Upload README.md with huggingface_hub
README.md
ADDED
@@ -0,0 +1,30 @@
| 1 |
+
# Joblib Scanner Bypass PoC
|
| 2 |
+
|
| 3 |
+
## Vulnerability
|
| 4 |
+
Malicious `.joblib` file achieves **Arbitrary Code Execution** when loaded via `joblib.load()`,
|
| 5 |
+
while **bypassing both picklescan 1.0.4 and modelscan 0.8.8**.
|
| 6 |
+
|
| 7 |
+
## Technique
|
| 8 |
+
Uses `marshal.loads` + `types.FunctionType` + `importlib.import_module` chain.
|
| 9 |
+
All three globals are classified as Suspicious (not Dangerous) by picklescan,
|
| 10 |
+
and are NOT present in modelscan unsafe_globals configuration.
|
| 11 |
+
|
| 12 |
+
## Scanners Bypassed
|
| 13 |
+
- **picklescan 1.0.4**: 0 dangerous globals detected
|
| 14 |
+
- **modelscan 0.8.8**: No issues found
|
| 15 |
+
|
| 16 |
+
## Reproduction
|
| 17 |
+
```python
|
| 18 |
+
import joblib
|
| 19 |
+
# WARNING: This executes arbitrary code!
|
| 20 |
+
joblib.load('malicious_model.joblib')
|
| 21 |
+
```
|
| 22 |
+
|
| 23 |
+
## Impact
|
| 24 |
+
Any application using `joblib.load()` on untrusted files is vulnerable to ACE,
|
| 25 |
+
even when scanning with picklescan and modelscan.
|
| 26 |
+
|
| 27 |
+
## Globals Used (all bypass detection)
|
| 28 |
+
1. `marshal.loads` - Deserializes bytecode (picklescan: Suspicious, modelscan: not flagged)
|
| 29 |
+
2. `types.FunctionType` - Creates executable function (picklescan: Suspicious, modelscan: not flagged)
|
| 30 |
+
3. `importlib.import_module` - Provides builtins for function context (not flagged by either)
|
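Review bot: the README contradicts itself on picklescan's handling of `importlib.import_module`: line 9 of the added file says "All three globals are classified as Suspicious (not Dangerous) by picklescan", while line 30 says `importlib.import_module` is "not flagged by either". Only one of these can be true for picklescan 1.0.4; please state the actual classification (and ideally paste the scanner output) so the "0 dangerous globals detected" claim on line 13 can be checked. Two further gaps in the same hunk: the Reproduction block (lines 17-21) loads `malicious_model.joblib`, but this commit adds only README.md, so the PoC is not reproducible from the repository as it stands; add the generator script or the artifact, or say where it lives. The Scanners Bypassed section (lines 13-14) also gives no invocation, so it is unclear whether picklescan and modelscan were run on the `.joblib` file directly or on the pickle stream inside it, and which flags were used; the exact commands and versions belong next to the claimed results.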