Upload README.md with huggingface_hub
Browse files
README.md
ADDED
|
@@ -0,0 +1,11 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
---
|
| 2 |
+
license: mit
|
| 3 |
+
tags: [security-research, picklescan-bypass, modelscan-bypass, poc]
|
| 4 |
+
---
|
| 5 |
+
# PoC: pickle scanner bypass (picklescan + modelscan) — `pathlib.Path.write_bytes` + `sqlite3` load_extension
|
| 6 |
+
|
| 7 |
+
Security-research artifact for a huntr Model File Vulnerability disclosure. `malicious.pkl` is a self-contained
|
| 8 |
+
pickle that **both `picklescan` 1.0.4 and `modelscan` 0.8.8 report as CLEAN** yet executes native code on
|
| 9 |
+
`pickle.load`: `pathlib.Path.write_bytes` writes an embedded SQLite extension to `/tmp`, then `sqlite3`
|
| 10 |
+
`load_extension` loads it. The payload is BENIGN — it only writes a marker file (`/tmp/oneshot_marker`) to
|
| 11 |
+
demonstrate code execution. Do not load untrusted pickles.
|