| license: mit | |
| tags: [security-research, picklescan-bypass, modelscan-bypass, poc] | |
| # PoC: pickle scanner bypass (picklescan + modelscan) — `pathlib.Path.write_bytes` + `sqlite3` load_extension | |
| Security-research artifact for a huntr Model File Vulnerability disclosure. `malicious.pkl` is a self-contained | |
| pickle that **both `picklescan` 1.0.4 and `modelscan` 0.8.8 report as CLEAN** yet executes native code on | |
| `pickle.load`: `pathlib.Path.write_bytes` writes an embedded SQLite extension to `/tmp`, then `sqlite3` | |
| `load_extension` loads it. The payload is BENIGN — it only writes a marker file (`/tmp/oneshot_marker`) to | |
| demonstrate code execution. Do not load untrusted pickles. | |