---
license: mit
tags:
- security-research
- modelscan-bypass
---

# modelscan-bypass-importlib-socket

## Security Research — Modelscan Bypass PoC

**Severity**: HIGH

**Module**: `importlib + operator.methodcaller → socket`

**Description**: Network info leak via `importlib.import_module("socket")` + `operator.methodcaller`

**Impact**: Bypasses the `socket.*` blocklist. Can create sockets, connect to external hosts, exfiltrate data.
## Modelscan Result

```
$ modelscan scan -p pytorch_model.bin
No issues found! ✅ (FALSE NEGATIVE)
```

**Tested against**: modelscan 0.8.8 (latest)
## How It Works

The pickle file references `importlib.import_module` and `operator.methodcaller` rather than `socket.*` directly, and neither of those globals is in modelscan's `unsafe_globals` blocklist, so the scan reports nothing. When the file is loaded via `torch.load()` or `pickle.loads()`, the unpickler resolves those globals and executes the payload.
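A name-based blocklist is only one layer; a cheap second layer is to walk the pickle opcode stream yourself and flag both the indirection primitives this PoC relies on (`importlib.import_module`, `operator.methodcaller`) and any global outside an allowlist of modules a weight file is expected to reference. The scanner below is an added example and is not part of this PoC, of modelscan, or of ProtectAI's code. Its denylist and allowlist are constructed for illustration, the sample byte strings it checks are constructed reference-only streams (a global lookup followed by STOP, never loaded), and `scan_file` assumes torch's zip container stores its pickles as `*.pkl` members.

```python
from __future__ import annotations

import collections
import pickle
import pickletools
import zipfile
from typing import Iterator

# Globals that let a pickle reach callables it never names directly.
# The page's bypass chains the first two; the rest are comparable
# indirection helpers (constructed denylist, not modelscan's own list).
INDIRECTION_GLOBALS = {
    ("importlib", "import_module"),
    ("importlib", "__import__"),
    ("operator", "methodcaller"),
    ("operator", "attrgetter"),
    ("operator", "itemgetter"),
    ("builtins", "getattr"),
    ("builtins", "__import__"),
    ("builtins", "eval"),
    ("builtins", "exec"),
}

# Module prefixes a PyTorch weight file is expected to reference
# (assumption: tune this allowlist to the formats you actually load).
ALLOWED_MODULE_PREFIXES = ("torch", "collections", "numpy", "_codecs")


def iter_globals(data: bytes) -> Iterator[tuple[str, str, int]]:
    """Yield (module, name, offset) for every global the pickle resolves.

    GLOBAL/INST carry "module name" inline. STACK_GLOBAL (protocol 4+)
    takes module and name from the two most recent string pushes; strings
    fetched back from the memo (BINGET) are not tracked, so an unresolved
    STACK_GLOBAL is reported as its own finding rather than ignored.
    """
    strings: list[str] = []
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            yield module, name, pos
        elif opcode.name == "STACK_GLOBAL":
            if len(strings) < 2:
                yield "<unresolved>", "<unresolved>", pos
            else:
                yield strings[-2], strings[-1], pos
        elif "UNICODE" in opcode.name or "STRING" in opcode.name:
            strings.append(arg)


def _allowed(module: str) -> bool:
    return any(module == p or module.startswith(p + ".") for p in ALLOWED_MODULE_PREFIXES)


def scan_pickle(data: bytes) -> list[dict]:
    """Return findings for one pickle stream; an empty list means nothing was flagged."""
    findings = []
    for module, name, pos in iter_globals(data):
        dotted = f"{module}.{name}"
        if (module, name) in INDIRECTION_GLOBALS:
            findings.append({"severity": "HIGH", "offset": pos, "global": dotted,
                             "reason": "indirection primitive; resolves arbitrary callables at load time"})
        elif not _allowed(module):
            findings.append({"severity": "MEDIUM", "offset": pos, "global": dotted,
                             "reason": "global outside the expected module allowlist"})
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan a weight file: torch's zip container (every *.pkl member) or a bare pickle."""
    if zipfile.is_zipfile(path):
        findings = []
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    findings += [{**f, "member": member} for f in scan_pickle(zf.read(member))]
        return findings
    with open(path, "rb") as fh:
        return scan_pickle(fh.read())


# Constructed samples. The two "reference" streams contain only a global
# lookup followed by STOP (no REDUCE), so they call nothing and are never
# loaded here, only walked with pickletools.
BENIGN_DICT = pickle.dumps({"layer.weight": [0.1, 0.2]}, protocol=2)
BENIGN_ORDERED = pickle.dumps(collections.OrderedDict(bias=1), protocol=4)
REF_IMPORTLIB = b"cimportlib\nimport_module\n."                          # protocol 0 GLOBAL
REF_METHODCALLER = b"\x80\x04\x8c\x08operator\x8c\x0cmethodcaller\x93."  # protocol 4 STACK_GLOBAL

if __name__ == "__main__":
    for label, blob in [("benign dict", BENIGN_DICT), ("benign OrderedDict", BENIGN_ORDERED),
                        ("importlib reference", REF_IMPORTLIB), ("methodcaller reference", REF_METHODCALLER)]:
        print(f"{label}: {scan_pickle(blob)}")
```

The allowlist check is what closes the class of bypass rather than the single instance: a new indirection helper that is not yet on the denylist still surfaces as a MEDIUM finding because its module is not one a state_dict should ever need. Expect some tuning on real checkpoints (custom `nn.Module` pickles legitimately reference the project's own modules), and pair this with loading untrusted files only through a restricted `Unpickler.find_class` or a non-pickle format such as safetensors.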
## Responsible Disclosure

This PoC is part of responsible security research submitted via the Huntr MFV program to help ProtectAI improve modelscan's detection capabilities.