---
license: mit
tags:
- security-research
- proof-of-concept
---

# ModelScan Bypass PoC: operator.methodcaller + importlib.import_module

**⚠️ SECURITY RESEARCH ONLY — This repository contains a proof-of-concept for a modelscan scanner bypass.**

## Vulnerability

modelscan v0.8.8 fails to detect malicious pickle payloads that use:

- `importlib.import_module()` to dynamically load blocked modules
- `operator.methodcaller()` to invoke methods on the imported modules

Neither reference is on the scanner's blocklist, so both pass the check and the file scans clean (**0 issues reported**) while the payload still achieves arbitrary command execution.
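As an added example (not code from this repository), the following opcode-level checker shows how a scanner can flag the two indirection globals this bypass relies on, plus a few related ones, without ever unpickling the stream. The blocklist and the sample pickles are constructed for this example; the samples only pickle the callables themselves, so loading them is harmless.

```python
import importlib
import operator
import pickle
import pickletools

# Globals that do not run commands themselves but let a pickle reach blocked
# modules indirectly. Constructed list for this example, not modelscan's rules.
INDIRECTION_GLOBALS = {
    ("importlib", "import_module"),
    ("operator", "methodcaller"),
    ("operator", "attrgetter"),
    ("builtins", "getattr"),
    ("builtins", "__import__"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data: bytes):
    """Yield (module, name) for every GLOBAL / STACK_GLOBAL opcode.

    Works on the opcode stream only, so nothing is unpickled. For STACK_GLOBAL
    (protocol 4+) the pair is the two most recently pushed strings, which is
    what the stdlib pickler emits."""
    recent = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            mod, name = arg.split(" ", 1)
            yield mod, name
        elif op.name in STRING_OPS:
            recent.append(arg)
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            yield recent[-2], recent[-1]


def scan_pickle(data: bytes) -> list:
    """Return 'module.name' for each indirection global found in the stream."""
    return [f"{m}.{n}" for m, n in find_globals(data) if (m, n) in INDIRECTION_GLOBALS]


# Constructed samples: pickling the callables emits the global reference (and
# for methodcaller a harmless REDUCE that rebuilds methodcaller("upper")).
BENIGN = pickle.dumps({"weights": [0.1, 0.2]})
VIA_IMPORTLIB = pickle.dumps(importlib.import_module, protocol=2)   # GLOBAL opcode
VIA_METHODCALLER = pickle.dumps(operator.methodcaller("upper"))      # STACK_GLOBAL opcode

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("importlib", VIA_IMPORTLIB),
                        ("methodcaller", VIA_METHODCALLER)]:
        print(label, scan_pickle(blob) or "clean")
```

On the loading side, `torch.load(..., weights_only=True)` refuses pickles that reference globals outside its allowlist, so the scanner is not the only control.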
## Files

- `create_poc.py` — Script to generate the malicious model files
- `pytorch_model.bin` — PyTorch-format PoC (passes modelscan, executes with `torch.load`)

## Reproduction

```bash
# Install modelscan
pip install modelscan

# Scan the model file — reports "No issues found"
modelscan scan -p pytorch_model.bin

# Load with torch — executes an arbitrary command
python3 -c "import torch; torch.load('pytorch_model.bin', weights_only=False)"
```

## Disclosure

Submitted to ProtectAI via the Huntr responsible disclosure program.