
MFV PoC: inspect.getattr_static Universal Bypass + Double BUILD Technique

WARNING: This repository contains proof-of-concept malicious model files for security research purposes only.

Vulnerability

Two novel pickle scanner bypass techniques:

Chain A: inspect.getattr_static (95 bytes)

chain_a_model.joblib uses inspect.getattr_static as a drop-in replacement for builtins.getattr that no scanner detects. Combined with importlib.import_module, it provides a universal import-to-function-call chain.

Chain B: Double BUILD (169 bytes)

chain_b_model.joblib uses a novel technique: two consecutive pickle BUILD opcodes on the same object. The first BUILD injects __setstate__ = exec into the object's __dict__, then the second BUILD triggers exec(code) because pickle's BUILD opcode calls __setstate__ if present.

Reproduction

import joblib
# Chain A: touch /tmp/pwned via os.system
model = joblib.load("chain_a_model.joblib")

# Chain B: touch /tmp/pwned via exec
model = joblib.load("chain_b_model.joblib")

Scanner Results (both chains)

  • picklescan 1.0.4: 0 issues, 0 infected files
  • modelscan: "No issues found"
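As an added defensive example, not part of this repository, the following static check disassembles a pickle stream with pickletools (without ever loading it) and flags the indicators both chains depend on: a GLOBAL or STACK_GLOBAL reference to inspect.getattr_static or importlib.import_module, a "__setstate__" string constant (the key Chain B's first BUILD writes into the object's __dict__), and two BUILD opcodes back to back. The sample opcode streams are constructed, inert stand-ins, not the .joblib files described above.

```python
import pickle
import pickletools

# Module/name pairs worth flagging. inspect.getattr_static and
# importlib.import_module are the pair Chain A relies on; the rest are
# long-known pickle gadgets that scanners already look for.
SUSPICIOUS_GLOBALS = {
    ("inspect", "getattr_static"), ("importlib", "import_module"),
    ("builtins", "getattr"), ("builtins", "exec"), ("builtins", "eval"),
    ("os", "system"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def scan_pickle(data: bytes) -> list:
    """Disassemble a pickle stream and return a list of findings.

    Nothing is unpickled: pickletools.genops only decodes opcodes."""
    findings = []
    recent_strings = []   # last two string constants, feeding STACK_GLOBAL
    prev_op = None
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings = (recent_strings + [arg])[-2:]
            if arg == "__setstate__":
                findings.append(f"{pos}: '__setstate__' string constant (Chain B)")
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)   # genops joins the pair with a space
            if (module, name) in SUSPICIOUS_GLOBALS:
                findings.append(f"{pos}: GLOBAL {module}.{name}")
        elif op.name == "STACK_GLOBAL" and len(recent_strings) == 2:
            module, name = recent_strings
            if (module, name) in SUSPICIOUS_GLOBALS:
                findings.append(f"{pos}: STACK_GLOBAL {module}.{name}")
        if op.name == "BUILD" and prev_op == "BUILD":
            findings.append(f"{pos}: consecutive BUILD opcodes (Chain B)")
        prev_op = op.name
    return findings

# Constructed, inert opcode streams (hypothetical stand-ins, not this
# repository's files). They are only disassembled, never loaded.
SAMPLE_CHAIN_A = b"cinspect\ngetattr_static\n."                     # GLOBAL, STOP
SAMPLE_CHAIN_B = b"cbuiltins\nobject\n)\x81}V__setstate__\nNsbb."  # ... BUILD BUILD STOP
BENIGN_SAMPLE = pickle.dumps({"a": 1})

if __name__ == "__main__":
    for label, blob in [("A", SAMPLE_CHAIN_A), ("B", SAMPLE_CHAIN_B), ("benign", BENIGN_SAMPLE)]:
        print(label, scan_pickle(blob) or "clean")
```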