tags:
- security-research
- modelscan-bypass

# modelscan Bypass: sqlite3 Database-Mediated File Write + Native Code RCE

## Security Research - Responsible Disclosure

This repository contains proof-of-concept pickle files demonstrating that modelscan v0.8.8
fails to detect malicious payloads using `sqlite3.connect()` + `operator.methodcaller()`.

### Files

- `sqlite3_attach_bypass.pkl`: Arbitrary file creation via `ATTACH DATABASE` (guaranteed to work)
- `sqlite3_rce_bypass.pkl`: Native code execution via `load_extension` (requires extension-enabled Python)

### Attack Category

**Database-mediated arbitrary file write + native code RCE**, a novel bypass class.

### Scanner Result

```
modelscan scan -p sqlite3_attach_bypass.pkl
No issues found! 🎉
```
### Root Cause

The `sqlite3` module is entirely absent from modelscan's `unsafe_globals` blocklist.
`operator.methodcaller` is also not blocked (only `attrgetter` is listed).
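The root cause above is a blocklist gap, so the practical defensive check is a static pass over the pickle opcode stream that reports every global reference before anything is unpickled. The following is an added example written for this README; it is not modelscan's code and not one of the repository's files. It uses `pickletools.genops` (standard library) to resolve `GLOBAL` and `STACK_GLOBAL` references, including ones whose module/name strings are fetched from the memo, and flags the two gaps the README names. The `FLAGGED` table, the sample pickles and the function names are assumptions for this example; the samples are constructed reference-only pickles (no `REDUCE` opcode), so unpickling them would merely return the callable without invoking it.

```python
"""Static pickle triage for global references a blocklist-only scanner can miss.

Added example for this README (not modelscan's code, not the repository's
PoC files). It never calls pickle.load(); it walks the opcode stream and
reports the module.name of every GLOBAL / STACK_GLOBAL reference.
"""
import pickle
import pickletools
import sqlite3

# Assumption: a minimal denylist built from the README's root-cause finding.
# A bare module entry flags every name in that module; a qualified entry
# flags one callable.
FLAGGED = {
    "sqlite3": "database-mediated file write / load_extension",
    "operator.methodcaller": "indirect method call on a reduced object",
}

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Return (module, name) for every global reference, without executing.

    The stack/memo model is deliberately approximate: only string pushes are
    tracked, which is enough to recover the two operands of STACK_GLOBAL
    even when the pickler (or an obfuscator) fetches them via BINGET.
    """
    found = []
    stack = []   # string operands currently on the (modelled) stack
    memo = {}    # memo index -> string, or None for non-string entries
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in _STRING_OPS:
            stack.append(arg)
        elif name == "GLOBAL":
            # Protocol 0-3: genops yields the operand as "module name".
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
        elif name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two top-of-stack strings.
            if len(stack) >= 2:
                found.append((stack[-2], stack[-1]))
                del stack[-2:]
            stack.append(None)  # the resolved object is not a string
        elif name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            if isinstance(memo.get(arg), str):
                stack.append(memo[arg])
    return found


def scan_pickle(data: bytes) -> list[str]:
    """Human-readable findings; an empty list means no flagged global."""
    findings = []
    for module, attr in extract_globals(data):
        qualified = f"{module}.{attr}"
        top_level = module.split(".", 1)[0]
        reason = FLAGGED.get(qualified) or FLAGGED.get(top_level)
        if reason:
            findings.append(f"{qualified}: {reason}")
    return findings


def load_extension_exposed() -> bool:
    """True if this interpreter's sqlite3 build exposes enable_load_extension,
    i.e. the native-code path the README describes is reachable at all."""
    return hasattr(sqlite3.Connection, "enable_load_extension")


# Constructed samples (hand-assembled so they do not depend on the pickler's
# module resolution). Each only *references* a callable: there is no REDUCE,
# so loading would return the function/class object without calling it.
SAMPLE_SQLITE_GLOBAL = b"\x80\x02csqlite3\nconnect\n."               # GLOBAL
SAMPLE_SQLITE_STACK_GLOBAL = b"\x80\x04\x8c\x07sqlite3\x8c\x07connect\x93."
SAMPLE_SQLITE_VIA_MEMO = b"\x80\x04\x8c\x07sqlite3\x94h\x00\x8c\x07connect\x93."
SAMPLE_METHODCALLER = b"\x80\x04\x8c\x08operator\x94\x8c\x0cmethodcaller\x94\x93."
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)

if __name__ == "__main__":
    samples = {
        "sqlite3 (GLOBAL)": SAMPLE_SQLITE_GLOBAL,
        "sqlite3 (STACK_GLOBAL)": SAMPLE_SQLITE_STACK_GLOBAL,
        "sqlite3 (via memo)": SAMPLE_SQLITE_VIA_MEMO,
        "operator.methodcaller": SAMPLE_METHODCALLER,
        "benign weights dict": SAMPLE_BENIGN,
    }
    for label, blob in samples.items():
        print(f"{label:24s} {scan_pickle(blob) or 'clean'}")
    print("enable_load_extension available:", load_extension_exposed())
```

Run it on any `.pkl` by replacing the samples with `open(path, "rb").read()`. Extending a denylist is the narrow fix; the durable control is to treat `extract_globals()` output as an allowlist problem and reject any model file whose globals fall outside the set your loader actually needs (for example `torch`, `numpy` and `collections` entries), since the next omitted module is otherwise only a matter of time.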
### Impact

- Arbitrary file creation at any writable path
- Attacker-controlled data injection into files
- Native shared library loading (full RCE) via `load_extension`
- Two-stage chain: combine with the `_io`/`pathlib` bypass to write a `.so`, then load it via `sqlite3`