Add README with bypass details
f578d70 verified
metadata
license: mit
tags:
  - security-research
  - modelscan-bypass

Modelscan Bypass: code.InteractiveInterpreter + operator.methodcaller

Summary

This model file bypasses the ProtectAI modelscan 0.7.6 scanner (latest release) while achieving arbitrary code execution via the InteractiveInterpreter class from Python's code module, combined with operator.methodcaller.

Bypass Chain

  1. code.InteractiveInterpreter() — creates a Python interactive interpreter instance
  2. operator.methodcaller("runsource", PAYLOAD) — creates a callable that invokes .runsource() with arbitrary Python code
  3. Chain executes: interp.runsource(payload) → arbitrary code execution

Why It Works

  • code module is NOT in modelscan's unsafe_globals blocklist
  • operator.methodcaller is NOT blocked (only operator.attrgetter is blocked)
  • InteractiveInterpreter.runsource() calls compile() then exec() internally
  • modelscan only checks module+function pairs against its blocklist
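One way a defender could cover the gap described above, as an added example that is not modelscan's code: walk a pickle's opcode stream with pickletools, without ever unpickling it, and flag the code.InteractiveInterpreter and operator.methodcaller imports this README names. The extra blocklist contents and the sample pickles are constructed assumptions, not taken from modelscan or from the model file.

```python
import io
import operator
import pickle
import pickletools

# Added example, not modelscan's code. These are the (module, name) pairs
# this README identifies as absent from modelscan 0.7.6's unsafe_globals
# blocklist; which pairs to flag is a policy choice, assumed here.
EXTRA_UNSAFE_GLOBALS = {
    ("code", "InteractiveInterpreter"),
    ("operator", "methodcaller"),
}

# Opcodes that push a string; their arguments can feed STACK_GLOBAL.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Every (module, name) a pickle imports, found by walking opcodes with
    pickletools.genops, so nothing is ever unpickled.
    GLOBAL carries module and name inline (protocols 0-3); STACK_GLOBAL
    (protocol 4+) takes them from the two preceding string pushes. Strings
    recalled from the memo via BINGET are not tracked here.
    """
    found: set[tuple[str, str]] = set()
    recent: list[str] = []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # genops renders "module name"
            found.add((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.add((recent[-2], recent[-1]))
        elif op.name in _STRING_OPS:
            recent.append(arg)
    return found


def flag_pickle(data: bytes) -> set[tuple[str, str]]:
    """Imports in the pickle that hit the extra blocklist."""
    return referenced_globals(data) & EXTRA_UNSAFE_GLOBALS

# Constructed samples, never passed to pickle.load(). BENIGN imports nothing.
# SUSPECT_P0 is a protocol-0 pickle that only imports the two classes and
# returns them in a tuple (no REDUCE, nothing is called); SUSPECT_P4 is the
# same kind of reference via STACK_GLOBAL.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3]}, protocol=4)
SUSPECT_P0 = b"(ccode\nInteractiveInterpreter\ncoperator\nmethodcaller\nt."
SUSPECT_P4 = pickle.dumps(operator.methodcaller, protocol=4)
```

Running `flag_pickle` over a model file before loading it returns the offending pairs as a set; an empty set means none of the listed globals is referenced, not that the file is safe.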

Modelscan Result

Impact

Full arbitrary code execution on model load via pickle.load() or torch.load().

Affected

modelscan 0.7.6 (latest on PyPI as of 2026-04-10)

Responsible Disclosure

Submitted to Huntr for ProtectAI review.