---
license: mit
tags:
- security-research
- modelscan-bypass
- pickle-safety
---
# modelscan-bypass-code-interpreter

## Modelscan Bypass PoC: code.InteractiveInterpreter

**Severity**: CRITICAL

**Impact**: Full RCE via exec(): `code.InteractiveInterpreter.runsource()` calls `exec()` on arbitrary Python code

**modelscan version**: 0.7.6 (latest on PyPI)

**Result**: "No issues found!" → false negative

### Chain

`code.InteractiveInterpreter()` → `operator.methodcaller("runsource", malicious_code)` → `exec(malicious_code)`
### Why It Works

`code.InteractiveInterpreter` is NOT in modelscan's `unsafe_globals` blocklist.
Neither the `code` module nor `operator.methodcaller` is blocked, so a pickle that imports these names and invokes them via `REDUCE` passes the scan even though unpickling it runs attacker-controlled source.
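As an added defender-side example (not part of this PoC and not modelscan's own code): an opcode-level scanner that lists every global a pickle would import, without ever unpickling it, and flags the two names identified above. It handles both the inline `GLOBAL` opcode (protocol 0-3) and the stack-based `STACK_GLOBAL` (protocol 4+, including memo-reused strings); the blocklist entries beyond the two pairs named on this page, and the sample inputs, are constructed assumptions.

```python
import io
import operator
import pickle
import pickletools
import code  # only used to build the benign class-reference samples below

# Constructed blocklist: the two pairs this page names, plus a few assumed extras.
FLAGGED_GLOBALS = {
    ("code", "InteractiveInterpreter"), ("code", "InteractiveConsole"),
    ("operator", "methodcaller"), ("operator", "attrgetter"),
    ("builtins", "exec"), ("builtins", "eval"), ("os", "system"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list:
    """Return every (module, name) pair the stream would import; never unpickles."""
    found, stack, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":  # protocol 0-3: "module name" carried inline
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module, name pushed first
            name = stack.pop() if stack else "?"
            module = stack.pop() if stack else "?"
            found.append((module, name))
        elif op.name in STRING_OPS:
            stack.append(arg)
        elif op.name == "MEMOIZE":  # memo index is the current memo size
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):  # memo-reused module/name
            stack.append(memo.get(arg) or "?")
        last = arg if op.name in STRING_OPS else None  # only strings are modelled
    return found

def scan_pickle(data: bytes) -> list:
    """Flagged (module, name) pairs; an empty list means no blocklisted import."""
    return [g for g in referenced_globals(data) if g in FLAGGED_GLOBALS]

def constructed_samples() -> dict:
    """Constructed inputs: a benign dict and bare class references (no call chain)."""
    return {
        "benign": pickle.dumps({"weights": [1, 2, 3]}, protocol=4),
        "interp_p0": pickle.dumps(code.InteractiveInterpreter, protocol=0),
        "interp_p4": pickle.dumps(code.InteractiveInterpreter, protocol=4),
        "methodcaller_p4": pickle.dumps(operator.methodcaller, protocol=4),
    }
```

A blocklist is only as good as its coverage; treating any unexpected `GLOBAL`/`STACK_GLOBAL` as a finding (allowlist mode) is the more robust policy for model files that should only contain tensors.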
### Reproduction

```bash
pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"
python3 -c "import pickle; pickle.loads(open('bypass_poc.pkl','rb').read())"
# Executes arbitrary code
```
### Responsible Disclosure

This PoC is part of a responsible disclosure to ProtectAI via the Huntr MFV program.