---
tags:
- security-research
- proof-of-concept
license: mit
---
# modelscan Bypass PoC: _bootsubprocess.Popen RCE
**Security research only. Do not use maliciously.**
This model file demonstrates a bypass of protectai/modelscan v0.7.6.
## Vulnerability
modelscan blocks `subprocess` but does NOT block `_bootsubprocess`, a CPython internal module that provides the same `Popen` functionality.
## Verification
```bash
# Scan - reports no issues
modelscan scan -p model.pkl
# But executes arbitrary commands on load
python3 -c "import pickle; pickle.load(open('model.pkl','rb'))"
```
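As an added defensive example (not part of the original PoC), the opcode-level check below statically walks a pickle with `pickletools.genops` and flags any `GLOBAL` / `STACK_GLOBAL` reference into a process-spawning module, treating the CPython-internal `_bootsubprocess` alias the same as `subprocess`. The `BLOCKED_MODULES` set and the sample pickles are constructed for this example; nothing is unpickled, so a flagged file is never executed.

```python
"""Static pickle scan for references to process-spawning modules, including
the _bootsubprocess alias that the PoC above shows modelscan v0.7.6 misses."""
import io
import pickle
import pickletools
import subprocess

# Constructed block-list: modules a model pickle has no legitimate reason to
# import. _bootsubprocess is CPython's minimal bootstrap copy of subprocess.
BLOCKED_MODULES = {"subprocess", "_bootsubprocess", "os", "posix", "nt", "builtins"}

# Opcodes that push a str which STACK_GLOBAL (protocol 4+) later consumes.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def find_unsafe_globals(data: bytes) -> list[str]:
    """Return 'module.name' for every global the pickle resolves from a
    blocked module. Pure opcode inspection: no import, no execution.
    Heuristic: STACK_GLOBAL operands are taken as the last two pushed
    strings, which matches what pickle.dumps emits (memo-based GET tricks
    are not resolved here)."""
    findings = []
    pushed = []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":                 # protocol 0-3: "module name"
            module, _, name = arg.partition(" ")
        elif op.name == "STACK_GLOBAL":         # protocol 4+: two str operands
            if len(pushed) < 2:
                continue
            module, name = pushed[-2], pushed[-1]
        elif op.name in STRING_OPS:
            pushed.append(arg)
            continue
        else:
            continue
        if module in BLOCKED_MODULES:
            findings.append(f"{module}.{name}")
    return findings


# Constructed samples: a benign weights-like dict, a protocol-0 pickle that
# only references _bootsubprocess.Popen (no REDUCE, so nothing is spawned
# even if loaded), and a protocol-4 pickle of the real subprocess.Popen class.
BENIGN = pickle.dumps({"layer.weight": [0.1, 0.2]})
BOOTSUBPROCESS_REF = b"c_bootsubprocess\nPopen\n."
SUBPROCESS_REF = pickle.dumps(subprocess.Popen, protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("_bootsubprocess", BOOTSUBPROCESS_REF),
                        ("subprocess", SUBPROCESS_REF)]:
        print(label, "->", find_unsafe_globals(blob) or "clean")
```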