---
license: mit
tags:
- security-research
- modelscan-bypass
---
# Modelscan Bypass: pkgutil.resolve_name → Universal RCE

**⚠️ SECURITY RESEARCH ONLY - DO NOT LOAD UNTRUSTED MODELS**
## Vulnerability

`pkgutil.resolve_name()` can resolve ANY Python callable at runtime. This makes the ENTIRE modelscan blocklist irrelevant: a single function call can reach `os.system`, `subprocess.call`, or any other blocked callable.
## Impact

- **CVSS: 10.0** - Universal blocklist bypass
- **Type: RCE** - Arbitrary command execution
- Modelscan result: **"No issues found"** on both .pkl and .bin formats
## Chain

```
pkgutil.resolve_name("os.system") → <built-in function system>
os.system("command") → RCE
```
## Affected

- modelscan (all versions through 0.8.7)
- Any scanner using module-name blocklists
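The point above is that a blocklist of module names cannot see what an indirect resolver will return. As an added example (not code from this card or from modelscan), the check below walks a pickle's opcode stream with `pickletools` without ever unpickling it, lists every `GLOBAL`/`STACK_GLOBAL` import, and treats the import of `pkgutil.resolve_name` itself as critical while reporting anything outside an allowlist as unknown; the allowlist prefixes and the sample pickles are constructed assumptions.

```python
import pickle
import pickletools
import pkgutil

# Callables that resolve arbitrary names at runtime. A blocklist of os/subprocess
# names never sees what they return, so their mere import is treated as critical.
DYNAMIC_RESOLVERS = {"pkgutil.resolve_name"}

# Allowlist stance (assumed prefixes): anything outside them is reported as unknown.
SAFE_PREFIXES = ("builtins.", "collections.", "numpy.", "torch.")

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
NOOP_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT", "FRAME", "PROTO"}


def collect_globals(data: bytes) -> list[str]:
    """Return 'module.name' for every GLOBAL / STACK_GLOBAL import without unpickling."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)          # candidate module/name for STACK_GLOBAL
        elif op.name == "GLOBAL":        # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module and name were pushed
            if len(strings) >= 2:
                found.append(f"{strings[-2]}.{strings[-1]}")
            strings.clear()
        elif op.name not in NOOP_OPS:    # any other op breaks the string pair
            strings.clear()
    return found


def scan(data: bytes) -> dict[str, list[str]]:
    """Classify each import as critical (dynamic resolver), safe (allowlisted) or unknown."""
    report = {"critical": [], "safe": [], "unknown": []}
    for target in collect_globals(data):
        if target in DYNAMIC_RESOLVERS:
            report["critical"].append(target)
        elif target.startswith(SAFE_PREFIXES):
            report["safe"].append(target)
        else:
            report["unknown"].append(target)
    return report


# Constructed samples: the resolver imported via GLOBAL (protocol 2, hand-written
# bytes), via STACK_GLOBAL (protocol 4), and a plain dict of weights with no imports.
GLOBAL_PICKLE = b"\x80\x02cpkgutil\nresolve_name\nq\x00."
STACK_PICKLE = pickle.dumps(pkgutil.resolve_name, protocol=4)
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3]}, protocol=4)
```

Both encodings of the import are caught before any `REDUCE` runs, which is what a blocklist keyed on `os`/`subprocess` names misses.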
## Responsible Disclosure

This repo uses gated access. Findings reported to ProtectAI via Huntr.