---
license: mit
---
# ModelScan Pickle Blocklist Bypass PoCs

Proof-of-concept pickle files demonstrating multiple bypasses of ModelScan's `unsafe_globals` blocklist. All files pass `modelscan -p <file>` with "No issues found" while achieving dangerous capabilities (RCE, file access, network exfil). Each file reaches its capability through a standard-library callable that is not on the blocklist, which is why the scanner reports it clean.
## Key Findings

| File | Module | Impact | ModelScan |
|------|--------|--------|-----------|
| poc_ctypes_rce.pkl | ctypes.CDLL | Arbitrary command execution via libc.system() | CLEAN |
| poc_importlib_import.pkl | importlib.import_module | Imports any blocked module (defeats entire blocklist) | CLEAN |
| poc_io_file_read.pkl | _io.open | Arbitrary file read | CLEAN |
| poc_codecs_file_read.pkl | codecs.open | Arbitrary file read | CLEAN |
| poc_http_exfil.pkl | http.client.HTTPSConnection | Network data exfiltration | CLEAN |
| poc_urllib_exfil.pkl | urllib.request.urlopen | HTTP data exfiltration | CLEAN |
## Reproduce

```bash
pip install modelscan
modelscan -p pocs/poc_ctypes_rce.pkl   # "No issues found"
python3 -c "import pickle; r=pickle.loads(open('pocs/poc_ctypes_rce.pkl','rb').read()); r.system(b'id')"
```

Tested on ModelScan 0.8.7, Python 3.12, Ubuntu 24.04.
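Added here as a defensive counterpart, not code from this repository or from ModelScan: since every PoC above works by referencing a callable the blocklist does not name, the complementary check is an allowlist of the `(module, name)` pairs a model file is permitted to reference. The script below (its `referenced_globals` and `scan` functions, and the fixtures, are this example's own assumptions) extracts those pairs from the pickle opcode stream with `pickletools.genops` without ever unpickling, and fails closed when a `STACK_GLOBAL` is not fed by two literal strings.

```python
import codecs
import collections
import pickle
import pickletools

# Opcodes that push a string literal, and opcodes that leave the stack as-is.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
STACK_NEUTRAL_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data):
    """Collect every (module, name) the stream imports via GLOBAL, INST or
    STACK_GLOBAL without unpickling. Raises ValueError when a STACK_GLOBAL
    is not fed by two literal strings, so odd encodings fail closed."""
    found = set()
    recent = []  # the last two string literals pushed, oldest first
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.add((module, name))
            recent = []
        elif op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
        elif op.name == "STACK_GLOBAL":
            if len(recent) != 2:
                raise ValueError("STACK_GLOBAL operands are not literal strings")
            found.add((recent[0], recent[1]))
            recent = []
        elif op.name not in STACK_NEUTRAL_OPS:
            recent = []  # any other opcode changes the stack; stop trusting
    return found


def scan(data, allowlist):
    """Return findings; an empty list means every import is on the allowlist."""
    try:
        imports = referenced_globals(data)
    except ValueError as exc:
        return ["unresolvable import: %s" % exc]
    return ["import not on allowlist: %s.%s" % (m, n)
            for m, n in sorted(imports) if (m, n) not in allowlist]


# Constructed fixtures: an allowlist for a model that only needs OrderedDict,
# a benign pickle, and two pickles that merely reference codecs.open (no call).
ALLOWLIST = {("collections", "OrderedDict")}
BENIGN = pickle.dumps(collections.OrderedDict(weight=1), protocol=4)
STDLIB_REF = pickle.dumps(codecs.open, protocol=4)   # STACK_GLOBAL form
LEGACY_REF = pickle.dumps(codecs.open, protocol=0)   # GLOBAL form
```

The fixture allowlist is deliberately minimal; a real one has to be derived from the framework that produced the checkpoint.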