats the entire blocklist) | CLEAN |
| `poc_io_file_read.pkl` | `_io.open` | Arbitrary file read | CLEAN |
| `poc_codecs_file_read.pkl` | `codecs.open` | Arbitrary file read | CLEAN |
| `poc_http_exfil.pkl` | `http.client.HTTPSConnection` | Network data exfiltration | CLEAN |
| `poc_urllib_exfil.pkl` | `urllib.request.urlopen` | HTTP data exfiltration | CLEAN |
## Reproduce

```sh
pip install modelscan
modelscan -p pocs/poc_ctypes_rce.pkl   # "No issues found"
python3 -c "import pickle; r=pickle.loads(open('pocs/poc_ctypes_rce.pkl','rb').read()); r.system(b'id')"
```
Tested on ModelScan 0.8.7, Python 3.12, Ubuntu 24.04.
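The findings above all share one root cause: a blocklist of known-bad globals can only catch the modules someone thought to list. The defensive counterpart is a default-deny allowlist, applied both when scanning a file statically and when actually loading it. The following is an added example written for this README; it is not part of this repository's PoCs and not ModelScan's code. `ALLOWED_GLOBALS` is a hypothetical allowlist for a toy model format (a real loader would add its framework's own rebuild helpers), and the sample pickles are constructed inline: they only *reference* globals named in the table, with no call encoded, so inspecting or loading them runs nothing.

```python
"""Default-deny pickle scan plus a restricted unpickler (added example)."""
import importlib
import io
import pickle
import pickletools
from collections import OrderedDict

# Hypothetical allowlist: the only globals this loader will resolve.
# Anything not listed is reported, so ctypes, importlib, _io, codecs,
# http.client, urllib.request, ... are caught without being enumerated.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that push a string. STACK_GLOBAL (protocol 4+) takes its module and
# name from the two most recent of these.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the stream would import, without running it."""
    found: list[tuple[str, str]] = []
    strings: list[str] = []  # string pushes seen so far, most recent last
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in _STRING_OPS:
            strings.append(arg)
        elif opcode.name == "GLOBAL":        # protocols 0-3: genops renders "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":  # protocol 4+: name on top, module below it
            if len(strings) < 2:
                raise pickle.UnpicklingError("STACK_GLOBAL without two string operands")
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
    return found


def scan(data: bytes, allowed=ALLOWED_GLOBALS) -> list[tuple[str, str]]:
    """Globals outside the allowlist; an empty list means the stream is clean."""
    return [g for g in referenced_globals(data) if g not in allowed]


class RestrictedUnpickler(pickle.Unpickler):
    """Loader-side enforcement of the same allowlist. find_class is the hook
    pickle calls for both GLOBAL and STACK_GLOBAL, so the check covers all
    protocols."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# --- constructed samples (not the repository's PoC files) -------------------
SAMPLE_BENIGN = pickle.dumps({"weights": [1.0, 2.0], "layers": 3}, protocol=4)
SAMPLE_ALLOWED = pickle.dumps(OrderedDict(a=1), protocol=4)  # needs collections.OrderedDict
# Protocol-0 GLOBAL opcode ('c') naming ctypes.CDLL, then STOP: a bare reference.
SAMPLE_FLAGGED_PROTO0 = b"cctypes\nCDLL\n."
# Protocol-4 STACK_GLOBAL naming importlib.import_module, emitted by pickle itself.
SAMPLE_FLAGGED_PROTO4 = pickle.dumps(importlib.import_module, protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("ordereddict", SAMPLE_ALLOWED),
                        ("ctypes", SAMPLE_FLAGGED_PROTO0), ("importlib", SAMPLE_FLAGGED_PROTO4)]:
        print(f"{label:12s} globals={referenced_globals(blob)} flagged={scan(blob)} "
              f"rejected={is_rejected(blob)}")
```

`scan()` is the static side (what a file scanner should do: report anything not explicitly trusted) and `RestrictedUnpickler` is the runtime side; the two use the same allowlist so a file that passes the scan is also the only kind the loader will accept. The string-tracking for `STACK_GLOBAL` is a heuristic that matches how CPython emits the opcode (module string, name string, then `STACK_GLOBAL`, with only `MEMOIZE` in between); a scanner that wants to be exact would run a full opcode-stack emulation instead.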