| library_name: pytorch | |
| tags: | |
| - security-research | |
| - modelscan-bypass | |
| license: mit | |
| # ModelScan Bypass PoC — _posixsubprocess.fork_exec | |
| **Security research for responsible disclosure via Huntr MFV program.** | |
| ## Vulnerability | |
| `_posixsubprocess.fork_exec` is not in modelscan's `unsafe_globals` blocklist. | |
| When a pickle file containing this global is scanned by modelscan, it reports "No issues found." | |
| However, loading the file with `pickle.loads()` / `torch.load()` triggers DIRECT fork() + exec() syscall — spawns arbitrary process. subprocess module is blocked but its C implementation _posixsubprocess is NOT.. | |
| ## Impact | |
| - **Severity**: CRITICAL | |
| - **Effect**: DIRECT fork() + exec() syscall — spawns arbitrary process. subprocess module is blocked but its C implementation _posixsubprocess is NOT. | |
| ## Bypass Class | |
| `subprocess` is blocked with `*` wildcard, but `_posixsubprocess` (the C extension that subprocess uses internally) is not in the blocklist. This function directly calls fork() and execvp() — full arbitrary command execution. | |
| ## Reproduction | |
| ```bash | |
| pip install modelscan | |
| modelscan scan -p bypass_poc.pkl | |
| # Output: "No issues found!" | |
| ``` | |