sandeep1337 committed on
Commit cbc2746 · verified
1 Parent(s): fb1103f

Upload README.md with huggingface_hub

  1. README.md +106 -0
README.md ADDED
@@ -0,0 +1,106 @@
+ # ModelScan Bypass - Memory-Mapped Array ⭐ PRIMARY FINDING
+
+ **Security Research - ModelScan Bypass Technique**
+
+ ## Overview
+
+ This repository contains a proof-of-concept demonstrating a bypass technique for ModelScan,
+ a popular ML model security scanner. This technique allows malicious pickle-based model files
+ to evade detection.
+
+ ## Technique
+
+ **Memory-mapped array bypass**
+
+ Uses joblib's memmap feature with malicious __reduce__ method
+
+ ## ModelScan Result
+
+ **SCANNED but found NO ISSUES ✅ (TRUE BYPASS)**
+
+ ## File
+
+ - `exploit_memmap_bypass.joblib`
+
+ ## Reproduction Steps
+
+ ### Testing with ModelScan
+
+ ```bash
+ # Install ModelScan
+ pip install modelscan
+
+ # Download the exploit file from this repository
+ # Then scan it
+ modelscan scan -p exploit_memmap_bypass.joblib
+ ```
+
+ ### Expected Result
+
+ SCANNED but found NO ISSUES ✅ (TRUE BYPASS)
+
+ ### Triggering the Exploit (⚠️ DO NOT RUN ON PRODUCTION)
+
+ ```python
+ import joblib
+
+ # WARNING: This will execute arbitrary code!
+ model = joblib.load('exploit_memmap_bypass.joblib')
+ ```
+
+ ## Technical Details
+
+ This exploit uses Python's pickle `__reduce__` method for RCE:
+
+ ```python
+ def __reduce__(self):
+ import os
+ return (os.system, ('echo "RCE executed!"',))
+ ```
+
+ **Why ModelScan misses this:**
+
+ Uses joblib's memmap feature with malicious __reduce__ method
+
+ ## Security Impact
+
+ **Severity**: HIGH
+
+ **Attack Vector**:
+ 1. Attacker creates malicious model using this technique
+ 2. Uploads to model hub (HuggingFace, etc.)
+ 3. Victim downloads and scans with ModelScan
+ 4. Scanner reports "No issues found!" or skips the file
+ 5. Victim loads model → RCE
+
+ ## Part of Larger Research
+
+ This is one of four bypass techniques discovered:
+
+ 1. [Compression Mismatch](https://huggingface.co/sandeep1337/modelscan-bypass-compression-mismatch)
+ 2. [Double Compression](https://huggingface.co/sandeep1337/modelscan-bypass-double-compression)
+ 3. [Corrupt Header](https://huggingface.co/sandeep1337/modelscan-bypass-corrupt-header)
+ 4. [Memmap Bypass ⭐](https://huggingface.co/sandeep1337/modelscan-bypass-memmap) - PRIMARY FINDING
+
+ ## Disclosure
+
+ This research is being submitted to Huntr's bug bounty program for responsible disclosure.
+
+ **Date**: December 25, 2024
+ **Researcher**: Security Research Team
+
+ ## References
+
+ - [Huntr Bug Bounty](https://huntr.com/)
+ - [ModelScan GitHub](https://github.com/protectai/modelscan)
+
+ ## Disclaimer
+
+ ⚠️ **For Security Research Only**
+
+ This file is provided for security research and vulnerability disclosure purposes only.
+ Do not use this technique for malicious purposes. Loading this file will execute code.
+
+ ---
+
+ **Status**: Under responsible disclosure to Huntr bug bounty program
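Review bot: The "Why ModelScan misses this:" section never states a root cause; it just repeats the one-line sentence "Uses joblib's memmap feature with malicious __reduce__ method" from the Technique section, so a ModelScan maintainer reading this README cannot confirm the gap or tell when it is closed. Document what the scanner actually does with the joblib memmap container (which handler it dispatches to, and whether the embedded pickle stream is ever reached), and pin the ModelScan version that produced the "NO ISSUES" result, since `pip install modelscan` in the reproduction block installs whatever release is current and the expected result will silently stop holding once a fix ships. Two smaller points: the `__reduce__` snippet under Technical Details is not valid Python as written (the `import os` and `return` lines sit at the same indentation as `def`), and step 4 of the Attack Vector ('Scanner reports "No issues found!" or skips the file') hedges where the ModelScan Result section is categorical; state which of the two the scan output showed, as "skipped" and "scanned clean" are different failure modes with different fixes.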