Upload README.md with huggingface_hub
README.md
ADDED
|
@@ -0,0 +1,23 @@
| 1 |
+
# Pickle Scanner Bypass PoC
|
| 2 |
+
|
| 3 |
+
## Vulnerability
|
| 4 |
+
Malicious `.pkl` file achieves Arbitrary Code Execution via `pickle.load()`,
|
| 5 |
+
while bypassing both picklescan 1.0.4 and modelscan 0.8.8.
|
| 6 |
+
|
| 7 |
+
## Technique
|
| 8 |
+
Uses `marshal.loads` + `types.FunctionType` + `importlib.import_module` chain.
|
| 9 |
+
All three globals are Suspicious (not Dangerous) in picklescan,
|
| 10 |
+
and absent from modelscan unsafe_globals.
|
| 11 |
+
|
| 12 |
+
## Scanner Results
|
| 13 |
+
- picklescan 1.0.4: 0 dangerous globals
|
| 14 |
+
- modelscan 0.8.8: No issues found
|
| 15 |
+
|
| 16 |
+
## Reproduction
|
| 17 |
+
```python
|
| 18 |
+
import pickle
|
| 19 |
+
with open('malicious_model.pkl', 'rb') as f:
|
| 20 |
+
pickle.load(f) # ACE
|
| 21 |
+
```
|
| 22 |
+
|
| 23 |
+
Versions: picklescan 1.0.4, modelscan 0.8.8, Python 3.12
|
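Review bot: the README states the affected scanner versions but gives no disclosure status and no mitigation, which is what a reader triaging this needs first; suggest a Disclosure section (whether the picklescan 1.0.4 and modelscan 0.8.8 maintainers were notified, and whether a later release treats `marshal.loads`, `types.FunctionType` and `importlib.import_module` as Dangerous or adds them to unsafe_globals) and a Mitigation section stating that a clean scan result is not a trust decision and that `.pkl` files from untrusted sources should not be passed to `pickle.load()` at all (load only a hash-verified artifact from a trusted publisher, or a non-executable weight format). Two smaller points in the Reproduction block: `pickle.load(f) # ACE` is not indented under the `with` statement as rendered, so the snippet fails with IndentationError, and `malicious_model.pkl` is referenced without a SHA-256 or any description, so a reader cannot confirm they are testing the same artifact the Scanner Results section reports on.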