tags:
- security-research
- vulnerability-poc
# ModelScan Scanner Bypass: Arbitrary Code Execution PoC

**WARNING: This repository contains proof-of-concept files for a security vulnerability. Do NOT load these files with pickle.load() or joblib.load() on a production system.**
## Vulnerability

ModelScan's `unsafe_globals` blocklist does not include `ctypes` or `operator.methodcaller`. A malicious pickle or joblib model file (joblib files are pickle streams) can therefore import these two names and, when loaded, reach `ctypes.CDLL(None).system()` to execute arbitrary commands, while ModelScan's safety scanner reports zero findings.
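Both imports are visible in the pickle opcode stream without executing it, so the gap can be checked for independently of ModelScan. The scanner below is an added example written for this page; it is not code from the PoC repository or from ModelScan. It walks the stream with `pickletools.genops`, collects every `GLOBAL`/`STACK_GLOBAL` import, and flags `ctypes.*` and `operator.methodcaller`, or, when an allowlist is supplied, anything outside that allowlist. The `FLAGGED` table, the function names and the three sample streams are this example's own: the two suspicious samples are constructed inline and are deliberately inert (one imports `ctypes.CDLL` with no call chain behind it, the other only builds an `operator.methodcaller` object), and none of them is ever loaded.

```python
"""Opcode-level check for the two imports ModelScan's blocklist misses (added example)."""
import operator
import pickle
import pickletools

# Example blocklist (hypothetical, not ModelScan's): None means every attribute
# of the module is flagged, a set means only those attributes are flagged.
FLAGGED = {"ctypes": None, "operator": {"methodcaller"}}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data):
    """Return every (module, name) import in a pickle stream without executing it.

    GLOBAL carries both names in its argument. STACK_GLOBAL takes them from the two
    most recently pushed string constants, so string pushes are tracked, including
    memo slots, because the pickler re-pushes an already seen string via BINGET.
    """
    found = []
    strings = []          # string constants in push order
    memo = {}             # memo slot -> string, for GET/BINGET indirection
    memo_count = 0        # MEMOIZE assigns slots sequentially
    last_was_string = False
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
        elif name == "STACK_GLOBAL":
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
        elif name in STRING_OPS:
            strings.append(arg)
        elif name == "MEMOIZE":
            if last_was_string:
                memo[memo_count] = strings[-1]
            memo_count += 1
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            if last_was_string:
                memo[arg] = strings[-1]
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            if arg in memo:
                strings.append(memo[arg])
        last_was_string = name in STRING_OPS
    return found


def scan(data, allowlist=None):
    """Return flagged imports as 'module.name' strings.

    Without an allowlist this mirrors a blocklist check using FLAGGED. With one,
    every import outside the allowlist is reported, which is the safer posture.
    """
    hits = []
    for module, attr in find_globals(data):
        if allowlist is not None:
            if (module, attr) not in allowlist:
                hits.append(f"{module}.{attr}")
            continue
        rule = FLAGGED.get(module.split(".")[0], ())
        if rule is None or attr in rule:
            hits.append(f"{module}.{attr}")
    return hits


# Constructed sample 1: hand-written protocol 0 stream: GLOBAL ctypes.CDLL, NONE,
# TUPLE1, REDUCE, STOP. Never loaded here, and it carries no call chain past CDLL(None).
CTYPES_SAMPLE = b"cctypes\nCDLL\nN\x85R."


def methodcaller_sample():
    """Constructed sample 2: protocol 4 stream whose STACK_GLOBAL imports
    operator.methodcaller. Loading it would only build methodcaller('system')."""
    class Ref:
        def __reduce__(self):
            return (operator.methodcaller, ("system",))
    return pickle.dumps(Ref(), protocol=4)


def safe_sample():
    """Constructed benign model-like object with no imports at all."""
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "bias": 0.5}, protocol=4)


if __name__ == "__main__":
    for label, blob in [("ctypes", CTYPES_SAMPLE),
                        ("methodcaller", methodcaller_sample()),
                        ("safe", safe_sample())]:
        print(label, find_globals(blob), scan(blob))
```

Two caveats for anyone using this as a supplementary check: a compressed joblib file must be decompressed before the bytes are scanned, and the string tracking behind `STACK_GLOBAL` follows memo lookups but not arbitrary stack manipulation, so it is a heuristic. The durable fix is an allowlist of the globals a given model format legitimately needs (the `allowlist` path above) rather than another entry in a blocklist, since a blocklist is exactly what left this gap.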
## Files

- `modelscan-bypass-rce.pkl`: 66-byte pickle payload that executes `id` via `ctypes.CDLL(None).system()`
- `modelscan-bypass-rce.joblib`: same payload in joblib format
- `modelscan-bypass-poc.py`: PoC script with `generate`, `verify` and `analyze` commands
## Affected

- ModelScan <= 0.8.8 (all releases to date)
- All pickle-based model formats: `.pkl`, `.joblib`, `.pickle`, `.dat`, `.data`
## Reproduction

```bash
# Generate the malicious model files
python3 modelscan-bypass-poc.py generate
# Scan with ModelScan: expected result is no issues reported
# (point -p at the file that generate wrote)
modelscan -p ./malicious-model.joblib
# Verify RCE (runs `id`; do this only in a disposable environment)
python3 modelscan-bypass-poc.py verify
```
## Responsible Disclosure

This PoC is submitted via huntr.com as part of the Model File Vulnerability (MFV) program.