hacnho's picture
Add scanner bypass PoC bundle
97637e3 verified
|
Raw
History Blame Contribute Delete
1.24 kB
# Pickle scanner bypass via Tensorizer TensorSerializer.write_tensor writes attacker-controlled tensorizer files while scanners report clean
This repository contains a malicious pickle that bypasses both `picklescan==1.0.4` and `modelscan==0.8.8`, then writes an attacker-controlled model artifact during normal `pickle.load()`.
The pickle uses raw `STACK_GLOBAL` opcodes for:
```text
tensorizer.serialization TensorSerializer.write_tensor
```
It does not use `builtins.getattr`, `os`, `subprocess`, `eval`, or any global currently blocked by picklescan 1.0.4.
## Reproduce
```bash
python3 -m venv /tmp/tensorizer-write-tensor-scanner-bypass-venv
/tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python -m pip install --upgrade pip
/tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python -m pip install -r requirements.txt
/tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python reproduce_tensorizer_write_tensor_scanner_bypass.py
```
Expected output includes:
```text
Infected files: 0
Dangerous globals: 0
No issues found!
REPRO_OK=True
```
Marker path(s):
```text
/tmp/mfv_tensorizer_write_tensor_scanner_bypass_20260624.tensors
```
Marker text:
```text
MFV_TENSORIZER_WRITE_TENSOR_SCANNER_BYPASS_20260624
```