hacnho commited on
Commit
c5c6f74
·
verified ·
1 Parent(s): cfce766

Upload README.md with huggingface_hub

Browse files
Files changed (1) hide show
  1. README.md +11 -0
README.md ADDED
@@ -0,0 +1,11 @@
 
 
 
 
 
 
 
 
 
 
 
 
1
+ ---
2
+ license: mit
3
+ tags: [security-research, picklescan-bypass, modelscan-bypass, poc]
4
+ ---
5
+ # PoC: pickle scanner bypass (picklescan + modelscan) — `pathlib.Path.write_bytes` + `sqlite3` load_extension
6
+
7
+ Security-research artifact for a huntr Model File Vulnerability disclosure. `malicious.pkl` is a self-contained
8
+ pickle that **both `picklescan` 1.0.4 and `modelscan` 0.8.8 report as CLEAN** yet executes native code on
9
+ `pickle.load`: `pathlib.Path.write_bytes` writes an embedded SQLite extension to `/tmp`, then `sqlite3`
10
+ `load_extension` loads it. The payload is BENIGN — it only writes a marker file (`/tmp/oneshot_marker`) to
11
+ demonstrate code execution. Do not load untrusted pickles.